GDPR cookie law compliance + how to disable user accounts until they agree to new terms of service

I don’t think the GDPR actually applies to my site, both because we have less than 250 employees, and because we don’t do routine processing of data. However, I still want to do some minimal GDPR compliance just to avoid any problems down the line. I’d like to update my ToS (which must be agreed to in order to register an account), to stipulate that those who register agree to Google Analytics cookie usage (as well as Open edX cookie usage obviously.).

1. How can I disable everyone’s account, and send a link via email that says “you must agree to the new ToS to keep using your account” and/or prompt them to agree to the updated ToS on their next login? (prompting on next login would be best, because people could claim they never got the email since it went to spam…)

2. In the interest of ToS accuracy, are there any other cookies I should be aware of that get built into Open edX? E.g. due to “share this course” via Twitter?

I think this guide might help you 4.26. Enabling the User Retirement Feature — Installing, Configuring, and Running the Open edX Platform documentation . It seems to the guide is resolving an issue very similar to your case

We at nau.edu.pt project, we enforce the acceptance of the new Terms of Service when the user reenters / relogin to the platform using the User Preference API /api/user/v1/preferences/
He needs to accept to continue to use the rest of the platform.

We have included that code directly on our Open edX platform theme.
Link for that commit: Merge pull request #1 from eduNEXT/ttg/featured_modal-tos · fccn/nau-themes@817af5b · GitHub

Hope this could help you.