GDPR still applies in the UK via their "equivalent" UK GDPR, as does the PECR (which is their implementation of the ePrivacy Directive, which covers cookies).

UK cookie law is pretty strict, and also pretty clear to read - https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

The issue is nobody bothers to follow it, and enforcement isn't likely enough, or crippling enough, to drive compliance.