Because legislatures are incredibly short sighted and ignorant when it comes to technology. ("Would you like to accept cookies on this site you chose to visit, if not it won't work and you should probably leave")
Don't blame the legislators for malicious compliance. Don't set cookies (which is the perfectly reasonable thing to do for read-only visitors of many sites) and no consent is required.
And if the user registers for an account then they can be informed as part of the signup because it's a technical necessity to maintain a login, again no banner needed.
I wasn't attempting to be literal. The observed effect "in the wild" though is pretty obvious, and the overall experience of the internet is worse off for it.
There are two pieces of law about two very different things. (IANAL.)
- The ePrivacy Directive from 2002 (!) is (in its opt-in part) about sites storing stuff by whatever mechanism on the user’s computer (not just cookies, despite its nickname of “cookie law”). The explanatory text allows the “storage or GTFO” approach you are referring to. No mention is made of deletion of data, as the directive is purely about client-side storage, and the user can presumably delete that. Any storage technically required for the site to operate (e.g. login cookies) is specifically exempted, it need not even be mentioned.
I would not say this turned out particularly useful, but, well, in 2002 Microsoft was publishing books on .NET thick clients with chapters on interoperability with COM+ distributed transactions and SOAP was the hot new thing not even in Recommendation status yet. Nobody can see the future all that well, large organizations especially.
(I understand a more useful update to that has been stalled by GAFAM lobbying efforts for years now.)
- The General Data Protection Regulation from 2016 (not a typo, there was a generous grace period) is about organizations tracking people through whatever means. The “tracking or GTFO” choice (or its close relative, “tracking, money, or GTFO”, as seen e.g. on French newspaper sites even today) is explicitly illegal, though of course showing ads with no tracking is not in scope. As the tracking data is stored by the organization, the user can demand that it be deleted. Any tracking technically required for the organization to operate (e.g. lists of customers who have used their free trial) is specifically exempted to the extent that the requirement exists (e.g. as long as the free trial is offered).
This one is working out better, although there seem to be tricky international law issues (“directive” vs “regulation”, jurisdiction etc) that mean that enforcement is less efficient that it could have been (e.g. Google and Facebook have mainly been prosecuted via ePD, as the GDPR complaints have to be routed through the Irish authorities, who have jammed their fingers into their ears and gone “lalala can’t hear you”).
And if the user registers for an account then they can be informed as part of the signup because it's a technical necessity to maintain a login, again no banner needed.