No.
As the main rule, article 11.7a Dutch Telecommunications Act (Telecommunicatiewet, Tw) provides that consent is required to store cookies and similar technologies on a device.
Yes.
Yes. Some cookies are exempt from requiring consent to place them. Namely, cookies:
Some analytics cookies may be placed automatically. Advertising and social media cookies may, however, only be placed after prior consent. Analytics cookies fall under exemption 3, mentioned above, insofar they have little or no impact on the privacy of an individual.
No.
GDPR grade consent is required, i.e. consent must be specific, freely given, unambiguous and provided before cookies are placed. In their cookie guidance, the AP points out the following: – Consent must be given prior to the placement of cookies. Any buttons/ boxes must be unticked by default. A clear positive action is necessary to express consent. – It should be clear for visitors what they are consenting to. – Visitors should be able to withdraw consent as easily as it was given.
Please note that you must be able to prove that visitors have actually given consent for cookies to be placed.
No.
The user must consent in an informed manner i.e. they must have access to clear and complete information on what they consent to. At least the following information must be provided to users:
For the sake of completeness, we note that a separate cookie notice is not required; the information can for example also be included in the privacy notice, or the second layer of a cookie banner. Also note that, even if all cookies are exempted, the AP still advises to observe transparency and provide notice of the use of cookies.
No.
The cookie banner must provide at least:
The cookie banner normally also describes the information included in the cookie notice in a concise manner, including specific hyperlinks to the relevant documents/ pages where more detailed information is set out. In its cookie guidance, the AP describes that the first layer of the cookie banner should in any case include who processes the personal data and for what purpose(s). Other information may be included on a second (or subsequent) layer. The AP further provides nine rules of thumb (illustrated with specific examples) for designing cookie banners: 1. Provide information about the purpose; 2. Do not automatically check checkboxes; 3. Use clear text; 4. Place different choices (e.g. accept and reject) on a single layer; 5. Do not hide certain choices; 6. Do not require unnecessary clicks (for rejection); 7. Do not use an inconspicuous link in the text; 8. Be clear about withdrawing consent; 9.Do not confuse consent with legitimate interest.
No.
The DPA has stated in its guidance that valid consent cannot be obtained if a cookie wall is used.
Yes. In the Netherlands, the Authority Consumer and Market (Autoriteit Consument en Markt, ACM) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) supervise compliance with the cookie rules. The main regulator is the ACM.
Insofar the cookies are used to process personal data, the AP is also competent.
There has been active enforcement of the cookie rules by ACM and the AP in the past, notably between 2013-2015, where ACM sent numerous warning letters to organisations that were non-compliant. In a handful of cases this resulted in actual formal proceedings.
Between 2017 and 2019 there was little active enforcement, but the AP has recently become increasingly active in the cookie space. In 2019, the AP initiated investigations relating to tracking cookies and cookie walls and announced intensified monitoring of these spaces in the future. To date and to our knowledge, the ACM has not been too involved in this. From 2024 onwards the AP will receive additional budget for its supervisory activities related to cookies and online tracking. The additional annual budget for 2024, 2025 and 2026 is EUR 500.000. At the beginning of 2024, the AP published their cookie guidance and announced that it will increase its monitoring of the placement of tracking cookies.
None that we are aware of.
Recent enforcement activities of data protection authorities reflect a shift in attitudes towards cookies. Most notably, the Belgian DPA rendered a decision entailing that the Transparency and Consent Framework (TCF) is not GDPR compliant. Following the Belgian DPA’s ruling, the AP advised companies to stop using the TCF immediately. The AP has refrained from commenting on whether it will initiate enforcement against websites that continue to use the TCF.
Further, after the Schrems II decision several European DPAs found that the use of Google Analytics was not compatible with the GDPR as a result of (unlawful) data transfers to the United States. The Dutch DPA also investigated Google Analytics and previously announced that it would render its decision on the legality of its use in 2022, but no decision has been published as of yet. With the adoption of the EU-US Data Privacy Framework Adequacy Decision on 10 July 2023, the data protection concerns regarding the use of Google Analytics (considering its data transfers to the US) seem to be alleviated.
Moreover, from 2024 onwards the AP receives additional budget for its supervisory activities related to cookies and online tracking. The additional annual budget for 2024, 2025 and 2026 is EUR 500.000. The AP intends to utilize this budget for investigations and enforcement activities as well as for the publication of guidance and the development of tools to facilitate investigations. At the beginning of 2024, the AP published their cookie guidance and announced that it will increase its monitoring of the placement of tracking cookies.
