There’s a major legal question here and you need to be very careful about observing the intent of privacy legislation such as GDPR.
While I’m not a lawyer, every encounter I’ve had with one on this issue leads to the same conclusion: No, you may not assume the person has consented to be tracked using other, technically non-cookie-driven methods by narrowly asking them about cookies.
This applies to using Local Storage or Session Storage, for example, which are just as powerful — and just as privacy-intrusive — as cookies, with the exception that they don’t cross domains. You can’t just store stuff in LS/SS and pass an audit. If you could, we’d hardly be worried about people rejecting cookies!
And it applies to continuously adding the original UTMs to all links on every page — “UTM forwarding” is what we call that. If you told someone you would not track them for analytics purposes, you’re completely contradicting that.
As for the technical side of UTM forwarding: on many sites, it’s simple to update alldocument.links using JavaScript (not jQuery) on page load. On other sites, it’s very difficult to determine which links are used for navigation. For example, a <div>with a click listener won’t be in document.links but can take someone to a new page, and the destination URL may not be found in anhrefattribute and may not be found in the DOM at all, only in JS. You would have to work with your web team to determine every single link-like element and how to find its URL.
.png)