Some countries even refuse to implement them, as the Swedish government did with the Data Retention Directive (http://en.wikipedia.org/wiki/Data_Retention_Directive). See
(scroll down to implementation) for a while. Then they complied.
But that won't happen either: it's a law that applies to EU companies with a website. Your company might have to worry a little if they chose to incorporate in Europe.
And yes, this is a somewhat ridiculous situation; but in practice it's not really likely to be a problem, unless you've got a major presence in an EU market.
In practice, the UK at least is extremely unlikely to pursue any non-UK companies for breaching the UK interpretation of these regulations (which is very light-touch anyway); if only because of the difficulty in taking effective action.
Other member states might take a more or less proactive approach in pursuing action; and other countries have a different take on the regulations anyway.
Basically, if I was a small-ish non-EU based website with EU customers I'd be keeping an eye on this to see where it goes, but I wouldn't take any action yet.
If I was a large non-EU-based site with tens of thousands or millions of EU customers, I'd be paying quite a lot of attention; what I did about it would depend on my risk profile.
The other option is to ignore the directive, which is what most websites will do.
"It is the responsibility of every citizen to ignore dumb laws."
And I would add that the whole world would crawl to a halt and descend into total chaos if everyone followed every law in the books. Too many laws are plain incoherent, inconsistent and impossible to follow.
The reason is that blocking the domain in your hosts file will prevent the functions from ever loading, and so something like this (the standard code for doing cross-domain tracking):
<a href="http://thirdpartycheckoutsite.com" onclick="_gaq.push(['_link', 'http://thirdpartycheckoutsite.com']); return false;"></a>
(I actually abhor the practice of doing this this way, because it's so easily breakable, but this is the "recommended" way of facilitating cross domain tracking)
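As an added illustration (not code from the thread) of why the link above goes dead when ga.js is blocked, here is a small simulation: `win` stands in for the browser window, and the ga.js takeover is a constructed stub that defines `_gat` (the global the real script creates) and replaces `_gaq` with an object that executes queued commands.

```javascript
// Added example, not code from the thread: simulates the GA cross-domain link
// with and without ga.js loaded, and a guarded handler that degrades cleanly.

// The GA async snippet defines _gaq as a plain array in the page itself,
// so it exists whether or not ga.js is ever fetched.
function makeWindow(gaLoaded) {
  const win = { location: null, _gaq: [] };
  if (gaLoaded) {
    // Constructed stub of ga.js taking over: defines _gat and replaces _gaq
    // with an object whose push executes commands; '_link' navigates with a
    // (constructed) linker parameter appended so the session carries across.
    win._gat = {};
    win._gaq = {
      push(cmd) {
        if (cmd[0] === '_link') win.location = cmd[1] + '?__utma=constructed';
      },
    };
  }
  return win;
}

// Browser semantics for an inline onclick: a false return cancels the
// default navigation to href, anything else lets it proceed.
function click(win, href, handler) {
  if (handler(win, href) !== false) win.location = href;
  return win.location;
}

// The thread's snippet: push the command and unconditionally return false.
// With ga.js blocked, push only appends to the array and nothing ever
// processes it, so the link silently goes nowhere.
function naiveOnClick(win, href) {
  win._gaq.push(['_link', href]);
  return false;
}

// Guarded variant: hand the click to GA only once ga.js has taken over;
// otherwise let the browser follow the link normally (no tracking, but it works).
function guardedOnClick(win, href) {
  if (typeof win._gat === 'undefined') return true;
  win._gaq.push(['_link', href]);
  return false;
}
```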
If you use one of the "official" Google opt-out plugins, it'll load ga.js, but it'll block any information from being sent about you to Google, it'll block Google Analytics cookies from being sent, and it won't break any site functionality.
It's more user friendly and easier to modify websites that shouldn't be blocked than a big hosts file.
If only getting rid of spy cookies/tracking was so easy...
A less painful solution would be to try and solve this at the browser level where the experience for end users would at least be consistent. Like a blend of DNT & private browsing mode that had extremely restrictive criteria for cookie usage - if any.
Something like [Ghostery] would be a nice starting point.
Of course the better solution would be to erase Article 5(3) and start again. Good intentions, bad directive.
Why? It will make people better aware of what cookies they have, and how they are used. Which is probably a good thing.
And nobody cares about that level of technical detail either, and why would they?
If the gov't is so keen on regulating Web stuff, they should have a regulatory body that reviews and audits Facebook's and Google's internal handling of user data, to make sure they actually don't abuse them secretly.
This cookie thing doesn't make any difference for privacy protection at all.
Considering web browsers already have cookie controls built in it seems a bit silly to incur such an enormous cost in implementing a completely redundant feature.
I think the effort would be better spent on publishing transparent descriptions of what data is collected and what it is used for than for designers to each create their own non-standard dialog boxes. The cookie issue could be "fixed" (to the extent possible with pointless legislation) with a link to an EU-published HOWTO on configuring a web browser.
I've already had to explain to my parents that cookies aren't evil, the sites they visit (BBC/Google etc) are mainstream and fine.
As an EU resident and webmaster of several sites for myself and clients, I see little benefit to my visitors other than causing me a lot of grief over trying to follow guidelines and hoping my implementation doesn't break them.
I was speaking to a client about it today; he hasn't seen anything about it and I doubt many small business owners have seen (or cared) much about it.
I highly doubt that is the interpretation of "opt in" that the various Data Protection agencies will take.
They are so ubiquitous that browsers typically accept them by default now, but they are still an optional feature. This EU mandate could have been just as well fulfilled by requiring browser vendors to have the accept cookies warning turned on by default and let users turn it off at their peril. Instead, it has just added another chunk of compliance for web workers to adhere to. Users are still going to be the same ol' users who click "Accept" because they want to get into whatever they were trying to get into. Only now, there's a lot more room for lawsuits.
However last week the ICO issued new guidance saying that implied consent is OK
News article here:
The UK formal advice here (PDF)
A rather handy site that has an easily integrated tool for implementing Directive-compliant opt-out on your site
and the Drupal module:
I look forward to each individual shop/business making us sign a waiver when we enter a shop with CCTV, i.e. 95% of UK shops
So would a lot of people, but the official guidance makes it clear that they are not considered vital as far as these legal rules are concerned.
The "essential cookies are OK" criteria relate to the functionality the user has explicitly asked for, not to functionality that the site operator needs to run the site in a commercially viable fashion. Thus things like session cookies to record that you have logged in or what's in a shopping cart are OK, but things like analytics aren't allowed to piggy-back on top.
There seems to be some doubt about how seriously anyone in the UK is going to take these rules, though. Even the ICO can't get its opinion straight, and it's the government body responsible for enforcement. As I understand it, we're already taking this whole mess far more seriously than most countries in the EU, in that some web sites run by large organisations have made some effort to comply with the rules, while even that might not be true in most places that are theoretically affected.
Ironically Neelie Kroes, the EU's Digital Agenda Commissioner, now wants us to have mandatory electronic id cards storing god only knows what information about us.
This is a far worse infringement of our rights than some aggressive retargeting, as opposed to being asked "papers please" on the Eurostar.
I think I will change my last name to Pike :-)