| The recent case against Criteo in the Netherlands has some interesting definitions of cookie types: This case revolves around (third party) tracking cookies. The Dutch Data Protection Authority (AP) defines 2 cookies as follows: “Cookies are small files that a website owner places on a visitor’s device. For example on a computer, laptop, smartphone or tablet. For example, the owner can collect or store information about the website visit or about (the device of) the visitor. Bottom of form There are 3 types of cookies: - functional cookies; - analytical cookies; - tracking cookies.” The AP says about tracking cookies 3 : “If cookies can also be read when you visit another website, we call these tracking cookies. These cookies allow organizations to track people’s internet behavior over time. Tracking cookies make it possible to draw up profiles of people ( profiling ) and treat them differently. Tracking cookies usually process personal data. Personal interests can be derived from the information about visited websites. This allows organizations to, for example, show their website visitors targeted advertisements. (…) Do you process personal data of visitors to your website with tracking cookies? Then you must comply with the rules of the General Data Protection Regulation (GDPR).” https://uitspraken-rechtspraak-nl.translate.goog/?_x_tr_sl=a... |
(It's in dutch, translate at your own liberty, I'll give my own below + the stuff the authority for consumers and the market demands, which is linked from their page.)
Basically of the three cookie types, functional cookies require no consent whatsoever. A cookie to set up a user session (the page uses a shopping cart in a webshop as an example and the details mention things like saved passwords and language choices) is totally fine. The AP still recommends informing the users, but it's not required.
Analytical cookies are permissible insofar that they aren't used to profile the user. You're not required to ask for permission as long as they don't contain any uniquely identifying information. You are required to inform the visitor that you are placing these cookies though.
The final category are tracking cookies. These fall under the full scope of the GDPR; you must ask for consent before placing them, you must tell people how you are collecting their data (cookies, scripts or beacons are listed as examples) and you need to tell people what you do with them.
Pre-checking consent forms in general is expressly forbidden (on the same logic that you can't pre-check people into signing up for physical spam mail or paid subscriptions) and consent must be clearly stated, not hidden in some terms of services page or privacy statement.
Those are all requirements on top of the rights the GDPR (in Dutch called the AVG) grants consumers, although obviously most of this overlaps with the GDPR already.