The recent cookie law in the EU (http://www.cookielaw.org/) introduces a challenge for sites which run off Sitecore if the interpretation of the rules is all cookies should be blocked.
Throughout the lifecycle of a Sitecore app, the cms introduces cookies into the users browser – some would be expected eg login / auth cookies however some relate to environment considerations e.g. language.
The image above shows the cookies you would expect from an out the box installation without DMS or OMS running. OMS and DMS make use of cookies for persisting users information – this is stored in the ‘SC_ANALYTICS_GLOBAL_COOKIE’ and ‘SC_ANALYTICS_SESSION_COOKIE’ cookies, both key for Sitecore Analytics to function correctly.
The use of session can be configured at application or page level (http://support.microsoft.com/kb/306996). One thing to note, if you are implementing functionality which relies on session information eg shopping carts, removing the session cookie may be impractical. The cms relies on session working – see the information below about splitting the authoring and presentation servers.
Sitecore introduces a cookie based on the current site name suffixed with #lang. This is used for storing the user’s language selection and is introduced to the browsers cookies during the httpRequestBegin pipeline – initiated by the languageResolver.
For more information on Sitecore Sites see http://sdn.sitecore.net/Articles/Administration/Configuring%20Multiple%20Sites.aspx
To ensure the language cookie isn’t added you can remove the languageResolver from the httpRequestBegin pipeline. NOTE removing the languageResolver is risky! Only do it if you are happy with the following:
- You have one language in use on the site in question and this language is defined on the <site> entry in the <sites> config
- You don’t need to use preview or page editor within the cms. If you do, you need to keep the languageResolver hence you need different configs for the cms and presentation sites – this can be achieved via separating out the cms to be a different application from the front end site.
In my opinion removing the language cookie and session cookie is pretty heavy handed. In the majority of sites both these would be mission critical – that said, if the law is interpreted in certain ways removing them may be the only option.
True Clarity 
Hi Nick
Is the above still correct when the DMS is in place?
I’ve updated the post with a bit more info on DMS / OMS. The solution it was originally based on didn’t make use of analytics.