You need consent to read or write data from the user's computer except that which is strictly necessary for providing the service provided. This torpedoes analytics which identify users by setting their own pseudonymous identifier.
There's a bit more leeway to take data you already need to use for your service, and using it for a secondary purpose like analytics. So things like analyzing logs, including making use of a user identifier which you had to collect and process for other reasons. There are still restrictions, but much less severe than "strict consent." You can use "Legitimate Interest," legitimately.
Note that reading cookies is covered by the ePrivacy Directive, while processing personal data is covered by GDPR (reading cookies with personal data is covered by both). This is the source of many issues. In this case, it means collection is severely restricted (ePD) but use afterwards is less-restricted (GDPR).
There's a bit more leeway to take data you already need to use for your service, and using it for a secondary purpose like analytics. So things like analyzing logs, including making use of a user identifier which you had to collect and process for other reasons. There are still restrictions, but much less severe than "strict consent." You can use "Legitimate Interest," legitimately.
Note that reading cookies is covered by the ePrivacy Directive, while processing personal data is covered by GDPR (reading cookies with personal data is covered by both). This is the source of many issues. In this case, it means collection is severely restricted (ePD) but use afterwards is less-restricted (GDPR).