Most of this I am happy with and accept as being on the right track. However, the regulations apply to persistent and session cookies (page 4 of their guidance PDF). This has evidently been written by some arts muppet who does not have the first clue as to how a real web site is written.
Each page refresh to a web server starts afresh, completely unrelated to any previous page served up. This is not how a user sees it: they think of it as a conversation - a session. This sort of session cookie is used to tie the page hits from a user together so that they are related. The session cookie is ONLY returned to the domain that set it, expires when the browser is closed and, generally, is not recognised by the server if unused for 1/2 hour or so.
There is also little distinction on the purpose of a cookie. A request for a larger font size is considered the same as one that records the user's name; the privacy implications of these two are worlds apart.
Much too great an emphasis on the wording of a poorly drafted law rather than what the intention is.
The ICO's own web site:
They make great show of how to do it, but when I agreed to it storing that cookie on my machine I found:
* 2 cookies from www.ico.gov.uk
  - session cookie
  - ICOCookiesAccepted - permanent cookie that expires in 2 years.
* 5 cookies from ico.gov.uk - which is a cross site cookie - a site that I did not agree to.
  Cookies that vary from being session to permanent, which expire varying from 1 hour to 2 years.
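
An added example, not part of the comment above and not the ICO's code: a small classifier that reads `Set-Cookie` headers the way a browser does and reports each cookie's lifetime (session or persistent) and scope (host-only or domain-wide). The headers are constructed for illustration; only the name `ICOCookiesAccepted` comes from the comment, the other cookie names and all values are hypothetical, and public-suffix checks are left out.

```javascript
// Classify one Set-Cookie header as received from `requestHost` at time `nowMs`.
function classifySetCookie(header, requestHost, nowMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);

  let maxAge = null, expires = null, domain = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    else if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
    else if (key === "domain" && val) domain = val.replace(/^\./, "").toLowerCase();
  }

  // Max-Age wins over Expires (RFC 6265); with neither, the cookie is a
  // session cookie and is discarded when the browser closes.
  let expiryMs = null;
  if (maxAge !== null) expiryMs = nowMs + maxAge * 1000;
  else if (expires !== null) expiryMs = expires;

  const host = requestHost.toLowerCase();
  // Browsers reject a Domain attribute that does not cover the setting host.
  const accepted = domain === null || host === domain || host.endsWith("." + domain);

  return {
    name,
    accepted,
    lifetime: expiryMs === null ? "session" : "persistent",
    lifetimeSeconds: expiryMs === null ? null : Math.round((expiryMs - nowMs) / 1000),
    // No Domain attribute: returned only to the exact host that set it.
    // With Domain: returned to that domain and every subdomain of it.
    scope: domain === null ? "host-only" : "domain",
    sentTo: domain === null ? host : domain + " and *." + domain,
  };
}

// Constructed sample headers, as if served by www.ico.gov.uk on 1 Jan 2013.
const NOW = Date.UTC(2013, 0, 1);
const SAMPLE = [
  "SESSIONID=abc123; Path=/; HttpOnly",                                   // hypothetical name
  "ICOCookiesAccepted=true; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/",
  "example_pref=1; Domain=.ico.gov.uk; Max-Age=3600; Path=/",             // hypothetical name
];
for (const h of SAMPLE) console.log(classifySetCookie(h, "www.ico.gov.uk", NOW));
```
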