Technically under the directive, any storage of information on the user's system should have the full consent of the user, with the exception of information which is strictly necessary for the functioning of the service requested by the user (see 2009 amendment to the original directive[1]).
Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.
At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, and cookies which deal solely with the user's usage of the site where the cookie is set.
No, consent is not assumed. From my understanding, most browsers are generally set up to accept cookies automatically. If it was the other way round, and users had to physically change their settings, this could be an appropriate opt-in.
The E-Privacy Directive specifically contemplates browser solutions as being a potential solution; however, I understand that at this stage, there isn't an acceptable implementation.
If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.
I suspect browser makers are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate for a more nuanced one dependent on each site's cookie usage.
You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.
Sorry for the brevity, but the only thing I can think of is: A-fucking-men. This is a colossal waste of time and resources, and it's a complete distraction from other -real-, -actual- privacy concerns that everyday citizens should have. This is not one of them, and there is already a solution.
Actually that would be a good potential solution to have cookies on browsers automatically disabled but one that advertising networks and companies that rely heavily on advertising revenue (Google for example) are lobbying hard against for obvious reasons. As a result, I don't think this option will make an appearance anytime soon.
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...