For the record, the above information is incorrect.
@paulmelis I think you are correct and this is a good catch.
A persistent cookie does need explicit permission even if it provides specific functionality to the user: the user must have explicitly requested the functionality.
To make things worse, the various existing “cookie consent banner” solutions that are currently available for Discourse, including the official theme component, are not GDPR compliant. They will only inform the user about these cookies being set, but if the user does not click the “I understand” button then Discourse will happily set those cookies anyway. In other words, these solutions are not asking for permission for something to happen, they are informing the user that something is happening (or worse: happened already).
So even if you have a cookie consent banner on your forum, if you have persistent sessions enabled, you’re still in violation of the GDPR.
This all said, I doubt that this will be a huge problem in practice, but for those of us that are looking for 100% compliance this is an issue indeed.
For now your only option will be to disable the persistent sessions setting.
At first glance, this does look very doable in a plugin, although it would be much better if this was in core Discourse.