Copy/paste from cookiebot website, but it's basically what's needed. Biggest nonsense for me, that site should be usable, even when user declines cookies, it's big BS. What I think if you don't accept cookies, just leave the website, my yard my rules.
Inform your users:
Provide a clear and specific information on the cookies in use on the site, what types of data are processed, for what purpose and where in the world they are sent.
Get prior consent:
Ask for consent before setting cookies. Only strictly necessary cookies may be set prior to the reception of the consent.
Document:
Keep record of all received consents as evidence that the consent has been given.
Protect the data:
Ensure that all personal data is securely stored. Only transmit data to the EU and other
adequate countries.
Give your users a true choice:
Make sure that your users have the possibility to see the cookies, select, accept and reject them. The site must function even though the user has rejected cookies.
Provide the option for your users to change their mind:
Give access for the users to see and change their choice of accepted and rejected cookies on your site. If the user so requests, you must be able to erase their data.
Alert:
In the case of a breach, alert securities and affected users within 72 hours.