Art 5 (3), Privacy and Electronic Communications Directive 2002/58/EC wrote:Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information[/b] in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. ([a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML"]Source[/a])
Recital 66, Directive 2009/136/EC wrote:It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. ... Where it is technically possible and effective, [...] the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. ([a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:en:HTML"]Source[/a])
I'm not sure that statement from the ICO is particularly dramatic. All it is saying is that consent can be implied (presumably by conduct). But that doesn't mean that implied consent is sufficient - by my reading of the Directive, what is important is the right to refuse the processing, and the clear and comprehensive information about what is happening. Consent alone (either implied or express) isn't enough, you need informed consent. It may not be enough to know that cookies are used, but also what they do, how they work etc.
Not that it really matters for most sites, as I don't imagine the ICO will be going after everyone for non-compliance.
As for the ICO changing their position at the last moment (if they have), that's just silly. this Directive was passed in December 2009 - it's not like it's crept up on anyone...