TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.

You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.