Even with tracking you merely need a privacy policy in a place users can find. It's considered implied consent to continue using a site if the site makes a reasonable effort to make you aware that such a policy exists.
However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after a while (i.e. no need to click "ok"). But other governments may view it differently, so I can understand some large organisations being cautious.
> Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
> Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
> Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
> Explicit consent must be expressly confirmed in words, rather than by any other positive action.
Most sites don't adhere to that at all, as there's pretty much no way to "not agree", which means they cannot rely on consent as a legal basis for processing PII.
I feel it's important to note that, although implied consent doesn't mean anything in a GDPR context, consent isn't necessarily required at all. It's only one of 6 different justifications a business can use to show their activities are legitimate: https://gdpr-info.eu/art-6-gdpr/
And they all have their own stipulations. Contract requires that the data is needed to perform your part of the contract; legitimate interests requires documentation proving you do need the data and weighed the risks to users.