I noticed the article paints a picture as though this law will effectively break the functionality of the web and/or make it so annoying that nobody will want to put up with it. I think that's completely wrong. The conclusion that this is "Breathtakingly Stupid" is correct, but not for the reasons stated in the article.
From the article:
Here's what's coming. The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.
OK... so you won't be barraged with consent requests every time you visit any web site that needs to maintain session state between two or more pages or track the fact that you've logged in.
So it would seem that the good news in all of this is that this really only pertains to those cookies used for annoying things like advertising and market analytics & profiling; those things that invade your privacy. ...or does it?
What's in a cookie? That all depends on the cookie. Some cookies store all the data being tracked by the cookie. But other cookies are essentially an index -- they store no real data, but merely help the server identify you to the server where the real data is kept. This is where things go gray and the law becomes "breathtakingly stupid."
The law assumes that websites intent on "violating your privacy" (whatever that means) actually need to use cookies in order to do it. This is like wanting to outlaw murder and, in order to do so, just passing a law that bans handguns (as if handguns are the only way someone might commit the crime).
Rather than create a separate cookie which exists for the exclusive purpose of marketing analytics (or whatever other violation of a user's privacy the website or its partners want to perform), now the website just needs to create a 'meta cookie', if you will. They have carte blanche to create a session cookie for maintaining your login or user session (essential to the operation of the website) without your consent. They can create what you could think of as 'server side meta-cookies' -- where instead of storing a cookie in your web browser, they store the cookie and its value as an attribute of your session profile information which is stored only on the server. The only cookie you actually have is your login / session cookie.
Under this scenario, the law only drives the activities of user tracking deeper into the shadows. Before you knew they were tracking you... you had a cookie. But you could delete those and know that they were gone. NOW they'll track you based on session attributes you cannot delete because it's on someone else's server.
There's a huge gray area around the "strictly necessary" clause. If your website is entirely ad-revenue-funded, and without tracking you wouldn't be able to provide a service to your users at all, is this "strictly necessary"? Google is ad-revenue funded. Then there are sites like Amazon which perform tracking for cross-sell / up-sell purposes (e.g. "Do you want this USB printer cable that goes with that printer you just put in your cart that 98% of the other people that bought that same product discovered they needed because no printer actually comes with a cable?"). After all, the data needed to track those buying habits isn't essential in order to track your user session or maintain your shopping cart, but it sure is useful to the end-consumer and they're not necessarily collecting it to invade your privacy.