Legally I haven't given affirmative permission so they're not allowed to track me. The same if I just ignored the cookie banners (which is what I did... until 2 hours ago when I saw this post).
Practically I assume most of the sites are breaking the law, because that's how I expect webdev's to think and because most of the cookie banners aren't nearly up to spec to satisfy the law so I assume they aren't being that careful.
The Irish data privacy regulator recently did a sweep of 38 Irish websites, reviewing for cookie compliance. Two-thirds of websites were found to be relying on "implied consent" and 37 were found to set unnecessary cookies on landing before consent was given. Overall only 3 websites were rated as "substantially compliant."
Because your boss has a boss who has a legal adviser who tells him they have to have the appearance of meeting the requirements of the law/regulators. Compliance theatre. They all know it's smoke and mirrors but it ticks a box in someone's board meeting agenda.
I suspect most sites will get a warning first. I have a website myself with Google Analytics and I've never added a banner myself, I'll wait for the warning first, and I expect my users to have blockers installed if they're privacy-conscious.
