The UK ICO and the French CNIL both released updated guidance on cookies this summer (see ICO July 3 2019 guidance and CNIL July 23 2019 guidance).
A few key takeaways are:
1. The "cookie" guidance covers more than just cookies. It covers any technology that stores or access information on the user's device.
2. "Strictly Necessary" cookies do not require consent.
3. Other than "Strictly Necessary" cookies, consent is required before any cookies are set on the user's device.
4. Cookie consent cannot be bundled into terms and conditions or a privacy notice.
5. You cannot pre-enable non-essential cookies. This means that when you present a user the option to manage their cookies, non-essential cookies should default to "off".
6. You cannot obtain implied consent via the continued use of a website.
For example, the following cookie pop-up notice on a major US newspaper is likely invalid.
Image by Andrew Magill on Flickr licensed under CC BY 2.0.