> User tracking and fingerprinting has moved server side.
This smells like a misconception of the GDPR. The GDPR is not about cookies, it is about tracking. You are not allowed to track your users without consent, even if you do not use any cookies.
Cookies and crossdomain tracking is slightly different to a login. Login would occur on one platform and would not track you when you go on to amazon or some porn site or read infowars. But crossdomain cookies do not need auth and they are everywhere because webmasters get paid for adding them, they track you everywhere.
This smells like a misconception of the GDPR. The GDPR is not about cookies, it is about tracking. You are not allowed to track your users without consent, even if you do not use any cookies.