Setting cookies without asking permission while claiming GDPR compliance – chef's kiss.

To be precise: cookie consent isn't actually regulated by the GDPR itself. It falls under the ePrivacy Directive, which requires explicit consent before storing anything on a visitor's device, unless it's strictly technically necessary.

Cloudflare cookies are, at best, highly debatable as "technically necessary." So the GDPR claim is technically correct – but the site is likely non-compliant with EU law anyway.

I'd recommend dropping CF.