Hacker News

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Here's what the UK Regulator says.

It's a bit unfortunate, there was a follow-up to this law that much improved the cookie nagging, but unfortunately it seems to have been stopped in its tracks by lobbyists because of its restrictions on ad tracking.




Following the link from there to https://ico.org.uk/for-organisations/guide-to-pecr/guidance-... you find this paragraph:

""" Are we required to provide information and obtain consent for all cookies?

No – PECR has two exemptions to the cookie rules. Regulation 6(4) states that:

    (4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

    (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

    (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
"""

Strictly necessary includes "Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)". That covers at least one of the Cloudflare cookies directly, and gives a good indication that the other two also qualify.


But the regulator guide is about GDPR. And it's consistent with what I wrote - GDPR law does not require consent for such cookies. So the regulator is ok with no consent.

Apart from GDPR law, there's also separate EU Cookie Legislation which was passed before GDPR. This regulation requires clear user notification (not consent) that cookies are used. As far as I know (but I might be wrong, I don't follow it) this law is still in place and GDPR did not replace it. So that means you still need a cookie notification banner (but not with an "I accept" button but with "I understand").


No that's not true, look at article 5(3) of the directive, it exempts strictly necessary cookies as well (it doesn't reference cookies in particular but applies to all kinds of storage technologies instead): https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...


I am not sure what exactly you mean is not true. But in fact the article you linked talks about pre-GDPR cookie consent. So it kind of contradicts what I said. But in practice to gather such consent it was allowed to say "if you don't consent, please disable cookies in your browser" and that's what I meant about the "I understand" button. Regarding the exemption from this notification, I am not sure if CF cookies should be considered as strictly necessary.


> But the regulator guide is about GDPR.

The linked URL literally says "Guide to PECR." PECR is the cookie law you're referring to. It is not a guide to GDPR.



