Not this again. GDPR references cookies only once, along with IP addresses and other things, as examples of things that can be used to identify people. It made no law on how all of those things should be handled.

It was the ePrivacy Directive that actually regulated cookie use.

https://gdpr.eu/cookies/