to avoid detecting 'no cookie' and asking if it's ok to create one, then I 'think' it's ok to create a cookie that holds zero personal information, merely acting as a state flag.
And that is where the catch-22 comes in. They have the exception that "being necessary for the program to function" can allow a cookie, but to me attaching a cookie to a specific user that needs to know who they are next time they come back defeats that whole purpose. Obviously nothing personal is being stored but I could still see it being called a "tracking" device.
Let's look at it the other way around...
Let's say user A has no problem with cookies and User B has concerns about privacy, so would prefer not to have cookies.
User B does not want cookies. So they visit site 1 and say no. Site 1 becomes unusable to them, or limited, or just sends them to a privacy statement. Or... the site has no cookies now, so EVERY page that loads prompts them about whether to allow cookies. This continues on EVERY site they visit.
Then... a few weeks pass. User A has approved all the sites they normally visit so internet is pretty much back to normal. Then they need to try a new browser or clear their settings for some reason. Sometimes clearing cookies is necessary. Now, all those sites have forgotten about the fact that User A is okay with cookies and he has to re-approve all the sites.
No matter the preferred method of "complying" with this ridiculous law on each site, this is the only end result. Endless prompts, re-prompts and frustration.
If it is as easy as just allowing a user to opt-out, shouldn't that be handled ONCE by a browser?
In fact, browsers already do this:
Check out the awesome footer they use on that site, btw. Or the ugly header on the ICO site: http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cookies.aspx
Won't that be a great way to greet ALL new visitors to EVERY site?