I've got an easy one for you: stop embedding google analytics and others. You don't need a cookie banner when you only have operational ones or better yet, none at all.
You can have GDPR-compliant analytics, like what Fathom does.
I also built my own analytics solution that simply shows me my blog article reads per day, week, month, and year (that is all I care about). It's a simple bit of JS that sends a request to my endpoint when the user spends 30 seconds on a page with an article. I also do some light user agent filtering (no "curl" or "python" in the agent string, for example).
I might start logging the referrer in the future to see where my traffic is coming from. However, I am very far from needing cookies or a GDPR notice. I doubt there's a need for cookies at all for most analytics. Even if you wish to track user flow in your website, you can do it with IPs (or hashed IPs to not store the actual IPs) only. An IP is unlikely to change while a user is browsing the website.
It seems to my mind that we only see so many GDPR notices because many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times.
> many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times
Or maybe has a conflict of interest, and its true purpose is to act as spyware on behalf of Google? Google absolutely has the skills to build a GDPR-compliant version if they wanted to.
The problem is that they aren't in the business of giving away free stuff. GA is only free because they need to give you an incentive to deploy their spyware - they'll happily let you in on (some) of the data they collect in exchange for you spreading it.
They could probably spy on users in a GDPR-compliant way. GDPR isn't about not tracking users, it is about protecting their personal data. All that analytics providers must do in principle is make sure to never associate certain types of data (phone numbers, names, addresses, and similar) to the user fingerprint they use for advertising.
As far as I understand (and I could be wrong), the cookie notices exist because analytics providers do not guarantee that this personal data won't be associated with the cookie fingerprint in their systems. Cookies themselves are only mentioned once in relation to this in the GDPR text:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
If the advertising ID/fingerprint was kept unassociated with personal data capable of identifying a natural person, there would be no need for the cookie notice in my understanding. However, I am not a lawyer.
Well, I'm glad I don't use GA on my personal site, then, even if it means I have no idea what traffic levels it gets. GA is incredibly popular though - I would guess the vast majority of blogs etc. use it and have no consent to do so.
Anonymization (if you actually believe Google despite their conflict of interest and previous GDPR breaches) still happens on their server, so the IP address (which counts as personal data) is still transmitted there.
I guess you may actually make it truly anonymous from a GDPR point of view if you proxy all calls through your own server and strip out anything that can be used to reidentify a user - so no IP addresses, session IDs, etc.
I've got an easy one for you: stop embedding google analytics and others. You don't need a cookie banner when you only have operational ones or better yet, none at all.