I'm also going to stay out of this thread now, it seems got needlessly over-heated over what at best is probably not one of the EU's most useful laws.
The problem is, it's a well-intentioned law that hasn't necessarily been thought through properly. Where users privacy is at stake, things will always get a little heated. As someone observed earlier, though, cookies are the very tip of the iceberg!
while still gaining acceptance from users for the site's cookies
I think at it's root, the issue raised with your solution boils down to this;
You are asking
for permission, but not actually doing anything to require permission (i.e. the cookies are being set anyway). If your banner said "We set cookies to improve your experience, if you continue you accept
" or similar then there'd probably be less objections (I still don't feel this is in the spirit of the law, but as the big players have all taken this route I suspect it'll become the norm).There are many sites doing that and be warned ... a list of sites are being compiled and will be submitted to the ICO soon
I promise I'll fix my personal domain soon
I'm actually planning on doing a comparative write-up of the various solutions listed here, hopefully later today (if I don't get buried in something else!). Obviously we have a solution we are selling, but I'm going to try and avoid bias because it's meant to be a useful resource rather than a marketing tool.
I've also implemented a 'Implied Consent' mechanism into Virya Cookie Monster. As I've said before, I don't feel it's a solution that should
be considered compliant, but it apparently is so people are going to want it! Once I've hammered a few bugs all our sites should slip into compliance. To begin with, VS is going to need to use Implied Consent purely on the basis that I don't have the time to properly integrate VCM into all of the systems it uses (the custom ones are the issue really) but in future should change to something I'd consider more acceptable.
I had an interesting piece of feedback from a customer earlier, which would also apply to your solution (probably Chris' too). The user was concerned about the automatic creation of a Joomla user, and didn't understand why it was necessary. I explained why it had to be done, but it did highlight an issue from a developers PoV with this: Users are becoming more and more aware security wise (which is a good thing) but that also means that sometimes good solutions will be deemed 'unacceptable' because of what is perceived as a 'bad' thing.
I may have missed it, but I've yet to see a Joomla solution that doesn't need to use ACLs (i.e. needs a user)? The only alternatives I've seen simply work by unsetting any cookies that have been set (which I don't think actually complies with the law) or by telling the user that cookies are used and offering no choice. I'd love to be able to find a way to achieve the end result without, but it seems to be a bit of a brick wall at this point!
In an ideal world, there'd be a Joomla function setCookie that had to be used for all
PHP cookie setting operations (i.e. instant rejection from JED for using $_COOKIE). We'd then be able to alter that to achieve the desired end, though we'd still need to do some work to catch the JS nasties!
Ach, I dunno. Cookies used to be a good thing, but they've been mis-used so badly that no-one trusts them. It'd help if they were given sensible names rather than a MD5 hash as the name. If your cookie is supposed to track my chosen font size, why not call it font_size rather than blah1234456?