FYI, it was the ePrivacy Directive that brought about the cookie banners, not GDPR