What does GDPR say about cookies?

As per Recital 30 of the General Data Protection Regulation (GDPR), online identifiers such as cookies, IP addresses and other web technologies that can be used directly or in combination with other data to identify an individual, is considered personal data. The GDPR mentions cookies only once, but since they are categorized as personal data, all the requirements under GDPR is applicable to cookies. Therefore, to drop cookies on a user’s device, websites are required to obtain valid consent, also referred to as GDPR cookie consent.