The way they are doing it doesn't actually comply with the law either, so the CYA aspect of it doesn't work as designed. Adding a popup doesn't do anything as far as the GDPR is concerned unless the popup allows you to decline tracking just as easily as it is to accept it (no pre-ticked boxes or anything).

I believe the problem here is wrong advice leftover from the previous "cookie law" (which I agree is completely stupid) being repeated endlessly (either honestly or maliciously from the adtech/spyware industry to try and make the GDPR look more annoying to the users). I sometimes even see this wrong "advice" here on HN on GDPR-related threads.