With the first fine being granted to a company since the introduction of the new European GDPR laws, it is time for our own Sitecore solutions to be adapted. Those GDPR laws restrict the tracking of users without the user’s consent, which is mostly done by setting certain cookies. This means that those cookies cannot be set without consent of the user.
In Sitecore, users are tracked by Sitecore Analytics which creates a contact profile containing the information gathered of the user. In order to track users, Sitecore Analytics uses the SC_ANALYTICS_GLOBAL_COOKIE cookie.

Disabling the tracker & cookie

So, in order to make your Sitecore solution GDPR compliant, well, the tracker should not be started, and the analytics cookie should not be set (and removed if it was already set). This can be done easily because for every request without a tracker, the startAnalytics pipeline is started. This pipeline, as the name suggest, starts a whole bunch of things for Sitecore Analytics. If you would analyze the pipeline you would see that there is a processor called CreateTracker. The processor creates the tracker and when creating a tracker the cookie is set, therefor this is where the pipeline should be aborted when the user did not give his or her consent. This can be easily done by inserting a new processor right before the CreateTracker processor:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <startAnalytics>
        <processor
          type="YOURPROCESSOR" patch:before="processor[@type='Sitecore.Analytics.Pipelines.StartAnalytics.CreateTracker, Sitecore.Analytics']" resolve="true"/>
      </startAnalytics>
    </pipelines>
  </sitecore>
</configuration>

That processor should abort the pipeline when the user did not give any consent and the Analytics cookie should be removed if it was already be set:

if (SC_ANALYTICS_GLOBAL_COOKIE not allowed)
            {
                if (HttpContext.Current.Request.Cookies["SC_ANALYTICS_GLOBAL_COOKIE"] != null)
                {
                    var myCookie = new HttpCookie("SC_ANALYTICS_GLOBAL_COOKIE");
                    myCookie.Expires = DateTime.Now.AddDays(-1d);
                    HttpContext.Current.Response.Cookies.Add(myCookie);
                }

                args.AbortPipeline();
            }

Aftermath

Because the user is not tracked and the tracker did not start, a lot of things will not work anymore: personalization, device detection, all code using the user profile (via XConnect),… So be aware of this and make sure that your Sitecore solution does not crash and can handle this, especially the abscent XConnect. As it will throw errors telling you that the tracker is not initialized (Tacker.Current is not initialized).
Also on a small side note, this code does block the analytics cookie but to make your site fully GDPR compliant you might need to block other cookies as well (either 3rth party or your own custom ones).