> Honestly I don't understand why the EU focused on the stupid cookie law instead of referers which are clearly privacy-violating.

Neither the ePrivacy directive (commonly called the "cookie law") nor the later GDPR focus on cookies. They are "technology neutral", applying to e.g. URL parameters and HTTP headers too, but just widely misunderstood and badly enforced.