Seems like the Information Commissioner is not entirely happy with the way the new EU law has been implemented by organisations in the UK - where they have actually bothered to do so.
Sadly UK law in this case, as with the Disability Discrimination Act, has been a little vague when it comes to drawing a line in the sand and explicitly telling us what we should do. The law is drafted and after extensive debate is passed by two Houses and then left to the Courts to decide on the initial cases and through that then setting the boundaries.
The Cookie Law is quite clear in stating that we must all explain what cookies we use and why and then request permission to place the cookie(s) on the visitors machine. The only exception to this being where a cookie is "strictly necessary" to deliver the functionality of the website. But then that is how websites work and ensure the server knows what content to send, what closed areas to allow visitors into and what is in a shopping basket.
And that highlights where the law has not really taken into account how the industry works. Originally they wanted to stop websites gathering personal data and then tracking visitors across the internet from one site to another. But in trying to close all the loop holes they have introduced some draconian measures. The actual words suggest we should ask in every case and, if the cookie request is refused, cannot deliver the website, cannot gather anonymous analytics to improve the site (just the one) nor let people shop or enter registered user areas.
What the ICO needs to do
They need to make it clear that were a cookie is needed to deliver the site without recording any personal information and just for the length of the visit - that this is acceptable and does not require explicit permission. This removes any block that the visitor may percieve where they are not entirely sure what cookies are - and that is probably about 95% of the Internet user population.
They need to make a statement about use of Google Analytics where it is just recording information about journeys, pages visited, return visits and type of browser used - anonymously - so that this can continue without requesting permission. If only 10% were to say No then the statistics become largely useless and we cannot use them to imporve the site and experience.
What have we done
You will see the request at the top of the site for permission. This meets the letter of the law. Only problem is that there would be no access to our client area and no stats to help improve the site if you said No.
The only cookies we use on any CMS system is a "session" cookie that lasts only as long as you are on the site and is completely anonymous. We also use the four key Google Analytics cookies (recently termed "performance cookies" by the industry) which again are anonymous but eimmensely helpful in planning our new site (keep a watch out for the launch soon)
We have put some background information on the website for our customers and you can find that discussion here.