Newsflash May 2012
 
The New Dutch Cookie Regime
 
Newsflash.jpg
 

The new Dutch cookie regime will come into effect on 8 June 2012. The rules introduce a stricter regime for most cookies, which is based on informed and explicit consent. It is expected that the new Dutch legislation will be stricter than the implementation of the EU-requirements which has already taken place in most other Member States.

Summary of the new rules

Strong link between cookies and privacy

The new legislation is premised upon a strong link between cookies and data protection/privacy, mainly due to the use of cookies in profiling. The new cookie rules therefore contain various references to the Dutch Data Protection Act. Most notorious is the notion that the use of cookies for commercial, charitable or idealistic purposes is presumed to involve the processing of personal data. This introduces a burden of proof where the website publisher has to prove that the tracking cookie does not process personal data. In practice, this will make it easier for the Dutch Data Protection Authority (College bescherming persoonsgegevens) to supervise the use of cookies (further to the general supervision from the telecom authority OPTA). Please note that this legal presumption only enters into force from 1 January 2013, as opposed to the rest of the cookie regime.

Prior consent

The old cookie rules were based on a right of refusal of cookies, in practice implemented by browser settings that make it possible to refuse cookies. The new rules however, require the user to give consent to the placing and retrieving of cookies. There has been considerable discussion as to how consent can be obtained.

The legislature has made clear that currently, browsers are not capable of producing this consent, leaving it to websites to obtain consent. The Dutch legislator indicated that this could be different with future browsers.

At this moment, it is unclear how consent must be obtained; neither the relevant regulatory bodies, nor the Dutch legislature have provided instructions or guidelines on how consent must be obtained. It is expected that consent can in practice be obtained by a pop-up or splash screen, though other options are also available.

Information requirements

As with the old rules, information on the purposes, placing and removal of cookies should be provided to users. It is generally deemed sufficient to mention this in the privacy policy or general terms of use of a website.

Functional cookies

The exception to the requirements of information and consent is for so-called "functional cookies". If cookies are essential in the process of communication or to provide the user with a requested service, there is no need to obtain informed and explicit consent prior to the placement or access of the cookie. Examples of functional cookies are cookies used to facilitate online payment or cookies used for displaying online content such as videos. Due to the absence of guidelines, it is unclear if so-called analytical cookies, used for monitoring the actions of visitors on a website, will be considered as functional cookies.

...And more

  • Cookies and more: the new rules not only apply to cookies, but also to related techniques, such as device fingerprinting, flash-cookies, and java-scripts, and cover a range of user-devices, such as computer, phones, tablets and (digital) TV's.
  • Jurisdiction: there has been some discussion between the Parliament and the Minister as to what extent the cookie rules apply to foreign websites. The Minister concluded that the cookie rules apply to websites that are aimed at Dutch citizens.
  • ... and more: We are closely involved with the latest national and EU-developments, so we are always able to provide more information in addition to the general information above. Please do not hesitate to contact us.

Upcoming cookie seminar

Much more can be said about the national and international implementation of the new cookie rules for your business. In June, we will host a seminar to talk you through the new cookie regime, the latest national and international developments and give you practical examples of how your website could be adjusted to comply with the new legislation. We will circulate an invitation in the course of this week.

Please also see our website, which provides an overview of the implantation in the various member states and the practical guidelines published by other supervisors.

Should you have any questions, please feel free to contact Gerrit-Jan Zwenne or Berend van der Eijk.
The content of this update is of general interest and is not intended to apply to specific circumstances. The content should not, therefore, be regarded as constituting legal advice and should not be relied on as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.
BIRD & BIRD

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP.

For details of Bird & Bird, our offices, our members, the use of e-mail and regulatory information, please see twobirds.com and, in particular, twobirds.com/english/Legal_Notices.cfm.

The word "partner" is used to refer to a member of Bird & Bird LLP or an employee or consultant, or to a partner, member, director, employee or consultant in any of its affiliated businesses, who has equivalent standing and qualifications. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at our London office address.

All such persons are solicitors, registered foreign lawyers or non-registered European lawyers.