Common Sense and Opt-In: http://weblogs.asp.net/erobillard/archive/2003/05/08/6680.aspx
Eight years ago I wrote a brief piece on cookie management proposing that preferences be remembered by default with an opt-out option. The part that got the most feedback was this:
"The act of remembering preferences in the form of cookies is not gathering information on surfing habits. If the issue is the perception of privacy, then educate your users about cookies. If you care about privacy, provide a button to delete cookies previously stored by your site."
Eight years later, these basic principles are reflected in the EU cookie law (http://eucookiedirective.com/) with the notable exception of opt-in vs. opt-out. People should know and care what's being stored on their machines, and as a principle transparency should always win.
The other idea worth a second thought is to make it easy for people to delete their cookies. Give them the ability to say "I'll use the site now, but to give me control over my own privacy, let me delete any cookies when I'm done."
Are these ideas still controversial? Always curious to hear.