The legislation on cookies on web pages is crazy.
The only real problem I am aware of seems to be advertisers profiling web page accesses to target adverts at people. I don't like it myself but can't pin down why more appropriate adverts on sites I visit is in fact bad. Even so, many people really don't like it. I respect that. Making it a law is crazy though as it does not help.
The law at present is silly, but says if users can opt out it is fine. The change happening shortly is to say people have to opt in, unless strictly necessary for a service the user has requested (e.g. shopping baskets and on-line banking, etc).
Sadly it applies to anyone using a communications system to store information in end users' terminal equipment.
Even so, if you consider sending data in response to a request is somehow causing information to be stored, then it must apply to all the information which is stored. That means the cache of the page or image and all the meta data such as last-modified date/time, expiry date/time, and so on. It includes the links in the page served. It includes the fact the browser history is updated. All of it. And most of that is definitely not strictly necessary to provide a service the end user has requested. Caches are not strictly necessary and so cache control meta data and last-modification date/times will need explicit consent to be stored. That means consent before the home page asking for consent is served. That is probably impossible.
This may seem overkill - surely we all know that it means cookies? Or at least means stuff that can be retrieved by the sending server later? Well that would cover Last-Modified as it is sent back in an If-Modified-Since header later and easily has a few billion combinations that could be used to hold a session identifier. Indeed, RFCs recommend browsers send back the exact string from Last-Modified in later If-Modified-Since requests thereby making it exactly like a cookie in operation. The problem is that this is part of normal cache operation and used on virtually every static web resource, so outlawing it would cause real problems, and in some cases costs (bandwidth costs).
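As an added illustration (not part of the original post), here is one way a privacy auditor could tell a Last-Modified header doing its normal cache job from one being used as an identifier: a real modification time belongs to the resource, so every fresh client should receive the same value. The profile names, URLs and dates are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: two URLs fetched by three fresh browser profiles
# (empty cache, no cookies) within the same minute.
OBSERVATIONS = [
    ("profile-a", "/logo.png", "Tue, 03 May 2011 10:15:02 GMT"),
    ("profile-b", "/logo.png", "Tue, 03 May 2011 10:15:02 GMT"),
    ("profile-c", "/logo.png", "Tue, 03 May 2011 10:15:02 GMT"),
    ("profile-a", "/pixel.gif", "Sat, 14 Feb 1998 04:31:07 GMT"),
    ("profile-b", "/pixel.gif", "Mon, 09 Aug 2004 21:02:45 GMT"),
    ("profile-c", "/pixel.gif", "Thu, 01 Jan 2037 00:00:09 GMT"),
]

def parse_http_date(value):
    """Return an aware datetime, or None if value is not an HTTP-date."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed

def audit_last_modified(observations, now):
    """Map each suspicious URL to the sorted list of reasons it was flagged."""
    per_url = defaultdict(dict)
    for profile, url, last_modified in observations:
        per_url[url][profile] = last_modified
    findings = {}
    for url, by_profile in per_url.items():
        reasons = set()
        values = set(by_profile.values())
        # One resource, one modification time: per-client values mean the
        # header is carrying something other than a timestamp.
        if len(values) > 1:
            reasons.add("differs-per-client")
        for value in values:
            parsed = parse_http_date(value)
            if parsed is None:
                reasons.add("not-a-date")
            elif parsed > now:
                reasons.add("future-date")
        if reasons:
            findings[url] = sorted(reasons)
    return findings

if __name__ == "__main__":
    print(audit_last_modified(OBSERVATIONS, datetime.now(timezone.utc)))
```

A clean result does not prove the header is innocent, since an identifier can be hidden in plausible past dates; the per-client comparison is the stronger of the two signals.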
But even if we only meant cookies, the law is stupid as cookies are used for a lot of not strictly necessary things which are also quite harmless. Simply tracking visits to a web site rather than number of page hits (very common). They are also used to hold preferences, even those that are there for disability access reasons. And nobody wants horrid pop-ups on every web site. They are often used to make a session track before a user goes to a shopping basket, and this would have to be changed to meet the rules.
If the law was actually enforced, we would see every web site that stayed in the EU having a landing page "Yes I agree to terms of access to this site" like you get on adult web sites already. Even then, that may not meet the law as the page would go in the browser history before you agree. In fact the adult web sites (the very ones people do not want tracked) already have this sort of thing, and so you end up with their terms saying you agree to cookies and hence tracking!
If the law is not enforced properly you also have a bad situation. Almost anyone in the UK would be breaking this law. I bet having a Facebook page makes you responsible for it in the eyes of the ICO and so probably makes you a criminal if you did not ask for explicit consent to store cookies (and last-modified time, and so on). So you have horrid uncertainty. The powers that be can find yet another law that anyone they don't like is already breaking. It is not good for society to make everyone a criminal under a number of widely un-enforced laws. It allows a police state. The fact that this law cannot possibly actually tackle the problem it aims to also makes it a bad law.
How can we stop these bad laws?