Correct. Cookie banners were required before GDPR. GDPR is the one that makes dealing with EU citizens online a risky enterprise, so the large entrenched players have the advantage.
I know that cookie banners exist since ePrivacy. That's why I mentioned it. But ePrivacy does _not_ mandate them. The adtech industry could have respected the DNT header.