Strictly necessary cookies, session tokens and such, are exempted. But there’s no general exemption for cookies that provide functionality a user might like. If your site will function without remembering who I am when I come back tomorrow, you have to disclose that you’re going to try to remember me and give me a chance to say I don’t want you to. Doesn’t matter how benign your plans for that information are - the whole point is that the user is in control and they get to make that decision.