That's not true. Any cookie that is not strictly necessary needs explicit consent. There is simply no distinction whatsoever made between first-party or third-party cookies in the "cookie directive" (ePrivacy directive), or in the GDPR.

The directive itself speaks of cookies "intended for a legitimate purpose" "on condition that users are provided with clear and precise information". Read the rest of paragraph 25 to see how users "should have the opportunity to refuse".

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

"Legitimate purposes" are then more narrowly defined in the GDPR.

https://gdpr.eu/article-6-how-to-process-personal-data-legal...

I strongly suggest anyone serving European users to just read the GDPR and the ePrivacy directive, directly, rather than rely on third parties to give you an interpretation. These directories can be read "as is", and are really straightforward. Lots of companies of course try to work their way around the really obvious requirements and definitions laid out here.

In summary:

Unless you really need the cookie for the service to function, you cannot have it unless the user opted in. You cannot simply invent a reason why you would "need" the cookie. Anything that you can make work without cookies has to be provided without them, and you cannot "require consent" and somehow tie to it your service offers for anything that could be made optional.