Let's say I want to improve my site by recording basic user analytics like unique user counts, to produce actionable data. I'm not nefariously collecting their social security number. I'm just putting some UUID in a harmless cookie in their browser so I can track which requests are from a unique browser.
Thanks to the GDPR I cannot do this without the stupid cookie warning popup.
In this regard, the GDPR is clumsy lawmaking that results in companies having to behave defensively, hoping that users will accept a damaged UX in order that the company is not fined by the EU.
In the UK (and broadly under the UK GDPR and PECR – the Privacy and Electronic Communications Regulations), yes, you generally do need to get consent before setting non-essential cookies, even if it's just for rudimentary analytics like a unique visitor count.
Here's the key distinction:
Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).
Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.
Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.