When PII includes IP addresses, it's kind of hard not to process. How else are you supposed to group metrics over a session (since cookies are also forbidden)?
This seems to ban third-party analytics by any US company. The cynic in me feels this is a little convenient in how it advantages EU organizations over foreign ones...
Session cookies are allowed if the user agrees. And if the user doesn't agree, you have no right to process PII to group metrics over a session. That's the big shift here: assuming you have a right to build a profile on a user (or even evaluate their behavior) without their consent is not legal under GDPR.
And as a European, I'm very glad that's the case. I know, we're still not close to compliance with GDPR, but it has changed the privacy discussion more than any other part.
How is that something that is essential to providing a service?
I suppose that it's somehow "commercially advantageous", but there are many other commercially advantageous techniques that are simply illegal - such as taking a customer's money, but supplying zero in exchange.
A company's profit needs are not an end-run around consumer protection laws (which is what GDPR amounts to).