Disclaimer: I’m not a legal expert and this is just some thoughts on the matter that I hope will be useful, it’s not intended as legal advice.
UPDATE: skip to the bottom of this post for the latest!
There may also be cookies issued by 3rd parties such as plugin providers and other software or services used within the site such as commenting/analytics services.
It’ll be interesting to see how the EU WordPress community responds to the legislation: it’s likely that a best practice will emerge over the coming months if the law looks like it’s actually anywhere near enforceable anyway.
I know that’s not a 100% comprehensive answer, but hopefully it’s useful as a reference. Please do sound off in the comments with any thoughts, advice or resources – thanks!
UPDATE 2: This is the best bit of advice I’ve seen – it’s a plugin that points out that the DMCS (the department that oversees this issue) doesn’t have a pop-up, just a policy (and their policy is here). So, until they introduce a pop-up, then I’d say you’re safe with a policy only, but again this is not authoritative, just a discussion of the situation.