CMS has built-in support for GDPR cookie compliance. This needs to be integrated into AB Testing. That is, if a user has not agreed to cookie usage, we should not allow the user to be part of a test, and cannot create cookies for that user. This is supported as documented here.
The solution is to call the IAggregatedPersonalizationEvaluator.Personalize and, if any of the implemented return false, the user is not included in the test, and no cookies will be created.