Interestingly, despite the fact that the legislation is based on protection of personal information and privacy, it applies even when a cookie is not being used to collect any personally-identifiable information. The rules apply to all cookies, and are intended to prevent information from being stored on users' computers without their informed consent.
As is the case with privacy consents in general, the preferred approach for cookies is to obtain explicit consent. This can be achieved, for example, by providing a notice to the user explaining what cookies are, how they will be used, what they will do, and asking the user to click "I agree."
Explicit consent is the best legal way to ensure that the user has really consented to the issuance and acceptance of cookies. However, it is onerous and irritating, especially if it is done each time the user visits the website. That's why implied consent is also acceptable, at least in the U.K.
Implied consent involves providing information to the user and looking for some action by the user which indicates that the user has consented. For example, a website may post a clear and unavoidable notice when the user first visits the site, advising the user that cookies will be used, and explaining what cookies are. If the user clicks on any other pages within the site after the notice has been displayed, the user may be deemed to have given implied consent to receiving the cookies described in the notice. The requirements and wording of the notice may vary depending on the audience, such as how tech-savvy it is.
Failing to comply with the rules may result in a number of actions. In the U.K., those actions range from an information notice and request to comply (on the low end), to a monetary penalty of up to £500,000 (on the high end).
The U.K. law applies to all companies in the U.K., even if their websites are hosted elsewhere. Likewise, the U.K. Information Commissioner's Office has taken the position that Canadian and other foreign companies should comply with the legislation if their websites are designed for the European market, or if they provide products or services to European customers. Practically, it may be difficult for EU authorities to enforce this law against Canadian companies that have no assets in the EU; however, there are good domestic reasons for Canadian companies to comply with the legislation as well.
In particular, Canada's anti-spam legislation, which has been passed but not yet implemented, contains similar rules regarding cookies in Canada. The starting point in Canada is that express consent is required to install a computer program on anyone's computer system.
Obtaining consent requires: (a) clearly and simply explaining the purposes for which the consent is being sought; (b) describing the function and purpose of the program and providing all other prescribed information; and (c) obtaining the user's consent. The legislation permits implied consent for cookies if the user's conduct is such that it is reasonable to believe that they have consented to the installation of the cookies.
I agree with it being a stupid law, I didn't make it!
From what I read I believe that if the website may attract EU visitors then you need to apply the rule.
Which I read as any website.
And with NodeBB being multilingual that probably implies that the site (or any installation of) needs to at least have this popup option to cover everyone's arse.