by dgb23 1232 days ago
Cookie notices are required if you, for example, use them to pass data to third parties.

A login cookie that is just for auth is not that. It is specifically requested by the user and implies that the user's data is managed on that site and can be evicted.

Same with analytics. The problem is not that you're doing analytics. It's that the user doesn't know that you're doing it and that you're passing on that data to a third party.

1 comments

It’s not just about third parties. I still need to consent to any PII you gather for your analytics, even if it’s completely first-party.
Would have assumed that anonymous logging is fine? Generating usage data? Error logs? As long as it’s not sold, private data or used to identify the user?

Highly doubt that kind of gathering is a problem. If it were you could close 95% of the web.

As I said, PII. So if your only PII is storing the IP one-way hashed and salted, keeping the salt only for a day as (I think) Plausible does, it’s probably/possibly okay.

Besides that, intent also matters. For example, we had to start logging IPs for every newsletter change, or you can log IPs in your access log for security reasons without consent. Logging the same IP into your analytics tool becomes an issue.
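
The daily-salt scheme mentioned in the comments above, sketched as an added example (not part of the thread and not Plausible's code). The class and method names are hypothetical, the IPs are constructed documentation addresses, and HMAC-SHA256 is an assumed choice of one-way function.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltHasher:
    """Pseudonymise IPs with a random salt that is kept for one day only."""

    def __init__(self):
        self._day = None   # day the current salt belongs to
        self._salt = None  # held in memory only, never written to disk

    def _salt_for(self, today: date) -> bytes:
        # On a new day the old salt is overwritten, so yesterday's hashes can
        # no longer be recomputed or linked to today's.
        if today != self._day:
            self._day = today
            self._salt = secrets.token_bytes(32)
        return self._salt

    def visitor_id(self, ip: str, today: date) -> str:
        # Keyed hash: the IPv4 space is small enough to brute-force an
        # unsalted hash, so the secret salt is what makes this one-way.
        mac = hmac.new(self._salt_for(today), ip.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]


def demo():
    hasher = DailySaltHasher()
    day1, day2 = date(2024, 1, 1), date(2024, 1, 2)  # constructed dates
    first = hasher.visitor_id("203.0.113.7", day1)
    repeat = hasher.visitor_id("203.0.113.7", day1)   # same IP, same day
    other = hasher.visitor_id("203.0.113.8", day1)    # different IP
    next_day = hasher.visitor_id("203.0.113.7", day2)  # same IP, new salt
    return first, repeat, other, next_day


if __name__ == "__main__":
    print(demo())
```
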