OK, so cookies are actually only mentioned one time in GDPR, but that one time packs a bit of a punch.
Natural persons may be associated with online identifiers… such as internet protocol addresses, cookie identifiers or other identifiers… This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Which, translated, basically means (taken with other parts of the regulation) that if you can identify an individual via their device (directly or indirectly), that identifier is personal data.
Now, not all cookies will be able to identify users, but a whole load of them can. And that includes analytics cookies.
The existing “cookie law” was pretty clear about gaining consent, and we all added those cookie bars to our websites that basically implicitly gained your permission. Well, those aren’t any good any more. For any cookies that aren’t strictly necessary to run your site, you’re going to have to get explicit consent under GDPR.
That means you need some kind of affirmative action. Like a tick box.
And that consent must be as easy to take away as it was to give.
Oh, and it’s about consent. So if you’re not giving a choice, then there’s no consent to be given or not. Which basically means you can’t tell your visitors they have to accept or they can’t browse…