The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand. You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!
This is the problem I have with SMF: I understand their view that they're in the US and as such they take the view that it does not apply to them. But they're not offering advice on how to be compliant, and given what's involved, and how deeply rooted it is into SMF, with its session management and also the privacy concerns of Who's Online, and that's where the problem is. If the team isn't actively taking this on board, who is? Is anyone?
And that's the problem: it leaves people like you and me (taking off my platform steward hat for a moment) in the lurch because if the platform itself isn't going to take responsibility, that means the site owners have to, and without any guidance, how can they?
As I said in my email, I don't know if other platforms are taking this seriously, but I don't see big noises about doing so, put it that way.
'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
The thing is, even with the source code available, it isn't that easy to identify what the cookie does, especially if you observe that the PHPSESSID is actually potentially set for 3 years at a time when it is supposed to be a session cookie, it does make you wonder what's going on.
If we make it difficult or even impossible to be compliant, I myself can't use Wedge on my own sites, that's the bottom line. If I can't be reasonably sure that Wedge will be compliant, I don't see how I can in good faith or otherwise operate Wedge on my own sites, so even though I personally believe that it's for show, I can't take that chance for my own stuff, and I can't, thus, take that chance of dropping people in it who use Wedge in good faith.