No, I can see that you are not familiar with the law, I don't blame you because nobody is, since it's incredibly vague about when applies and AFAIK nobody has yet been fined. There are hundreds of companies doing wrong things, no doubt. The "millions" are collateral damage.

I am basing my statements on http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm (the chapter EU legislation on cookies). According to this guide, the following cokies are exempt from consent: user-input (forms, shopping carts), authentication (for the session), user-centric security, multimedia player, ui customization, social network for logged in members.

Seems quite straightforward and fair.

No it's neither straightforward nor fair. Because it's a whitelist (and a short one), not a blacklist. You can not legislate like that, making potentially illegal any use case that you could have missed or any future use case.

And there is plenty of legitimate usages that are not whitelisted. The most notorious is non-shared traffic analysis. Meaning what basic google-analytics offers and half of the internet uses. There is absolutely nothing wrong with knowing how many unique visitors you got today, and everyone with a website wants to know that.

> There is absolutely nothing wrong with knowing how many unique visitors you got today, and everyone with a website wants to know that.

Maybe people running those websites want to know that, but as a visitor, I might not want that. Being ablet o tell "how many unique visitors you got today" implies that you can group actions by unique visitors, and thus tell e.g. exactly what I was doing on your website over the course of days. If I'm not logged in, I might not want that.

And don't get me wrong - I'm not really a strong privacy advocate or something. Most of the time I don't care much about tracking. But while in theory there's nothing wrong in tracking unique visits, we all know that the primary use of this is to manipulate users and shit ads on them, nowadays mostly cross-site. It's entirely reasonable people get fed up of being on the receiving end of someone else's malice.

> Maybe people running those websites want to know that, but as a visitor, I might not want that. Being ablet o tell "how many unique visitors you got today" implies that you can group actions by unique visitors, and thus tell e.g. exactly what I was doing on your website over the course of days. If I'm not logged in, I might not want that.

That's like asking the guy behind the counter in a shop to not look at you because as long as you are not buying anything you don't want him to know you are there. You are entitled to your feelings but if you don't want to be seen don't go there, or care enough to open an incognito window.

> But while in theory there's nothing wrong in tracking unique visits, we all know that the primary use of this is to manipulate users and shit ads on them, nowadays mostly cross-site.

No, primary use is regular analytics. 99.9% of websites on the internet are not amazon. And if the law was for cross-site information sharing cookies then this would be a totally different debate, but it is not.

What are the best server side only alternatives to google analytics?

Without cookies you can not measure anything but IPs, and IPs are meaningless. You can not count unique users because in a given office you get 50 people/IP. You can not count new/recurrent users because most ISPs don't offer fixed IPs.