[mortarion]

So take the IP, browser agent, your domain name and some other browser identifiers, stick them together and run them through SHA3-256, now you have a hash you can use for deduplication. You can even send this hash to a 3rd party service.

Or assign the user an anonymous session cookie that lasts an hour but contains nothing but a random GUID.

Or simply pipe your log output through a service that computes stats of accessed endpoints.

None of this requires a cookie banner.

[inkysigma]

I think this scheme still requires consent since you are processing pseudo anonymous identifiers that fall under personal information without the essential function basis. Hashing is considered insufficient under the GDPR iirc. Have you asked a lawyer about this?