So, obviously, I Am Not a Lawyer, but this seems easy to explain: when you go to the grocery store and buy something, you tacitly enter into a contract (which is exchanging money for food), where both parties agree.
For someone to use your personal information, they need to have one of the 6 legal basis to do so under the GDPR. One of those legal basis is to have a contract with you (in which case, the contract will define what's allowed and what's not). Another of those legal basis is "consent", which is the one being the most discussed, as it is generally the only one ads can hope to use, so let's ignore the 4 others (legitimate interest, public interest, vital interest, legal requirement, you can easily see why trackers for ads targeting don't fit any of those).
It is generally admitted (or at least I think it is, feel free to dig around for a better source for or against that assertion) that visiting a site is not entering into a contract (probably because a contract has to be fair, and giving up personal information without your knowledge just by visiting a site isn't actually a fair? I don't know that, IANAL).
That means the only legal basis ads companies (or the site that host them) have to use your personal data is to have your consent, which is strictly defined in the GDPR (and other posters have discussed how this definition is mostly ignored)
For someone to use your personal information, they need to have one of the 6 legal basis to do so under the GDPR. One of those legal basis is to have a contract with you (in which case, the contract will define what's allowed and what's not). Another of those legal basis is "consent", which is the one being the most discussed, as it is generally the only one ads can hope to use, so let's ignore the 4 others (legitimate interest, public interest, vital interest, legal requirement, you can easily see why trackers for ads targeting don't fit any of those).
It is generally admitted (or at least I think it is, feel free to dig around for a better source for or against that assertion) that visiting a site is not entering into a contract (probably because a contract has to be fair, and giving up personal information without your knowledge just by visiting a site isn't actually a fair? I don't know that, IANAL).
That means the only legal basis ads companies (or the site that host them) have to use your personal data is to have your consent, which is strictly defined in the GDPR (and other posters have discussed how this definition is mostly ignored)