[mqus]

GDPR was explicitly designed to be "general". Specifying website behaviour is a bit specific for a regulation that wants to regulate privacy at a whole (in virtual and reallife interactions). Of course that also means that the regulation is quite lacking when it comes to specifics but that wasn't its goal. The goal was to be a fallback-law which regulates everything that is not explicitly regulated otherwise.

What you want is the ePrivacy Directive which "introduced" the cookie banners many years ago and its updated version which is (still) not ready.