You cannot store a users personal data like IP
or cookie id unless you have consent from the user.
Smaller companies seem to think GDPR is something they can fix by changing the legalese in their impressum and privacy policy. "Yet another trip to the impressum generator".
Bigger companies seem to pretend they misunderstand the GDPR. I got emails and popups from Facebook, Twitter, Instagram etc informing me about all kinds of nonsense about how they changed their policies and asking me all kinds of unrelated questions about what kind of ads I want to see.
Not a single company asked me for permission to store my personal data.
This isn't right. Consent is just one of six legal bases through which you can lawfully process data under GDPR.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
This isn't true; there's a list of reasons you can keep information and "with consent" is one of them, "legitimate business need" another: https://ico.org.uk/for-organisations/guide-to-the-general-da...
But: "However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies."
So: you can store IP addresses as part of your information security needs, but not turn round and use them for direct marketing. (I'm not sure if web advertising counts as "direct marketing" here)
If you're talking about tracking cookies from an ad company, you better mention them in the privacy policy.