I have now taken the implied consent approach, with the first page load detecting if the visitor already has a cookie preference set (yes, in a cookie - apparently allowed). If not, then no cookies are set and an unobtrusive message displays asking if they would allow the use of cookies for the site. There are also links to more information. On the second page load of the session, if still no cookie preference is set, then implied consent is taken as the visitor has continued to use the site and not explicitly denied the use of cookies. The facility to explicitly accept or reject is still available. This is done in a specific cookie controller with actions for accept and reject. The extension provides methods that can be checked for cookie usage availability within normal page controllers if other cookies are going to be used for whatever reason.
*edit*
I don't know if implied consent is available in the Netherlands, but the ICO in the UK updated its advice on how the visitor may provide consent for the use of cookies a day or so before the implementation deadline arrived. That followed a grace period of 1 year after the actual introduction of the regulations. The updated advice included the fact that implied consent would be valid as long as it could be demonstrated that it was reasonable. I take the approach that if you provide explicit accept / reject functionality and the visitor chooses to continue using the site without taking either action, then it is reasonable to assume implied consent. You present the information, you have to assume the visitor has read stuff on the page - it isn't hidden away.
*edit*
Obviously alternative approaches for functionality that requires the use of cookies that would be considered non-essential, e.g. affiliate referral tracking etc. would need to be implemented, but that is outside the scope of allowing the visitor to allow the use of cookies (or not).
I have another non SS site where the site owner wanted implied permission to be used from the very first page load, as other large sites (mainly newspapers and broadcasters were doing a similar thing), effectively an opt-out, but without having to mess around with browser settings.
In SS, I am doing the checks etc. in the onBeforeInit method of an extension applied to the ContentController. In the onAfterInit, if cookies are not allowed, then the PastMember cookie (which is set in the Controller init method if the user is logged in and a past member), is overwritten with one that is expired so would be removed from the browser, if required.
If cookies are explicitly denied, then any GA cookies are also removed. The only cookies remaining essential to the site are the site session cookie (which if it wasn't essential before, is now to track the visitor's cookie choices in order to implement implied consent), and the cookie containing the visitor's cookie preference.
I know there are previous posts saying that if the user is registered, then part of the Ts & Cs could include that cookies should be accepted (as that is the visitor's choice to register and therefore they have a free choice to accept or reject the use of cookies), therefore the PastMember cookie doesn't have to be worried about.
I am working on turning this into a module - mainly so I can easily apply it to the SS based sites that I work on - so stuff like the PastMember cookie could be an option, as is the use of implied consent.
So far, the PastMember cookie is the only one that needs to be caught if you are not going to alter the core. For "remember me" functionality, that can be presented, or not, based on cookie preferences by overriding the MemberLoginForm and disabling the option from being presented.
Cheers,
Jason.