Hi Rory,
This article on Giga Om is worth a read: http://gigaom.com/2011/04/18/britain-says-no-thanks-to-europe%E2%80%99s-cookie-monster/

It suggests that we're OK for a while.

I haven't noticed anyone doing anything on their sites towards this yet, and I can't see how the EU are going to enforce it. If it turns out that we really are going to get permission to use cookies on the site, rather than letting the browser handle it, I was hoping to see how others implemented it first. It could be something that's very easy to get wrong.

There's a very amusing example of what it do to the user experience here: http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html

Matt

I've been following this quite closely and it seems quite likely whilst for the most part Ashley is right that the onus will be with the user/browser, there is a responsibility to ensure you make it explicit on your site what you're doing with cookies and make it easy to opt out. For example doubleclick clients are usually asked to add some copy to privacy statements with a link to opt-out. Make this as clear as possible.

Here is something I've written up internally for Tesco but more than happy to share here:

When I first heard this a few years ago no one could see it being a reality. Now that its a reality, no one believes it will be easily enforceable and indeed whether it will make any difference to privacy (there are always ways around 'laws' in the digital world) - it is basically switching the current opt-out model in place worldwide for cookies, into an explicit opt-in model, specifically for behavioural targeting across websites (it is unclear on the effect on on-site behavioural targeting). That is, the likes of Doubleclick/Criteo that track users across sites then within client sites, serve relevant ads is deemed as cross-site behavioural targeting sites... go browse M&S or Halfords then browse around Hotmail, Yahoo, Sky and you'll most likely see the products you browsed served as ads. However on-site behavioural targeting tools I believe (like recommendations tools, mvt), remain unaffected. The directive tries to split 'explicitly required' cookies from 'marketing cookies' such that it is marketing cookies which track your online behaviour which is under threat...

Firstly, here's a humorous view of it, worth reading the pop-ups to get an idea of how accepting cookies could work at the extreme side of things: http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html

Then the serious part:

Directive Implications
1. Users must explicitly opt-in to allowing ANY cookie enabled device to store certain types of cookie, whether first or third party

2. Whilst this becomes UK Law on the 25th May 2011 (submitted to the EU in 2009**), an amnesty is offered within the UK and companies will not face prosecution if they fail to comply immediately, as companies will understandably be seeking legal guidance on what to do* (update, this has been extended to end of June)

3. It has still not been decided whether browsers should carry the burden of asking the customer to accept the cookie, or whether each and every website needs to do this; my personal opinion is that for every website in the UK to request opt-in is highly unlikely and instead the most likely solution will be a browser update of some sort but then you have the issue of older browsers not having this capability... *

4. We should as matter of course, review Privacy policies of all our websites and ensure they clearly state what data we collect and why we collect it, at the very least which is common best practice (though this law is partly designed to stop websites from hiding this information from users to an extent)

5. [confidential note: removed]

6. "The directive actually applies to only one specific type of cookie: those used by advertising systems to record the sites you visit" ***. If this is true, and it needs substantiation, it would predominantly affect tags such as Atlas, Doubleclick and other similar tracking tags which track users across multiple websites.

7. The funniest thing? Well if you visit a website and reject cookies, then each AND EVERY time you visit that website you will be prompted on whether to accept the cookie; how else would the browser or website know that you'd already said no?!!! "This on its own is likely to lead most customers to (eventually) opt in for the sake of their sanity." ****

8. An interesting note "The response to complaints about firms that flout the directive will be viewed in light of what they have done to prepare for it, continued Mr Graham.[Information Commissioner]"*****

9. The Internet Advertising Bureau (IAB) has created this website for members of the public to be referenced to, to help them understand the use of cookies to help businesses persuade customers to accept cookies: http://www.youronlinechoices.com/

References:
* http://www.ft.com/cms/s/0/ea483208-48ef-11e0-af8c-00144feab49a.html#axzz1HMH7rn00
** EU Directive: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF (this is an amendment of the 2002 Privacy and Electronic Communications Directive)
*** http://www.technologyreview.com/web/35099/page1/?a=f
**** http://econsultancy.com/uk/blog/7275-why-eu-e-privacy-directive-is-not-a-real-threat-to-the-internet-industry
***** http://www.bbc.co.uk/news/technology-12668552
__________

Just a note to say discussion continues here:

http://econsultancy.com/uk/blog/7572-ico-take-an-extra-year-to-chew-on-new-cookie-law