The elephant in the room is that almost no one wants to host a website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.
There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.
The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision-making structure that allows them to act meaningfully in response to insights gained.
Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users.
It's admittedly sound advice to create a banner for such a use case, however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal.
Lots of misinformation on the internet w.r.t. this, and I am not a lawyer either.
It's especially tragic because Google serves you countless factually incorrect articles if you search for GDPR, which doesn't help with this endless amount of confusion.
You might be interested to know that an IP address isn't actually PII, because that's a concept of California privacy regulation and they don't care about them.
It's a different story for GDPR's personal data, however, because there are individuals with static IPs, which makes it possible to link these IP addresses to individuals.
If you could only omit these, you could technically use IP addresses however you want too. But I admit that that's kinda unrealistic ( • ‿ • )
Yeah, companies are so used to laissez-faire that when they're finally told "too bad, so sad" they throw a tantrum, sue, cry, and eventually comply as maliciously as they possibly can, to show the world how upset they are that they can't simply do whatever they want.
I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
The first step is data minimization. The second step is informed and revokable consent. Everything else follows from there.
Do targeted ads increase the amount of personal data that needs to be stored and processed and the number of entities that will access it? Yes they do. Are they required for the site to serve its stated purpose? No, unless the site is marketing itself as literally a curated stream of targeted ads. So they require informed and revokable consent (i.e. opt-in). Even if you think they're beneficial to the user.
It's not about what's beneficial. It's about what's required. That's why most sites try to group services by categories like "functional", "analytics", etc. If you want to embed a Google Maps view to help people find your physical store, that's beneficial but still requires consent because it shares their data with a third party (i.e. Google) when the browser loads that map. Of course in this case you don't even need a banner, you could just have a placeholder (often called "content blocker") instead of the map with the option to consent to loading the map and storing that decision so the user doesn't have to see the placeholder again.
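The "content blocker" pattern from the comment above, as an added illustration that is not the commenter's code: the third-party embed is never given a `src` until the visitor opts in, so the browser makes no request to the third party before consent; the decision is stored per service so the placeholder is skipped on later visits, and it can be revoked. The storage key, the service name `google-maps`, and the Maps embed URL are assumptions chosen for the example; the same gate works for any third-party iframe or script.

```javascript
// Consent-gated embed loader ("content blocker"). Added example, not code
// from the thread. Assumed: the storage key, the service names used by the
// caller, and the embed URL passed in. Storage is injected so the logic runs
// both in Node (for tests) and in the browser (pass window.localStorage).

const CONSENT_KEY = 'embed-consent-v1'; // assumed storage key

// Minimal in-memory stand-in for localStorage, used when running outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Per-service consent record: { "google-maps": true, ... }.
function createConsentStore(storage) {
  function read() {
    try {
      const raw = storage.getItem(CONSENT_KEY);
      return raw ? JSON.parse(raw) : {};
    } catch (e) {
      return {}; // corrupt or tampered value: treat as "no consent given"
    }
  }
  function write(state) {
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
  }
  return {
    has(service) { return read()[service] === true; },
    grant(service) { const s = read(); s[service] = true; write(s); },
    revoke(service) { const s = read(); delete s[service]; write(s); },
    granted() { const s = read(); return Object.keys(s).filter((k) => s[k] === true); },
  };
}

// Decide what to render for one embed. Returns a plain description so the
// caller (DOM glue or a test) acts on it; nothing here touches the network.
// srcUrl must be a fixed URL chosen by the site, never user-controlled input.
function planEmbed(store, service, srcUrl) {
  if (store.has(service)) {
    return { kind: 'embed', src: srcUrl };
  }
  return {
    kind: 'placeholder',
    text: `Loading this ${service} embed sends your IP address and browser details to a third party. Load it?`,
    // Accepting records the decision and returns the embed plan for immediate rendering.
    onAccept: () => { store.grant(service); return { kind: 'embed', src: srcUrl }; },
  };
}

// Browser glue: render either the placeholder or the real iframe into `container`.
// `doc` is the Document (pass `document` in the browser).
function mountEmbed(container, store, service, srcUrl, doc) {
  const plan = planEmbed(store, service, srcUrl);
  container.innerHTML = '';
  if (plan.kind === 'embed') {
    const iframe = doc.createElement('iframe');
    iframe.setAttribute('referrerpolicy', 'no-referrer'); // do not leak the page URL to the third party
    iframe.src = plan.src; // the only place the third-party URL is ever loaded
    container.appendChild(iframe);
    return;
  }
  const p = doc.createElement('p');
  p.textContent = plan.text;
  const btn = doc.createElement('button');
  btn.textContent = 'Load map';
  btn.addEventListener('click', () => {
    plan.onAccept();
    mountEmbed(container, store, service, srcUrl, doc); // re-render as the real embed
  });
  container.appendChild(p);
  container.appendChild(btn);
}

// Browser usage (not executed here):
//   const store = createConsentStore(window.localStorage);
//   mountEmbed(document.getElementById('store-map'), store, 'google-maps',
//              'https://www.google.com/maps/embed?pb=EXAMPLE', document);
```

Wiring a "withdraw consent" link to `store.revoke('google-maps')` followed by a re-mount restores the placeholder, which covers the revocable part of the consent the thread keeps coming back to.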
The things they're calling legitimate use just aren't, which is why they need banners.