Let's consider for a second only standard Moodle 2.2 or newer. It creates only one cookie "MoodleSession" which I would consider "strictly necessary cookie", in line with the "ICC UK Cookie guide" from April 2012:
Generally these cookies will be essential first-party session
cookies, and if persistent or third party, there should be a good
justification for this.
Not all first-party session cookies will fall into the ‘strictly
necessary’ category for the purposes of the legislation. Strictly
necessary cookies will generally be used to store a unique
identifier to manage and identify the user as unique to other
users currently viewing the website, in order to provide a
consistent and accurate service to the user.
Examples include:
• Remembering previous actions (e.g. entered text) when
navigating back to a page in the same session.
• Managing and passing security tokens to different services
within a website to identify the visitor’s status (e.g. logged in
or not)
• To maintain tokens for the implementation of secure areas of
the website
• To route customers to specific versions/applications of a
service, such as might be used during a technical migration
These cookies will not be used
• To gather information that could be used for marketing to
the user.
• To remember customer preferences or user ID’s outside a
single session (unless the user has requested this function).
For this kind of cookies:
User consent is not required for the delivery of those cookies
which are strictly necessary to provide services requested by
the user. However, it is important to give users the opportunity
to understand these cookies and the reasons they are used.
So it seems to me, that standard Moodle is now (after MDL-28158) compliant but provided that some message is given to the user about using "MoodleSesssion" cookie, in a visible way and with simple to understand explanation (I think that current explanation in inline help is good enough).
cheers,
Tomasz Muras
Enovation Solutions