> AFAIK, the GDPR didn't subsume the Cookie Law, but I may be wrong about that
You are correct. GDPR repealed and replaced the Data Protection Directive (DPD) from 1995. The "cookie law" (ePrivacy Directive, ePD) was an extension of the DPD, and made heavy reference to it. As part of replacing the DPD, GDPR includes a provision that any law referring to the DPD now refers to GDPR instead, which affects the ePD.
So ePD is still in effect, and by reference uses GDPR's new stricter definition of consent. This is a problem. The ePD was dumb but mostly ignorable. The "upgrade" has made its dumb-ness actually impactful.
You are correct. GDPR repealed and replaced the Data Protection Directive (DPD) from 1995. The "cookie law" (ePrivacy Directive, ePD) was an extension of the DPD, and made heavy reference to it. As part of replacing the DPD, GDPR includes a provision that any law referring to the DPD now refers to GDPR instead, which affects the ePD.
So ePD is still in effect, and by reference uses GDPR's new stricter definition of consent. This is a problem. The ePD was dumb but mostly ignorable. The "upgrade" has made its dumb-ness actually impactful.