"Cookies" is just a colloquial way of talking about this tracking. What actually matters legally is what you are tracking, not how you implement it. It is completely irrelevant whether your shopping cart uses cookies or not.
That is completely false unless you are talking about the pre-GDPR e-privacy directive.
GDPR only uses the word cookies once and it comes immediately after the phrase "such as", i.e. it's a non-exhaustive list of examples of ways that you could track someone.
