It’s one of the conditions in the GDPR which *does* allow a company to store personal information on their users.

You’re allowed to do so if you hae a “legitimate interest” in doing so. That is, if you couldn’t provide the service you’re providing otherwise.
For example, a website might use a cookie to track when you’re logged in. If they couldn’t do that the website wouldn’t work. So they have a legitimate interest in storing *that* cookie on your computer, and are therefore allowed to do so without asking for your consent.