It is GDPR and not PECR that sites responded to with the cookie banners that we deal with today, and GDPR covers a much broader surface area ("processing of personal data")
Sort of, but it's still the ePD, really. The ePD was always there, but largely ignored by both companies and regulators.
What happened when the GDPR came in was twofold:
1. Everyone became acutely aware of data protection legislation, because the GDPR actually had teeth when it came to enforcement.
2. The ePD referenced the Data Protection Directive, and when the GDPR came in to force all references to the DPD became references to the GDPR.
The consequence of #2 is that the hand-wavy "implicit consent" that sites relied on to avoid cookie banners (why show a banner asking for consent if you can just assert you do have consent?) went away - the GDPR made it clear that consent must be explicit.
What happened when the GDPR came in was twofold:
1. Everyone became acutely aware of data protection legislation, because the GDPR actually had teeth when it came to enforcement.
2. The ePD referenced the Data Protection Directive, and when the GDPR came in to force all references to the DPD became references to the GDPR.
The consequence of #2 is that the hand-wavy "implicit consent" that sites relied on to avoid cookie banners (why show a banner asking for consent if you can just assert you do have consent?) went away - the GDPR made it clear that consent must be explicit.