As for EU sites, it looks like in this case there is a discrepancy in the requirements between GDPR and ePrivacy:
- European websites must always comply with GDPR, but only in regard to cookies that are related to an identified or identifiable natural person.
- ePrivacy Directive applies to all cookies, but only for end users and terminal equipment of end users located in the EU.
It looks like it is not necessary to gather consent for cookies that are not related to an identified or identifiable natural person or their terminal equipment located outside of the EU. In practice, though, the only way to profit from this loophole is to create one’s own mechanism for tracking users’ behavior, as all 3rd party tracking cookies absolutely do fall under GDPR.