> so far no-one has seen any consequences for doing do.
This is precisely the problem with the GDPR to date.
Last August the ICO (British regulatory body) stated that you can't run Analytics such as Google Analytics without a GDPR standard of consent. They've yet to enforce this despite tens of thousands of non-compliant websites.
Meanwhile, there has been talk of permitting first party analytics cookies without requiring explicit consent for at least as long as the GDPR has been around. IIRC, even the ICO previously indicated support for that position, though I can't immediately find a reference for that now.
This is precisely the problem with the GDPR to date.
Last August the ICO (British regulatory body) stated that you can't run Analytics such as Google Analytics without a GDPR standard of consent. They've yet to enforce this despite tens of thousands of non-compliant websites.