You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.
Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.
It's the controller's (in this case FB is def a controller) responsibility to ensure that their use of data has a legal basis.
You're correct. They are ensuring it by placing it in their terms for the use of their code/images on other sites. Nowhere in the GDPR does it say that every third party whose content may be placed on a site must themselves obtain consent. What exactly do you envision? That each page you load have 40 different consent dialogs show up?
How about most sites don't load resources from 40 different sites. Alternatively, how about Facebook ask for the user's consent once to track them all over the web and remember that user's choice.
On ingress the data could be deleted if it didn't correspond to a user that had given consent.
FB doesn't get to use the data unless it's consented by the end user.
It is distinctly not GDPR compliant for FB to claim that their TOS requires consent so it's not their problem. Feel free to read the discussion about co-controllers (called joint controllers) and particularly the A29WG guidance.
Again, under your (incorrect) interpretation of the GDPR, what exactly do you envision? That each page you load have 40 different consent dialogs show up - one for each tracker and external image that is on the page? Some have hundreds.
For each external tracker, you will have to consent that use. By name. Per discussions you can find via Google, even naming a well-defined class of 3rd party controllers is not enough; they have to be individually named.
The fact that some page may have hundreds of co-controllers is immaterial, unless you envision "we don't want to" as a defense to the privacy regulators.
I think we'll have to agree to disagree. I expect that EU users won't be spending all their time on the web issuing 50 approvals for each page they load. You may so despise ad-supported services that this is your dream for the world, but unfortunately for your dream (and fortunately for all users that actually want to be able to use the Web), even the heavy-handed GDPR does not mandate this.
I don't know why you think me relating a correct understanding of the GDPR is my endorsement (or not!). This is what the GDPR requires. You've cited no sources for disagreeing with the formulation of the GDPR as pushed by the very privacy orgs who are in charge of it in 6 weeks.
True! I don't think I ever claimed otherwise, just that they have to be individually consented. And nothing prevents someone from adding an approve all button, but it cannot be the default.
Per GDPR, without consent, FB cannot legally use that data (for EU residents).
And you don't need to trust that; FB knows they're going to be spending some quality time in front of their privacy regulator.