GDPR requires informed consent for tracking of any kind, whether that's 3rd party or restricted to your own site.

Incorrect, GDPR requires informed consent to collect personally identifiable information, but you can absolutely run your own analytics that only saves the first three octets of an IP address without needing to ask for constent.

Enough to know the general region of the user, not enough to tie any action to an individual within that region. Therefore, not personally identifiable.

Of course, you also cannot have user authentication of any kind without storing PII (like email addresses).

▲

root_axis 2 days ago | parent [-]

You've stretched the definition of tracking for your hypothetical. If you can't identify the user/device then you're not tracking them.

▲

input_sh 2 days ago | parent [-]

I literally worked with digital rights lawyers to build a tool to exercise your GDPR rights, but sure, call it a hypothetical.

	▲	root_axis 2 days ago \| parent [-]
		It's literally a hypothetical situation you introduced for the sake of discussion. "Hypothetical" doesn't mean it doesn't happen in real life, the whole purpose of a hypothetical is to model reality for the sake of analysis.