The Charter of Fundamental Rights of the European Union recognizes in Article 8 the right to the protection of personal data. This fundamental right is developed by the European legal framework on the protection of personal data, which consists mainly of the Data Protection Directive and the ePrivacy Directive. They lay down several substantive provisions that impose obligations on the data controller and grant rights to the data subject, prescribe sanctions and appropriate remedies in cases of breach, and establish enforcement mechanisms to make them effective.
Strictly speaking, it is data controllers who bear legal responsibility for complying with data protection rules. However, those who design technical specifications and those who actually build or implement applications or operating systems also bear some responsibility for the data protection aspects from a societal and ethical point of view.
The law applies to all Member States of the European Union. However, even websites outside the EU are required to comply with the law if they are targeting Member States. For example, a site based in the USA that sells products to consumers in the UK, or that has a French-language version of its site aimed at users in France, will still have to comply.
Anonymous cookies, those that do not contain information that would enable you to identify a user, do not infringe on anonymity and therefore are not a problem.
The directive's core requirement is to define how consumers "opt in" or "opt out" of cookies, and what level of information consumers must be given when cookies are used so that they are sufficiently informed.
BT.com is an excellent example of a very well-designed implementation:
Visits to web pages do not reflect actual activity