> Honestly I don't understand why the EU focused on the stupid cookie law instead of referers which are clearly privacy-violating.

Neither the ePrivacy directive (commonly called the "cookie law") nor the later GDPR focuses on cookies. They are "technology neutral", applying to e.g. URL parameters and HTTP headers too, but are just widely misunderstood and badly enforced.

It doesn't help that the most visible and best SEO'd sites purporting to explain the GDPR are made by advertising/tracking companies, or firms representing/selling services to them.

I'd guess that the average person doesn't know that the GDPR applies even when you're taking details from people by hand with a pen on paper.