WordPress and EU cookie law – are you compliant?

UPDATE: jump to the bottom of this post for the latest update!

There is a good summary of what the EU cookie law is and means here. It’s a commercial site but provides a clear explanation.

Disclaimer: This is not written by a legal expert. These are just some thoughts on the issue that we hope will be useful; they are not meant as legal advice.

As the article suggests, the first step is to find out what cookies your WordPress site uses. WordPress itself uses cookies. Here is the information on what cookies WordPress uses. There’s a good discussion of the WordPress cookie situation here – it looks like the “comment cookie” is the only one discussed in terms of requiring consent.

There may also be cookies issued by third parties such as plugins and other software or services used on the site such as comments/analytics services.

Once you know what cookies your website uses, it’s probably a good idea to include a cookie policy alongside your website’s other legal statements (Terms of Use, Privacy Policy, Disclaimer) – some of which are already required by law.

Take a look at this example of a well-constructed and clear privacy policy for reference.

It will be interesting to see how the EU WordPress community reacts to the legislation: it is likely that a best practice will emerge in the coming months if the law is fully enforceable.

This is not a 100% comprehensive response, but hopefully it is useful for reference.

UPDATE: Apparently, it’s not enough to just have a cookie policy: users must explicitly consent to receive cookies. Here at Angry Creative, we’re keeping on the policy path and seeing what happens.

UPDATE 2: This is the best advice I’ve seen – it’s a plugin pointing out that the DCMS (the department that oversees regulations in England) doesn’t have a popup, just a policy (and their policy is here). So until they introduce a popup, we’d say just a policy is enough, but again this is not authoritative, just a discussion of the situation.

UPDATE 3: This Google Chrome extension looks like a really useful way to analyse cookies running on your site and generate information for your cookie policy.

UPDATE 4: The law was changed just before it came into force to allow “implied consent” – read this Guardian article for more details. Our current view on all this is that it’s probably (a) necessary to have a good cookie policy as part of your overall privacy policy, (b) good to understand what cookies your site uses, and (c) better not to implement an annoying and intrusive pop-up/consent box. But if you or your customers really feel the need to have one, there are several great plugins to choose from in the WordPress plugin library.

UPDATE 5: As of January 2013, it appears that you no longer need to ask for explicit consent. But we recommend a cookie policy with cookie auditing to ensure compliance.

If you’d like additional training and support for your WordPress site, get in touch!
