Your first paragraph describes GDPR, which does not require cookie popups.
But there is also the e-privacy directive (older than GDPR) that does require a cookie popup for any cookie not strictly required to deliver the service. Regardless of whether it tracks PII. So this also applies if for example you only want to know whether someone is a returning visitor or a new visitor without storing any identifier.
But there is also the e-privacy directive (older than GDPR) that does require a cookie popup for any cookie not strictly required to deliver the service. Regardless of whether it tracks PII. So this also applies if for example you only want to know whether someone is a returning visitor or a new visitor without storing any identifier.