
Well, it's legal to create a hash and save it inside a database to count unique users. If the hash is not connected to any info that would identify a user (btw. user agent is some kind of identifying stuff) it is fine.

What I wanted to say is that cookies are not illegal by GDPR means and GDPR does not make a lot of stuff illegal, it's just that SAVING personal information or information that could identify somebody needs explicit permission.

Edit: another thing, IP addresses: by German law you are required to save them when a user can register on your site and your site allows users to submit data, because authorities force you to give them out when a user did something illegal. (§ 7 Abs.1 Satz1 Nr.4 TKÜV, https://www.gesetze-im-internet.de/tk_v_2005/__7.html) In Germany it's basically: fuck the privacy if they harmed our law! Or at least you need a way to "activate" saving IP addresses.



How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying. If you generate a random identifier but save that identifier in their cookies and send it back next time, also pretty clearly identifying.


> How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying.

Of course that is forbidden. And that's exactly why it is really hard to tell if companies honor it.
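The sha1(IP address + User Agent) scheme discussed in this thread, as an added example that is not part of any comment: it shows that such a hash links repeat visits and can be reversed by enumerating candidate inputs. The function names, the sample address and User-Agent strings, and the keyed daily-rotating variant shown for comparison are assumptions of this example, not something the thread proposes.

```python
import hashlib, hmac, ipaddress, secrets

def naive_id(ip: str, ua: str) -> str:
    # The scheme from the thread: sha1(IP address + User Agent), no secret.
    return hashlib.sha1((ip + ua).encode()).hexdigest()

def reidentify(stored: str, network: str, user_agents: list[str]):
    # Whoever holds the stored hash can recompute it over candidate inputs:
    # IPv4 ranges and common User-Agent strings are small, guessable sets.
    for ip in ipaddress.ip_network(network).hosts():
        for ua in user_agents:
            if naive_id(str(ip), ua) == stored:
                return str(ip), ua
    return None

def keyed_id(day_key: bytes, ip: str, ua: str) -> str:
    # Comparison variant (assumption of this example): HMAC under a random
    # key kept only in memory and replaced every day.
    return hmac.new(day_key, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()

# Constructed sample data: documentation address range, made-up UA strings.
UAS = ["Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
       "Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/2.0"]
VISITOR = ("203.0.113.57", UAS[1])

def demo():
    stored = naive_id(*VISITOR)                  # what the database keeps
    linkable = stored == naive_id(*VISITOR)      # same visitor, later visit
    recovered = reidentify(stored, "203.0.113.0/24", UAS)
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    same_day = keyed_id(k1, *VISITOR) == keyed_id(k1, *VISITOR)
    cross_day = keyed_id(k1, *VISITOR) == keyed_id(k2, *VISITOR)
    return linkable, recovered, same_day, cross_day

if __name__ == "__main__":
    print(demo())
```

Within one day the keyed ID still links a visitor's requests; only once the key is discarded can the stored values no longer be recomputed from IP address and User-Agent.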



