I would think that it shouldn't require a law. Just redefine the HTML standards so that conformant browsers can't have a cookie privacy setting lower than "ask me first before every cookie". Although that would be extreme in today's web, while cookies that are valid between sites can already be turned off by privacy settings, as they should be.