A brief guide to GDPR and the cookie law (ePrivacy)

GDPR and the cookie banner get talked about as if they were the same rule, but they come from two different laws, and keeping them apart makes compliance a good deal clearer. One governs what you do with personal data. The other governs what you store on someone's device. Knowing which is which tells you when you actually need consent and when you do not. What follows is a short, practical view rather than legal advice.

What GDPR governs

GDPR is about personal data, meaning any information that relates to an identifiable person. It applies whenever you collect, store, or use that data, and it asks you to have a lawful basis for doing so. Consent is one such basis, but it is not the only one. Legitimate interest and the performance of a contract can also make processing lawful, which is why a great deal of ordinary business activity, like keeping a CRM or following up with a customer, is allowed without anyone clicking a consent button.

What the cookie law (ePrivacy) governs

The cookie banner does not come from GDPR. It comes from the ePrivacy rules, which govern one specific act: storing or reading information on a person's device. A cookie is the obvious example, but the rule covers anything kept on the device, including other identifiers. ePrivacy is stricter in one way that matters here, because for this kind of storage there is no legitimate-interest option. You either fall under a narrow strictly-necessary exemption, or you need consent. That is why the banner asks rather than assumes.

Why the distinction matters in practice

The two laws stack, so an action can touch one, both, or neither. Reading the IP address and referrer that a browser sends with every request is processing personal data, so GDPR applies, but it stores nothing on the device, so the cookie rule does not. Setting a tracking cookie triggers the cookie rule, and then using what it collects brings in GDPR as well. The upshot is that the binding constraint for most website tracking is ePrivacy, because it is the gate with no legitimate-interest path. Sort out the device-storage question first, and the GDPR side usually follows.

In short, GDPR is about the data, ePrivacy is about the device, and the cookie banner belongs to the second one. For the practical side of staying within both while still learning from your leads, there is a companion piece on gathering lead intelligence in a way that stays GDPR-compliant.
