The cookie law is no more. GDPR superseded it. It requires user consent, but only in some cases. Under GDPR, cookies that are not "personal information" (those that do not track users) do not require consent.
This is a common misconception. The GDPR is about protecting user's information, it's not really about cookies (the entire 88 page law mentions cookies only once).
The ePrivacy Regulation is intended to replace the cookie law (ePrivacy Directive) eventually, but it hasn't yet.
