What are cookies and when may a website place them?

Cookies are small text files a website stores on your device to recognise you on future visits. Three legally-relevant types. (1) Functional/strictly necessary cookies: needed for the site or service to work — language preference, logged-in session, shopping cart, cookie choice itself. No consent required under Dutch Telecommunications Act Art. 11.7a (implementing the ePrivacy Directive). (2) Statistics/analytics cookies: measure visitor behaviour. Google Analytics, Matomo, etc. Consent required unless "privacy-friendly configured" (IP-masking, no data export to third parties, no cross-linking with other data). (3) Marketing/tracking cookies: Facebook Pixel, Google Ads, TikTok Pixel, retargeting. Explicit consent always required. What must a cookie banner do? Everything off by default (no pre-ticked boxes), Accept and Reject buttons at equal prominence, granular choice per category, withdrawal as easy as giving. "Continue browsing = consent" is illegal since the Planet49 ruling (CJEU 2019). When does the cookie law NOT apply? True server-side anonymisation with no cookie. Or cookies purely for security (anti-fraud during login). Fine: the AP can fine up to €20 million or 4% turnover. Multiple major fines issued 2023-2025 (e.g. Booking.com, TikTok).