Thank you for your reply, but...
1. AFAIK, we need to inform about the necessity and expiration for any cookie used.
2. The "_sid" session cookie does not need to be persistent but just a session cookie (which is deleted after the session). However, PHPBB writes a persistent cookie instead of a session cookie. The problem: Such cookie could be used for tracking. I wish you good luck to explain to a 60yo judge, that you don't. He will simply ask you "ok, so why is it persistent then?! You can use it for tracking and so you probably do and everything you say is a lame excuse". Bam, say farewell to $10k for a lost case.
It would be really great, if cookie use in PHPBB could be cleaned up to avoid unnecessary documentation, thus unnecessary confusion and/or risk of legal issues.
At least in Germany, it seems to quite a game to sue others for the tiniest infringement of overly formal requirements. The recent highest EU court decision is the best example: The lawsuit debated whether the cookie consent notice itself has to inform about the lifetime of a cookie (it now has to!) and if the cookie consent check box can be checked by default (it must not!).
Such topics make many highly paid adults spending much time and piles of paper in reality. Please help us avoiding it.