TL;DR (in short)
PECR vs. GDPR
Basically, the ICO says: “PECR first, GDPR second.”
The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them. If you’re placing cookies, this is why you need to look to PECR first and comply with its specific rules before considering any of the general rules in the GDPR. source
When do you need consent?
You need consent when cookies are not strictly necessary:
‘Strictly necessary’ means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.
All cookies that are used for analytics do require consent. Simple Analytics does not use any cookies and does not require any consent.
What ICO says about Simple Analytics
After contacting Daniel Morgan from ICO about the need for consent with Simple Analytics he replied:
If you do not rely on techniques which involve storing or gaining access to information within users’ devices in order to produce analytics data for your clients, then this will not fall under Regulation 6 and you will not need to obtain consent.
Most competitors in the privacy space do use similar technologies like hashing an IP address. For those, you would need consent.
Sources used: insideprivacy.com.