Actually thing isn’t that. GDPR dictates how and when a company/juridic society can store and use personal information, that can be connect to user. An user has ownership only when
- data can be transferred to another services (images, audio, video, but not commenting in a forum, because all forums have different category structure etc.)
- personal data, meaning user accounts and similar, must be deleted when asked, right away OR after some decent time, unless there is other juridic demands like with web shops
Deleting an user account is not same thing as deleting content. Content can be anonymized, as here (and on quite many other services) will happend.
Shortly: GDPR tells that a company/society can store only needed personal data and for limited time. Cookies and other ”followers” are part of that.
Meta should not set GA-cookies without consent but all other technical cookies are just fine, but those must tell to an user. Meta can ask my email-address, but not my social security number. They can ask my birthday for fun, not as mandatory request.
I am totally different thing. I’m a finn and so are (almost) all of my forum-users. Because I’m a private person driving private, even it is free to all, forum, I’m not operating under GDPR in any means. But my webshop is regulated by GDPR.