On 3 June, Italy’s data protection authority, the Garante, published a general decision on user notice and consent requirements when an organization uses cookies as part of its online services. The decision outlines specific categories of cookies based on their intended uses and the roles played by the entities placing those cookies, and highlights different levels of notice and consent requirements for each. The decision also offers guidelines for providing users with adequate notice through a two-layer privacy notice and outlines the consequences of failing to comply with Italy’s rules on cookies.