You're correct that the GDPR specifically doesn't require this, but you're incorrect that "the law" doesn't—the 2004 EU ePrivacy Directive requires affirmative consent for all cookies, and it's being enforced much more strictly now in a post-GDPR world