Hacker News
by rndgermandude 1519 days ago
You could just do "Set-Cookie: visited=true; Max-Age=<interval>". No unique id, but you can still count uniques by checking requests for the lack of that cookie. This cookie is not personal information, and cannot be used to identify a person, not even indirectly, and thus needs no consent. This is basically what most of those "cookie banners" do anyway: set a preferences cookie, which cannot be linked back to a person if done properly.

Or if you want to avoid the cookie altogether, you could use some static, cacheable resource with a cache expiration date. Basically the good old counting pixel. Almost the same as the non-identifying cookie, except caches are more likely to be automatically evicted by browsers.
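Both counting schemes from the comment above, written out as an added example (this is not code from any of the commenters). It assumes request headers arrive as a plain dict, a 30-day window for what counts as "unique", and the browsers in simulate() are constructed traffic rather than captured data. The server stores no id, only "has this browser been here within the window", and the cookie value is a constant so two returning browsers cannot be told apart.

```python
"""Counting unique visitors without an identifying cookie or an id of any kind.

Added example (not from the thread). Assumptions: request headers are a plain
dict, the window is 30 days, and the 'browsers' in simulate() are constructed.
"""
from typing import Dict, List, Optional

COOKIE_NAME = "visited"
INTERVAL_SECONDS = 30 * 24 * 3600  # assumed 30-day window for "unique"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _cookie_names(cookie_header: Optional[str]) -> set:
    """Names present in a Cookie request header.

    Parsed by hand rather than with http.cookies so that a malformed cookie
    set by some other script on the origin cannot raise and break counting.
    """
    names = set()
    for part in (cookie_header or "").split(";"):
        name, _, _ = part.strip().partition("=")
        if name:
            names.add(name)
    return names


class UniqueCounter:
    """Two ways to count uniques, both storing nothing that points at a person."""

    def __init__(self, interval_seconds: int = INTERVAL_SECONDS):
        self.interval = interval_seconds
        self.page_hits = 0
        self.page_uniques = 0
        self.pixel_uniques = 0

    def handle_page(self, request_headers: Dict[str, str]) -> Dict[str, str]:
        """Count a page request; return the response headers to add.

        A request without the `visited` cookie comes from a browser not seen
        within the window: count it and set the cookie. The value is the
        constant 'true', so returning browsers are indistinguishable and the
        cookie cannot be joined to anything else.
        """
        self.page_hits += 1
        if COOKIE_NAME in _cookie_names(_header(request_headers, "Cookie")):
            return {}
        self.page_uniques += 1
        return {
            "Set-Cookie": (
                f"{COOKIE_NAME}=true; Max-Age={self.interval}; Path=/; SameSite=Lax"
            )
        }

    def handle_pixel(self) -> Dict[str, str]:
        """Count a request for the counting pixel; return its response headers.

        Any request that reaches the server comes from a browser without a fresh
        cached copy, so each one is a unique for the window. No ETag or
        Last-Modified is sent, so there is nothing to revalidate: after max-age
        (or cache eviction, which browsers do freely) the browser fetches the
        pixel again and is counted again.
        """
        self.pixel_uniques += 1
        return {
            "Content-Type": "image/gif",
            "Cache-Control": f"private, max-age={self.interval}",
        }


def simulate(counter: UniqueCounter, browsers: List[Dict[str, str]], visits_each: int) -> int:
    """Constructed traffic: each browser keeps the cookies it is handed and
    makes `visits_each` page requests. Returns the uniques counted so far."""
    for jar in browsers:
        for _ in range(visits_each):
            headers = {}
            if jar:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
            response = counter.handle_page(headers)
            set_cookie = response.get("Set-Cookie")
            if set_cookie:
                name, _, rest = set_cookie.partition("=")
                jar[name] = rest.split(";", 1)[0]  # keep the value, drop attributes
    return counter.page_uniques


if __name__ == "__main__":
    c = UniqueCounter()
    # Three constructed browsers, three visits each; the third already carries an unrelated cookie.
    print(simulate(c, [{}, {}, {"session": "abc"}], visits_each=3), "uniques of", c.page_hits, "hits")
```

The page handler only ever inspects whether the cookie name is present, never its value, which is the property that makes the counter unable to single anyone out; the pixel variant trades that cookie for the browser cache, at the cost of over-counting whenever the cache is evicted early.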

The only thing that matters about cookies is whether they are necessary, not whether they contain identifying information. Even duration doesn't matter. They should be explained to the user, but consent is not necessary.

Some cookies are even mentioned specifically as allowed. The example given is keeping track of a shopping cart across visits. Do that, and you have your uniques. While hinted at, it does not specifically mention those have to be session cookies: you could have a banner with "accept cookies", then use session cookies whether or not accept is pressed. It even seems to be common practice to hide explanations behind a "more info" button.

https://www.privacypolicies.com/blog/eu-cookies-directive/

I'm pretty sure "uniques" stats don't require you to violate the EU cookie directive.

>The only thing that matters about cookies is whether they are necessary, not whether they contain identifying information.

Incorrect, kinda.

The GDPR concerns personal information, and information that can identify people directly (e.g. location data) or indirectly (e.g. an "opaque" unique id, as it can potentially be linked back to a person, or an IP address, as it can potentially be linked back to a person with the help of a court order compelling an ISP to pass subscriber information on to a complainant or law enforcement, and that subscriber may live alone).[0] The GDPR does not concern itself with stuff that cannot be used to identify a person or is not personal data.

The earlier ePrivacy Directive (better known as the "cookie law", although the section concerning "cookies" is only a small part, and does not even mention cookies explicitly) is a vague thing, on the other hand.

Specifically, it says under "Art 5 - Confidentiality of communications" that

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Some people therefore say this rules out all non-"necessary" cookies (unless there is explicit consent). However, this is not the intention of the directive, not how legal experts evaluated it, and not how courts in particular evaluated it. If you followed that maximal view of the text, then you couldn't legally serve anything to a user (as the user's browser might temporarily or permanently store that information without user intervention), couldn't "make" a browser cache stuff, couldn't even store that a user opted against tracking cookies. Instead, it has to be seen under the "confidentiality" umbrella of that Article, meaning the "information" mentioned has to be information that concerns the user. Non-identifying (neither directly nor indirectly) cookies do not fit that interpretation, and courts have acknowledged that (and because it's the EU and it's vast, some courts went against it too).

The proposed ePrivacy Regulation (successor to the ePrivacy Directive) is meant to make things less vague and simpler, especially in regards to cookies, and explicitly allows anonymous user counting via cookies, among other things. While the ePR has not passed, courts did take notice, and consider it when they evaluate the intent of the lawmakers as it pertains to the still reigning ePrivacy Directive.

>They should be explained to the user, but consent is not necessary.

Correct. You still have to inform people, even if your cookie use is merely "we do not use cookies to track or identify users".

Maybe surprisingly to some, the aforementioned access logs upthread are likely illegal without user consent, because usually they contain IP addresses of users. While the "visited=true" non-identifying cookie is not (in courts with reasonably knowledgeable judges at least).

[0] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...

Yes, it's not the official website, but also yes, it's the same text of the official directive recitals, except on this unofficial website you can properly link it without fuss.