Yeah, I was responsible for a moderately high-volume site, and getting it GDPR compliant wasn’t all that much effort. That’s because we’re not scumbags abusing our users’ personal information.

And yeah, the cookie-banners bullshit isn’t required, it was just passive aggression by sites butthurt that they couldn’t intrusively track their users so easily anymore.