Ah, judging by that report, the law really seems quite reasonable.
Basically, if the user explicitly requests some functionality, like creating an account or saving a preference, and you need a cookie to do that, you don't have to ask permission to set it.
If you want to do anything else with the cookie, you have to get informed consent and the practical way to do that is by making it part of the request e.g. adding an explanation and checkbox to the signup or preferences page. Naturally, the more you want to do with the cookie, the more you have to explain to the user.
So effectively, you get to track users in exchange for their engagement with your site, and you have to (gasp) tell them exactly how you are tracking them.
Basically, if the user explicitly requests some functionality, like creating an account or saving a preference, and you need a cookie to do that, you don't have to ask permission to set it.
If you want to do anything else with the cookie, you have to get informed consent and the practical way to do that is by making it part of the request e.g. adding an explanation and checkbox to the signup or preferences page. Naturally, the more you want to do with the cookie, the more you have to explain to the user.
So effectively, you get to track users in exchange for their engagement with your site, and you have to (gasp) tell them exactly how you are tracking them.