by buttscicles 1490 days ago
This seems to be a very common misconception, but the cookie consent dialogues are not part of GDPR.
2 comments

https://gdpr.eu/cookies/

Cookie compliance

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

Receive users’ consent before you use any cookies except strictly necessary cookies.

Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.

Document and store consent received from users.

Allow users to access your service even if they refuse to allow the use of certain cookies.

Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Lucky for me it is "strictly necessary" that I track you. /s
Online privacy is an illusion. At the basic level, your IP is getting logged all over the place.
Cookies aren't part of the GDPR, so they must be part of the ePrivacy Directive.

Consent is part of the GDPR, but the way I've seen it operate in practice is widely out of compliance. You're supposed to ask for consent in each specific instance of data collection, not present a blanket approval, and default to "no."

https://gdpr.eu/cookies/

Cookies and the GDPR

The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its 88 pages, it only mentions cookies directly once, in Recital 30.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.

They are not required for cookies, but they are required for tracking cookies. If you are only using cookies for e.g. shopping cart or CSRF protection, you don't need a consent dialog, but that is not the case for those websites showing the dialog.