[jampekka]

> Honestly I don't understand why the EU focused on the stupid cookie law instead of referers which are clearly privacy-violating.

Neither the ePrivacy directive (commonly called the "cookie law") nor the later GDPR focus on cookies. They are "technology neutral", applying to e.g. URL parameters and HTTP headers too, but just widely misunderstood and badly enforced.

[extraduder_ire]

It doesn't help that the most visible and best SEO'd sites purporting to explain the GDPR are made by advertising/tracking companies, or firms representing/selling services to them.

I'd guess that the average person doesn't know that the GDPR applies even when you're taking details from people by hand with a pen on paper.

[jampekka]

Yes. My diagnosis that this is due to bad enforcement and the refusal to make or stick to clear enforcement criteria. This lead to the deployment being that companies are as maliciously compliant as possible, with the criteria evolving as a loophole whack-a-mole with 10 year iteration time due to enforcers and courts dragging their feet.