
> which is clearly informed consent, because you can choose not to install it

I don't even know if you are sarcastic but:

That is not how that works, legally or otherwise.



The information can be collected anyway under legitimate interest provisions, which is (a) already listed and discussed, and (b) the relevant cookies have their own opt-outs.

The GA add-on is purely about that same data being passed to GA - and the very same cookie pop-up literally tells you what information is sent, why, and tells you how you can opt out (by either blocking the JavaScript, or installing the add-on) -- it literally meets the requirements for informed consent, as you put it, "legally or otherwise."

Might want to go check that out before trying to make baseless claims, "legally or otherwise."


The "information" you speak of varies. Some sites plumb everything into GA, some just use it for pageviews. Some send all data, some use their own proxy backend to strip all remotely personal data. For examples of different ways to use it and their varying legalities see recent cases in Sweden: https://edpb.europa.eu/news/national-news/2023/imy-orders-cd...

The "legitimate interest provisions" are for certain purposes. You can for example collect IP addresses for providing a service (e.g. routing a request) or security (rate limiting to prevent DDoS) or fulfilling a contract or fraud prevention, but you cannot without consent use it for market analysis.

Consent must be given affirmatively:

> Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

See here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... section 32

The above section also makes any "opt-out" not valid. You can either have opt-in or make opt-in and opt-out equal choices. You cannot only have opt-out. You also cannot provide a service based only on opt-in, in other words you cannot make customers pay with their data.


Yes, I didn't say the information didn't vary - I clearly said sites could gather many metrics depending on cookie consent, and the GA JS only refers to the information you've already given consent to have collected -- but way to miss the point.

I'm aware of what the provisions of "legitimate interest" are, not sure why you're going off like some marketing person fresh off a GDPR 101 course, bro. Chill out, and stop being such a condescending tool.

If the data hasn't been collected in the first place (due to denying cookies for such), there's nothing to pass to GA anyway. You're missing the entire point.

I don't know if you've got a hard-on for attacking Google or genuinely have just finished a Baby's Guide to GDPR and think you're all that, but you're barking up the wrong tree.

Silence doesn't apply, because you have to actively accept or deny cookies in the first place, as well as accepting or denying legitimate interest options. Have you not seen a cookie popup before? These concepts should be obvious to you.

There is no "pre-ticked box" or "inactivity" in this event either, so you're really just grasping at straws to try and justify your attacks.

Try go reading the Swedish case. Firstly, it's about Swedish companies, not Google itself. Secondly, it concerns data transfer to the US, and whether the ECJ deemed the US to have sufficient protections for data (identifiers later deemed to be considered personal, given a lack of sufficient safeguards or anonymisation) at the time of the ruling -- and specifically concerns whether the 4 companies in question did enough to protect that PII. It also concerns how this was handled with boilerplate clauses in said companies' contracts, that weren't up to the provisions required by GDPR.

It's not a declaration that GA is in violation of GDPR, or anything close to that -- it merely concerns how they integrated and used it, and their own mishandling of PII. Additionally, the version of GA in this particular case is over 3 years old, a fact you've conveniently ignored -- like you've similarly ignored that Google has drastically changed how Google Analytics are handling and processing data since then.

It's also worth noting that this was one agency of one country's government audited decisions against how companies implemented and used a service at one time several years ago -- and isn't a declaration of illegality or incompatibility by either the European Commission or the ECJ.

The issue was about how data was transferred to the US, the contractual clauses that were supposedly allowing that, and what protections (or lack thereof) existed for the transfer of this data.

You'd do well to note that the security of this data transfer was during the time of the EU-US Privacy Shield, which the ECJ later declared invalid due to US surveillance concerns.

This isn't an issue with GA specifically -- this is an issue with any US corporation, or entity that is subject to US laws like FISA 702 and the CLOUD act, which can result in companies having to hand information over to US governmental entities. That's not something limited to Analytics, or even Google LLC, or Meta, it's anyone subject to those US provisions.

The fact that you haven't grasped that the issues were the transfers, not GA itself, shows you grossly misunderstand the core issues, and are going off half-cocked, so to speak.

Any tool that collects any personal data or identifiers could violate GDPR if implemented or operated improperly, from analytics to email to a simple website with cookies.

Go read up on the Schrems II ruling that invalidated the EU-US Privacy Shield, and therefore made the data transfers in question illegal -- not the use of GA itself.

If site operators gather data or use tools improperly, or make data transfers that aren't legal, that's what violates GDPR -- as the IMY rulings clearly stated.

Nothing you've said proves the opt-out is unlawful, and no EU entity (or member state's government) has declared or even said otherwise -- the GA-related cases have concerned how operators implement the collection and transfer of data, and the ruling declaring Privacy Shield illegal.

It seems you're quick to go off on a rant, but not so quick to actually comprehend the intricacies of the cases involved, or the basis for the case law that concerns them.



