The law actually only applies if you are incorporated in the EU I believe, so US sites should be fine (there would be no way to enforce the law otherwise).
Also, in terms of punishing sites, the governing body that issues the law is implemented at a country-specific level, not at an EU-level (they just give guidance on what it should be), so the actual implementation is down to wherever you are based.
That means that actually as a US-based company you would be exempt from having to put a cookie warning up, although complying with it would be 'nice', but not mandatory.
Finally, although everyone is scrambling to put something on their sites to comply and to have a policy, sites that will most likely get fined will be 'sample cases' to set precedent or set an example, but overall this will be very hard to enforce, particularly considering the definitions are so wishy-washy (for example, Google Analytics isn't counted as infringing and if you have cookie-based authentication that is 'required' for operation of the site then again it is exempt).
So unless you are doing some heavy-duty tracking you should be complying just by having a policy on your site.
But, I'm not a lawyer so please don't take the above as gospel (covering my butt) ;-)