I agree. The GDPR would be necessary. And it's a useful instrument (if still somewhat underused). The "cookie law" is what drove people to add cookie banners before GDPR was a thing. GDPR admittedly made them worse and more prevalent.
I'll also point out that vast swathes of cookies do not require a cookie popup, according to the European Commission's internal guidance; specifically, for their own websites, they believe that "cookies used for the sole purpose of carrying out the transmission of a communication" and "cookies that are strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service" do not require a cookie popup. So, for example, CSRF cookies, login cookies, and so on and so forth do not require a cookie popup.
That is - if you're building a website and using the bare minimum cookies you need to make the website function, you don't need a cookie popup. The default here is that you don't need a cookie popup, and when you start tracking users and/or selling their data, you need to comply with ePrivacy and the GDPR.
No, GDPR just forced website owners to air their dirty laundry. You don't need a cookie popup. See Basecamp.com, github.com etc. You only need one if you're asking the user for more data than is necessary to provide the service.
