There is so much misinformation about GDPR that sites like this spread.
First, the law only relates to personal information about EU citizens or residents. If what you're doing doesn't identify someone, then you don't have to do anything about it for GDPR.
Second, there is no special treatment required for cookies. They are as important or unimportant as collecting personal data with pen and paper. If you use cookies that use personal data, then you should disclose that type of data (you don't have to list every field), why, and which of the six justifications for use you're using. You don't need special cookie policies and you don't need to list every cookie and its attributes in perfect detail. You have the choice of doing so, and some people might argue that it is good to do so, but its not required by law.
Thirdly, there are six grounds for processing data. Consent is one. Just one. There are five others.
In a lot of situations, you don't need permission to use data. You just need to decide which of the other five grounds justifies you using it.
Fourthly, if a data subject asks you to do something, you don't have to do it if you have a good reason. If someone asks you to delete all information, you can refuse if you're a business for example, because you might need that data for another reason (such as to comply with other law, such as tax law). There are all sorts of examples.
Lastly, the regulation itself provides for weakening of the policing for small businesses. The supervisory bodies have said that they will not issue fines before first issuing warnings. And most supervisory bodies, as pointed out here, are understaffed and under-funded. They'll go after Facebook, not $100 a month affiliates.
Download a good privacy policy template (if you deal with data of EU citizens), and show that you've made an effort to comply.