Big companies tend to have stricter cookie policies and tend to stay longer on old technologies (E.g. old IE versions)
On
The EU recently created new legislation that large companies (that tend to be international) have converted their policies to align with the new policies. The law basically made it so companies have to be more forthright about using cookies and require users to explicitly give consent for the site to use cookies.
This link explains the cookie policy in slightly more detail, but essentially what your policy should include is:
Incorporating these things should give you a good start, however you should also read into the policies that other companies are using in order to generate the best one for your company.
In general practice, the law requires that all websites require their visitors to consent for the usage of cookies, generally with a non-intrusive pop-up somewhere on the website allowing the visitor the option to accept them.
For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the visitors intention.
It should be noted that using cookies to measure visitors to your website or for advertising purposes is not allowed. The law does allow an exception for some 'strictly necessary' cookies to be stored without requiring prior consent such as technical cookies (user preferences, session trackers).
Platform for Privacy Preferences (P3P) policies currently are not required under any United States laws, therefore P3P causes some controversy with consumers who are concerned about the release of their personal information and are only able to rely on P3P's protocol to protect their privacy. For a large company, it's probably the better consensus to display the usage of P3P on the website and inform the visitor of its presence.
In terms of other additional policies, EUROPA websites must also follow the commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily.