Relevant legislation (say, GDPR) says nothing specific about cookies, just about using client-side state. Granted, relevant legislation also says privacy should be the default, and that you can't coerce people into accepting loss of privacy.

Anyways, that would then need to use a, say, "local storage banner" for most intrusive tracking and we're back to square one.