In perhaps the best proof of how confusing the directive is, the European Commission website serves several cookies to visitors without first asking for permission. The Europa.eu website serves a couple of session cookies which expire when the browser is closed, but it also serves a couple of persistent cookies related to an “exit survey” – even if you do not see a survey or click on a link to it.
The website is clearly compliant with the 2003 Privacy and Electronic Communications Directive, which required a privacy notice to explain that cookies were used, but in 2003 prior consent was not required – only information. Since the Directive was updated in 2009, all visitors to a website are supposed to be told how to stop cookies. In fact, under the European Commission’s own rules, cookies are not supposed to be served until consent has been given.
What is confusing is that some cookies are exempt from the requirement for permission (such as essential session cookies), but persistent cookies that are non essential would fall outside this scope.
I also checked the websites of a number of European institutions this morning to see if other countries had been implementing the draconian measures. A look at www.financas.pt, bbva.fr, santander.es, ing.nl and several others all revealed no such cookie notices clear on the home page.
You can read more here about how to comply.