That's not the issue. I don't want to see personal data sold either. It's all the little rules. There are hundreds of pages just in GDPR. You need a banner and explicit opt-in just to support login/logout functionality.
Can you explain why you believe this to be the case? Let's say you log the user in. Yes, you need consent to store a login cookie, but that doesn't mean you need "a banner and explicit opt-in". You only need explicit opt-in, which you can do by... putting a "remember me" box next to your login form[1]. Is that really so hard?
