Thats a good find. However "strictly necessary" is pretty vague. Tracking your own users on your site to optimise it for them would potentially be out of the question. Though if you sign up you could implicitly allow it with terms and conditions.
I'm still reading the ICO report. It does talk at some length about what kind of measures are needed to comply with the coming legislation, and emphasises that the rule is about privacy protection, and that uses of cookies that don't build up a picture of users aren't what it targets.
The legislation does look bad for startups whose business plan revolves around accumulating data on users or selling targeted ads, but the ICO report looks pretty aware of how cookies are used in practice and not at all the "ignorant intervention" that the article describes.
The ICO report says that is fine, provided that it is (i) sufficiently informative and (ii) you provide an update to existing users about the change in terms.
I'm wondering about the following: what if I wrote a bit of Javascript serving up a picture of a pile of cookies during normal use, which can be clicked on to to call up a pop-up window describing how my site makes use of customer-tracking software with a dialog allowing the user to switch to untracked mode. Untracked mode could be implemented by issuing -you guessed it- a cookie, but one which is only used to check that the user opts out, and so is "strictly necessary" for this approach.
It's sailing close to the wind: there's no positive act of consent; but by making it easy to see the state of privacy and change it, it is arguably more privacy-friendly than a T&C. I'm tempted to try it on my site and get feedback.
The ICO report also talks about use of browser settings to govern privacy.
Still doesn't help with anonymous users...