[velcrovan]

I'm curious: running a static website with no JS-based analytics whatsoever — only Apache logs in standard format (so including IP address and user agent string) — does GDPR require consent banners in this case? If so, doesn't essentially every website require consent banners due to the way websites work?

[xorcist]

GDPR does not require a consent banner. If you want to process the user's personal data outside what is strictly necessary, you need permission. One way to get that permission is for the user to specifically consent to it. It does not have to be a banner. (In fact, many banners out there are probably not enough for informed consent anyway, as they provide no information about what data is collected or any reasonable way to opt out.)

Personally identifiable information has nothing to do with javascript, or analytics. Do you have GET requests with parameters containing enough to identify a specific individual? Then your logs are sensitive and you must have a valid contract, informed consent, or provide some important service where this information is necessary.

There are gray areas which can make this difficult, but you the basic idea is enough information to identify an individual. A basic website where you log that IP address A viewed home.html is not enough. The knowledge that a 55 year old woman with particular name on a particular street address has an interest in photograhy and shoe size 9 probably is. The line is somewhere in between.