In fact, a trade-off has to happen. A cookie - or in terms of the GDPR, storing data on the end device - does not necessarily have to be technically required for it to be stored without consensus. A shopping cart, for example, can technically be coded as a GET parameter in the URL. However, since a cookie is the technically more sensible way to persist the shopping cart, a cookie can be used. This only needs to be explained - ideally in simple language - in the data processing statement.