How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).
The law could have been much better if it simply asked browser makers to provide a single place to configure your preference, and then forced companies to abide by that setting.
> How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses.
Just because it's free and somewhat nice looking, doesn't mean it isn't shady shit. Maybe all you care about is counting unique visitors, but by doing that with Google Analytics, you're exposing your visitors to a complex surveillance product that collects data for its own purposes, and it sees much more than what's needed to just count unique visits.
What people don't see about GA, is that the data doesn't stop at you: "here is your data, X unique visitors, have a nice day".
It has a wider lifecycle: "this is YOUR data, and we collect, maintain, process, sell these data to a myriad other sources for a myriad other purposes". GA just feeds these monsters.
Most GA users just don't care about their clients'/readers' privacy. Or they care 'a little' but they care 'a lot more' about monetizing.
We externalize the costs, or find shady revenue streams. As long as people think "it's free therefore it is good and I like it" we are not progressing.
Use first-party, privacy-friendly tracking solutions. Usually, first-party cookies don’t require consent.
I would love to have a technical solution for browser-wide consent management, but it wouldn’t solve the issue of granular, informed consent for all the shady things that are possible in adtech.
Also, the law certainly doesn’t prohibit a technical solution, but that really is something that the industry should work out.
I'm sure it's possible to do analytics in a user friendly way - you can do basic analytics without storing IPs or using cookies.
The problem is that Google Analytics isn't _just_ collecting data for you, it's collecting a trove of other data that it's using to track and link users across other websites.
There was a simple place — Do Not Track (DNT), ignored by industry.
Truly open culture does not accept tracking; for example, there is no way to count Linux users. And people would not be kind to those who track physical newspapers.
The purpose of the tracking matters, though. Truly open culture also doesn't attempt fraud, DoS attacks, data breaches, and all the other nasty things that some people who are hoping not to get caught and punished do online. Unless you can prevent all such threats, it's unreasonable to expect websites whose operators might be held responsible for the consequences not to monitor how their own systems are being used and who is using them.
DNT never worked - and never could, because it had no legal backing.
What happened was entirely predictable to anyone who understands how the market works: there were some volunteers who honored DNT while it was opt-in, but that mostly ended when one of the browsers decided to make sending DNT enabled by default.
The industry wasn't, isn't, and is never going to self-regulate itself out of a significant revenue stream. That's why we ended up with GDPR - a proper solution with legal backing - which almost works. It would be working, if EU member states were more eager to pursue violations and issue fines.
> I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).
Setting a cookie is not in itself a GDPR violation. Collecting personally identifiable information is. You can collect unique visitors by setting a cookie but without collecting personally identifiable information, so no consent popup would be required for that:
1. Set a "site last visited: <date>, <serial-of-the-day>" cookie if it is not set.
2. Count hits as appropriate by examining the cookie - without collecting IP addresses.
Since no personally identifiable information is being collected with this scheme, consent is not required.
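The two-step cookie scheme from the comment above, sketched server-side as an added example that is not part of the original thread. The cookie name, the `date.serial` value format (a dot, because a comma is not a valid cookie-value character) and the in-memory counters are assumptions made for illustration.

```javascript
// Added illustration: in-memory daily counters; a real site would persist them.
const COOKIE_NAME = "last_visit"; // hypothetical cookie name
const COOKIE_RE = /^(\d{4}-\d{2}-\d{2})\.(\d{1,9})$/; // <date>.<serial-of-the-day>

// Extract the scheme's cookie from a raw Cookie header.
// The value is client-controlled, so anything malformed counts as "no cookie".
function parseVisitCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const m = COOKIE_RE.exec(part.slice(eq + 1).trim());
    return m ? { date: m[1], serial: Number(m[2]) } : null;
  }
  return null;
}

function createCounter() {
  const days = new Map(); // "YYYY-MM-DD" -> { hits, uniques, returning }
  const empty = () => ({ hits: 0, uniques: 0, returning: 0 });

  // Record one request. Only the cookie and the current date are read;
  // no IP address or other request metadata is inspected or stored.
  function recordHit(cookieHeader, now) {
    const today = now.toISOString().slice(0, 10); // UTC day
    const day = days.get(today) || empty();
    days.set(today, day);
    day.hits += 1;

    const seen = parseVisitCookie(cookieHeader);
    // Step 2: cookie already carries today's date, so this is a repeat hit.
    if (seen && seen.date === today) return { setCookie: null, stats: { ...day } };

    // Step 1: first request of the day from this browser.
    day.uniques += 1;
    if (seen && seen.date < today) day.returning += 1; // cookie from an earlier day
    const setCookie = `${COOKIE_NAME}=${today}.${day.uniques}; ` +
      "Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax";
    return { setCookie, stats: { ...day } };
  }

  return { recordHit, stats: (d) => ({ ...(days.get(d) || empty()) }) };
}
```

Because the cookie lives on the client, a browser that discards or edits it is counted again, so the unique count is an upper bound rather than an exact figure.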
Whether you parse log files locally, or in the cloud, or use a cookie really doesn't matter to the GDPR. They only mention the word "cookie" once in the entire law, it's independent of technology, as it should be. If you store personal information (like IP address) in your log files, you still need consent.
There is no cookie law. There was a privacy directive 7 years earlier, but it did not have any fines associated with it so no one really cared. We are discussing the GDPR that superseded the GDPR.