EU Cookies Directive

On 26th May 2011, the EU Cookie Directive comes into force. You're going to need to tell visitors to your website what information you're tracking about them.  So, how do you comply?

From Slashdot:

"The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — its current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."

As with many regulations that small businesses have to deal with, this is poorly thought out, and those managing / creating it don't seem to understand either business or technical realities.  In particular there are two areas of concern:

  1. Session cookies - these are set during a browsing session on a site.  They're vital for e-commerce, sites where you log in or indeed any proper functionality.  They don't need to hold any data about the person; they simply store something called 'state' - which is where a user is inside your website.  After the session ends (which is when the browser is closed or the session times out on the server) these should disappear.  Why these are included in the regulation is a mystery... but they apparently are.
  2. Third-party cookies - use Google Analytics, Facebook Likes, Google Calendars, YouTube videos - name any external functionality on your site, and you can bet it is also setting cookies.  You need to tell users what those collect too!  It's a bit of a nightmare, and even the ICO doesn't really seem at all clear as to what they are proposing.
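Before you can tell visitors what your site stores on their machine, you need an inventory of it. The script below is an added example (not code from the original post or from the author's business): it takes Set-Cookie headers captured while loading a page, along with the host that sent each one, and classifies every cookie as session vs persistent (by the Max-Age / Expires rules of RFC 6265) and as first-party vs third-party relative to the site's own domain. It also records the Secure and HttpOnly flags, which goes slightly beyond the two concerns above but is what a site owner would want in the same table. The site domain `example.co.uk`, the tracker host under the reserved `.invalid` TLD and the three sample headers are all constructed for the example; public-suffix handling is left to the operator, who supplies the site domain explicitly.

```python
"""Inventory the cookies a site sets: session vs persistent, first vs third party.
Added example, not from the original post. All hosts and headers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


@dataclass
class CookieRecord:
    name: str
    set_by: str        # host of the HTTP response that carried the Set-Cookie header
    domain: str        # effective domain: Domain attribute if present, else the response host
    lifetime: str      # "session", "persistent" or "deletion"
    party: str         # "first" or "third"
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie header into (name, value, {attribute_lowercase: value or True}).

    Attributes without '=' (Secure, HttpOnly) are recorded as True. Expires values
    contain a comma but no ';', so splitting on ';' is safe."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def lifetime_of(attrs: Attrs) -> str:
    """RFC 6265 lifetime rules: Max-Age takes precedence over Expires; either makes the
    cookie persistent; a non-positive Max-Age deletes it; neither means it lives only
    for the browser session (the behaviour described for session cookies above)."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return "persistent" if int(max_age) > 0 else "deletion"
        except ValueError:
            pass  # malformed Max-Age is ignored by browsers; fall back to Expires
    if "expires" in attrs:
        return "persistent"
    return "session"


def is_first_party(site_domain: str, cookie_domain: str) -> bool:
    """First party if the cookie domain equals the site domain or is a subdomain of it.
    The leading dot some servers still emit (Domain=.example.co.uk) is ignored."""
    d = cookie_domain.lower().lstrip(".")
    s = site_domain.lower().lstrip(".")
    return d == s or d.endswith("." + s)


def inventory(site_domain: str, responses: List[Tuple[str, str]]) -> List[CookieRecord]:
    """Build the disclosure table from (response_host, set_cookie_header) pairs."""
    records = []
    for host, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        domain_attr = attrs.get("domain")
        domain = domain_attr if isinstance(domain_attr, str) else host
        records.append(CookieRecord(
            name=name,
            set_by=host,
            domain=domain.lstrip("."),
            lifetime=lifetime_of(attrs),
            party="first" if is_first_party(site_domain, domain) else "third",
            secure=attrs.get("secure") is True,
            http_only=attrs.get("httponly") is True,
        ))
    return records


# Constructed sample: three responses captured while loading one page of www.example.co.uk
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "PHPSESSID=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.co.uk", "remember_me=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"),
    ("stats.example-tracker.invalid",
     "__tid=xyz; Domain=.example-tracker.invalid; Max-Age=63072000"),
]

if __name__ == "__main__":
    for r in inventory("example.co.uk", SAMPLE_RESPONSES):
        flags = ("Secure " if r.secure else "") + ("HttpOnly" if r.http_only else "")
        print(f"{r.name:12} {r.party}-party  {r.lifetime:10} domain={r.domain:28} {flags}")
```

Run against a real capture, the output is the list a cookie notice has to describe: the first-party session cookie that vanishes when the browser closes, the first-party persistent cookie with its expiry, and the third-party tracker cookie whose two-year Max-Age and foreign domain are exactly the "muddy waters" the ICO guidance struggles with.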

The Information Commissioner's Office (which is responsible for this) has said businesses should show they're making an effort to comply (and at the same time has given us all a year's grace). In the meantime they're trying to work with browser manufacturers to create a global solution.


Update: Our Solution

As a business, we feel the need to stay on top of trending technical issues. We don't charge extra for things we think every one of our customers should have. So it is with the EU Directive 2009/136 EU. Every one of our customers now has a little popup explaining the cookies their websites collect. It's not the full solution, but we are certainly aiming to show the Information Commissioner's Office that we and all our clients are doing our best to comply.