Comment by dx034

Session cookies are allowed if the user agrees. And if the user doesn't agree, you have no right to process PII to group metrics over a session. That's the big shift here, assuming you have a right to build a profile on a user (or even evaluate their behavior) without their consent is not legal under GDPR.

And as a European, I'm very glad that's the case. I know, we're still not close to compliance with GDPR, but it has changed the privacy discussion more than any other part.