Given a Web Site which uses cookies for the following:
what explicit permissions would be required from the user?
Here I anticipate the cookies would be set from JavaScript, so no identification of the user would be required. I know that cookies are sent to the server.
Not all cookies require consent.
The current answers are in WP 29 Opinion 04/2012 on Cookie Consent Exemption - 00879/12/EN WP 194.
This WP29 Opinion is based upon Directive 2002/58/EC ("ePrivacy Directive"), and not GDPR, which is current law for this matter until other guidelines are adopted pursuant to GDPR or until the awaited "ePrivacy Regulation" is finally adopted.
1. General rules
This Opinion states 2 critera for cookie consent exemption:
(...) exempted from the requirement of informed consent, if they satisfy one of the following criteria:
CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
2. User preferences
The first two types of cookies would be, as I understand, for the purpose of remembering user preference in how it interacts with the Website. Such types of cookies can fall under criterion B, under certain conditions.
Section 3.6 "UI customization cookies" explains the conditions that such type of cookies have to meet so that the consent exemption can apply, in particular:
User interface customization cookies are used to store a user’s preference regarding a service across web pages and not linked to other persistent identifiers such as a username. They are only set if the user has explicitly requested the service to remember a certain piece of information, for example, by clicking on a button or ticking a box. They may be session cookies or have a lifespan counted in weeks or months, depending on their purpose.
(...)
These customization functionalities are thus explicitly enabled by the user of an information society service (e.g. by clicking on button or ticking a box) although in the absence of additional information the intention of the user could not be interpreted as a preference to remember that choice for longer than a browser session (or no more than a few additional hours). As such only session (or short term) cookies storing such information are exempted (...). The addition of additional information in a prominent location (e.g. “uses cookies” written next to the flag) would constitute sufficient information for valid consent to remember the user’s preference for a longer duration, negating the requirement to apply an exemption in this case
If you need to request consent, then WP 29 Working Document 02/2013 providing guidance on obtaining consent for cookies - 1676/13/EN WP 208 contains guidance.
3. Cookie Preference cookie
The last type of cookie you mention, being the Cookie Preference cookie, would be, as I understand, only used as a purely technical mean to store and retrieve (transmit) the user's explicit choices preferences, and would most probably fall clearly under criterion A and/or B.
