@David
From the user's point of view nothing can be done with session IDs in the URL as if you delete them by hand they keep coming back and if you share the link with someone else or a search bot crawls your site it's a possible security problem.
However properly managing the cookie permissions allow you to reject session IDs on a per site basis if you really want to. Otherwise you can wipe them on exit.
The shadier side of the net can track you with flash cookies, DOM storage, local DB, history sniffing and more. They are only going to take advantage of the 'are you okay with this' message to install malware as someone mentioned here. Do you think premium SMS scammers and 070 fraudsters and the like respect the TPS and Ofcom?
Far better to push for DNT as in the states (and it's not often I say something like that) than annoy everyone with messages that give the impression that 'cookies are bad, m'kay'.
A perfectly good solution to a technical problem (storing state using a stateless protocol) has now been made clumsy to use by clumsy legislation, not just in the UK but across the whole of the EU.