[Kalium]

Having read through GDPR, I got the distinct impression that nobody involved in writing it really understood the technologies involved. There's a lot of handwaving about "reasonable measures" whenever they run into ignorance that's absent in the many chapters about inter-government protocols.

[mqus]

GDPR was explicitly designed to be "general". Specifying website behaviour is a bit specific for a regulation that wants to regulate privacy at a whole (in virtual and reallife interactions). Of course that also means that the regulation is quite lacking when it comes to specifics but that wasn't its goal. The goal was to be a fallback-law which regulates everything that is not explicitly regulated otherwise.

What you want is the ePrivacy Directive which "introduced" the cookie banners many years ago and its updated version which is (still) not ready.