GDPR is about consent, not cookies, storage or anything.
If you track a user then you need consents. Nothing about GDPR is tied to cookies. They are just one way to generate and keep PII (a tracking ID).
Now if the UTM only identifies the source (user coming from X, FB, ...) and does not identify or reveal the user then you are probably fine. It should even be fine as a cookie, although there have been talks about storing on a users device without consent. Not sure about the current exact legal status, so you might want to set it to never persist the browser close.
It might get a bit more complicated at sign up. You probably would want to disclose that you track and keep this information. But at this point GDPR is active for sure as you have a somehow identifiable user.
Consent is one of six different legal bases for processing personal data. Consent is important, yes, but it's not the be all and end all.
>It should even be fine as a cookie, although there have been talks about storing on a users device without consent
That will require consent, because the use of cookies is regulated not by the GDPR but by a different law (the ePrivacy Directive).
Under the ePrivacy Directive all cookies[0] that aren't strictly necessary to provide the service require consent.
[0] In fact it's even broader than cookies as the law covers storing any information on the user's device, so it includes things like the local storage API and indexed DB.
GDPR is about consent, not cookies, storage or anything. If you track a user then you need consents. Nothing about GDPR is tied to cookies. They are just one way to generate and keep PII (a tracking ID).
Now if the UTM only identifies the source (user coming from X, FB, ...) and does not identify or reveal the user then you are probably fine. It should even be fine as a cookie, although there have been talks about storing on a users device without consent. Not sure about the current exact legal status, so you might want to set it to never persist the browser close.
It might get a bit more complicated at sign up. You probably would want to disclose that you track and keep this information. But at this point GDPR is active for sure as you have a somehow identifiable user.