The EU regulates tracking cookies. They're not banned, but the requirements for their use are rather strict, due to the interactions between the ePrivacy Directive (2002) and the GDPR (2016).
To GP's broader point, "what about GDPR?": the GDPR basically steps back when other laws apply. Processing personal data requires a legal basis, and one option for legal basis is "Legal Requirement," so if another law says it's required, GDPR says it's OK. And furthermore, several provisions (like erasure) don't necessarily apply. GDPR would impose some restrictions like access and notice. The biggest issue is going to be "who is the Controller?", i.e. who 'owns' the data and who is in control of the processing?