OK, so I've been reading up on the guidance issued by the ICO.
They actually go as far as to note that there is an exemption for 'important' as opposed to 'strictly necessary' cookies, and that 'cookies used for analytical purposes to count the number of unique visits to a website, for example' are not likely to fall within the exemption.
Going back to the whole PHPSESSID thing, which is relevant here, we could remove PHPSESSID, and simultaneously drop the entirety of the problem with the cookie law in the process, by simply not starting a session for guests (and take the view that if our own cookie wasn't supplied, it's nothing we're interested in). BUT this would mean losing accuracy in the guest count, and would require much more work under the hood.
The other thing is that if we go out and use IP addresses, we do actually bend the other guidance that there is regarding behavioural tracking. Like a lot of things, it is about the lawmakers making policies that don't really work - except that the ICO doesn't have the same view that the French authorities have.
It does also seem that there is a certain degree of insanity in the wording. From what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of whether it is run in the UK or not, and have it taken up with the appropriate country's authorities on the matter.
We also have a problem that needs resolving, namely that setting the regular cookie to 'forever' also manages to set the PHPSESSID cookie to 'forever' too. I need to re-evaluate getting rid of PHPSESSID, because if PHPSESSID is actually a session cookie, not a persistent one, we can much better argue its case as important. But there is still an issue with respect to privacy, since the admin can see what users are doing because it's logged.
(That is definitely a privacy concern, btw. Going through logs is considered valid if you explain that you have that power. We can probably argue that it is much the same thing, except slightly more real time, and from a privacy perspective more problematic because it's not just logs, it's personally identifiable.)
Jeesh, it's a mess.
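The two mechanical points raised above (only start a session when our own cookie came back, and stop the 'forever' remember-me cookie from dragging PHPSESSID along with it) can be separated cleanly in PHP. The snippet below is an added illustration, not the poster's or the project's code; the cookie name `remember_me`, the one-year lifetime and the cookie flags are assumptions chosen for the example.

```php
<?php
// Added example (not the forum author's code). Assumptions: the persistent
// "remember me" cookie is called remember_me and lives for one year; the
// session cookie keeps PHP's default name (PHPSESSID). Requires PHP >= 7.3
// for the array form of session_set_cookie_params() and setcookie().

const REMEMBER_COOKIE   = 'remember_me';          // hypothetical cookie name
const REMEMBER_LIFETIME = 60 * 60 * 24 * 365;     // hypothetical: one year

/**
 * A guest who never received one of our cookies is not tracked at all:
 * no session is started, so no PHPSESSID is ever set for them.
 */
function sessionWanted(array $cookies): bool
{
    return isset($cookies[session_name()]) || isset($cookies[REMEMBER_COOKIE]);
}

/**
 * Start the session only when wanted, and pin PHPSESSID to a browser-session
 * cookie (lifetime 0) so that it stays a "session cookie" no matter what
 * expiry the separate remember-me cookie carries.
 */
function startSessionIfWanted(array $cookies): bool
{
    if (!sessionWanted($cookies)) {
        return false;
    }
    // Must be called before session_start(); lifetime 0 = expires with the browser.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    return true;
}

/**
 * The persistent cookie gets its own expiry via setcookie(); it does not
 * touch the session cookie parameters, which is the separation the post wants.
 */
function setRememberCookie(string $token): void
{
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Per-request usage: only returning visitors get a session at all.
$hasSession = startSessionIfWanted($_COOKIE);
```

The trade-off the post mentions still holds: first-time guests never get a session, so they cannot be counted by session and any guest count has to come from somewhere else (and counting by IP address runs into the behavioural-tracking guidance the post refers to).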