As long as you don't connect the statistics you collect to individual user data, you should be fine. A server-side hit counter that just increments a row per page visit in the database doesn't need consent, as long as that row isn't directly connected to any user accounts.
If return counts are nothing more than "this user has visited the site before" and there is some benefit to the user (say, remembering their address or username) then I don't see why you'd need consent. This is in the legitimate interest of you and your user. This "legitimate interest" exception doesn't go as far as many of the nasty tracking companies pretend it does, though.
A history of purchases for an account is an obvious feature, but you need consent before you can use that data to generate a marketing strategy for example. So a cart history is perfectly fine, but training your recommendation algorithm in that needs consent.
You can use whatever you like to achieve the technical requirements for your site to operate from the user's perspective. Theoretically you could even use advanced device fingerprinting techniques without consent as long as the purpose isn't to gather data, but to serve an end goal.
As soon as you start aggregating data for your own benefit, you need explicit, optional consent from the user to use their data to your benefit.
Anonimised data can be used without consent, but good anonimisation is very very difficult to achieve. Data is considered PII if the data can be linked back to the individual user if you have a theoretical second database. Pseudonymisation, which is what most frameworks actually seem to do instead of anonimisation, is not enough to not need consent, because the data can easily be linked back to actual user data using a backup of your site database afterwards.
Tl;dr: as long as you use cookies and other features only to directly benefit the user, you need no consent. If the data you collect cannot possibly be connected to a user, you don't need consent. Based on my reading of the GDPR (not a lawyer but it was covered in an IT law class), that means 1: yes, 2: yes, 3: no, 4: possibly, 5: probably, 6: you've got the right idea.
You can find more details here: https://gdpr.eu/cookies/
You can also try reading the GDPR text itself, it's quite readable as far as legal documents go in my opinion.
If return counts are nothing more than "this user has visited the site before" and there is some benefit to the user (say, remembering their address or username) then I don't see why you'd need consent. This is in the legitimate interest of you and your user. This "legitimate interest" exception doesn't go as far as many of the nasty tracking companies pretend it does, though.
A history of purchases for an account is an obvious feature, but you need consent before you can use that data to generate a marketing strategy for example. So a cart history is perfectly fine, but training your recommendation algorithm in that needs consent.
You can use whatever you like to achieve the technical requirements for your site to operate from the user's perspective. Theoretically you could even use advanced device fingerprinting techniques without consent as long as the purpose isn't to gather data, but to serve an end goal.
As soon as you start aggregating data for your own benefit, you need explicit, optional consent from the user to use their data to your benefit.
Anonimised data can be used without consent, but good anonimisation is very very difficult to achieve. Data is considered PII if the data can be linked back to the individual user if you have a theoretical second database. Pseudonymisation, which is what most frameworks actually seem to do instead of anonimisation, is not enough to not need consent, because the data can easily be linked back to actual user data using a backup of your site database afterwards.
Tl;dr: as long as you use cookies and other features only to directly benefit the user, you need no consent. If the data you collect cannot possibly be connected to a user, you don't need consent. Based on my reading of the GDPR (not a lawyer but it was covered in an IT law class), that means 1: yes, 2: yes, 3: no, 4: possibly, 5: probably, 6: you've got the right idea.
You can find more details here: https://gdpr.eu/cookies/ You can also try reading the GDPR text itself, it's quite readable as far as legal documents go in my opinion.