Hacker News
by g_p 1889 days ago
The UK implementation of ePD is a pretty strict application, only allowing 2 grounds to use a "cookie" (note that means other identifiers like session identifiers, although everyone says cookie).

One ground is necessity to deliver the packets to you (IP address can be used to route a reply back to you in TCP/IP), and the other ground is to deliver a feature you explicitly request, and can't be done otherwise (adding an item to your shopping basket, for example).

Neither lets you go beyond functionality, so use of a TLS session identifier to me would be a straightforward breach, if the purpose was anything beyond basic connection setup. At that point, informed, explicit, specific, opt-in consent is required. And contrary to all the illegal cookie walls, you can't require or presume this consent - that isn't consent!