Assuming it's implemented correctly, yes. The tracking should be opt-in, so by default none of it should happen until a positive opt-in is received from the user.
In practice, most are poorly implemented though so I wouldn't count on it. The solution is to lobby for proper GDPR enforcement and in the meantime defend yourself by using antimalware solutions such as uBlock Origin and blocking malicious domains/ASNs at the network level if you can (Facebook is entirely blocked on my network, so even if my blocker fails it won't be able to do anything).
In practice, most are poorly implemented though so I wouldn't count on it. The solution is to lobby for proper GDPR enforcement and in the meantime defend yourself by using antimalware solutions such as uBlock Origin and blocking malicious domains/ASNs at the network level if you can (Facebook is entirely blocked on my network, so even if my blocker fails it won't be able to do anything).