The Netherlands

Can you place cookies without consent?

No.

As the main rule, article 11.7a Dutch Telecommunications Act (Telecommunicatiewet, Tw) provides that consent is required to store cookies and similar technologies on a device.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes.

Are there any exemptions if consent is required?

Yes. Some cookies are exempt from requiring consent to place them. Namely, cookies:

  • which are strictly necessary for the provision of an online communication service expressly requested by the user;
  • that aim to allow or facilitate the transmission of communication by electronic means; and
  • which are used to obtain statistics about the quality and efficiency of an online service (such as a website) insofar they have little or no impact on the privacy of an individual.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Some analytics cookies may be placed automatically. Advertising and social media cookies may, however, only be placed after prior consent. Analytics cookies fall under exemption 3, mentioned above, insofar they have little or no impact on the privacy of an individual.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No.

GDPR grade consent is required, i.e. consent must be specific, freely given, unambiguous and provided before cookies are placed. In their cookie guidance, the AP points out the following: – Consent must be given prior to the placement of cookies. Any buttons/ boxes must be unticked by default. A clear positive action is necessary to express consent. – It should be clear for visitors what they are consenting to. – Visitors should be able to withdraw consent as easily as it was given.

Please note that you must be able to prove that visitors have actually given consent for cookies to be placed.

Can you set cookies without a cookie notice? 

No.

The user must consent in an informed manner i.e. they must have access to clear and complete information on what they consent to. At least the following information must be provided to users:

  • categories of cookies and their purpose;
  • duration of the cookie lifespan;
  • categories of personal data processed;
  • categories of companies to which data is provided; and
  • any other further information as necessary in order to give visitors a fair overview of the data processing.

For the sake of completeness, we note that a separate cookie notice is not required; the information can for example also be included in the privacy notice, or the second layer of a cookie banner. Also note that, even if all cookies are exempted, the AP still advises to observe transparency and provide notice of the use of cookies.

Can you set cookies without a cookie banner/ management tool?

No.

The cookie banner must provide at least:

  • the option to ACCEPT/ DECLINE cookies,
  • the option to change certain cookie settings in a granular manner,
  • the option to consult a list of third-parties who will place cookies on the devices of users or have access to their devices; and
  • the information that the user can withdraw given consent at any time.

The cookie banner normally also describes the information included in the cookie notice in a concise manner, including specific hyperlinks to the relevant documents/ pages where more detailed information is set out. In its cookie guidance, the AP describes that the first layer of the cookie banner should in any case include who processes the personal data and for what purpose(s). Other information may be included on a second (or subsequent) layer. The AP further provides nine rules of thumb (illustrated with specific examples) for designing cookie banners: 1. Provide information about the purpose; 2. Do not automatically check checkboxes; 3. Use clear text;  4. Place different choices (e.g. accept and reject) on a single layer; 5. Do not hide certain choices; 6. Do not require unnecessary clicks (for rejection); 7. Do not use an inconspicuous link in the text; 8. Be clear about withdrawing consent; 9.Do not confuse consent with legitimate interest.

Are you able to use cookie walls? 

No.

The DPA has stated in its guidance that valid consent cannot be obtained if a cookie wall is used.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes. In the Netherlands, the Authority Consumer and Market (Autoriteit Consument en Markt, ACM) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens,  AP) supervise compliance with the cookie rules. The main regulator is the ACM.

Insofar the cookies are used to process personal data, the AP is also competent.

There has been active enforcement of the cookie rules by ACM and the AP in the past, notably between 2013-2015, where ACM sent numerous warning letters to organisations that were non-compliant. In a handful of cases this resulted in actual formal proceedings.

Between 2017 and 2019 there was little active enforcement, but the AP has recently become increasingly active in the cookie space. In 2019, the AP initiated investigations relating to tracking cookies and cookie walls and announced intensified monitoring of these spaces in the future. To date and to our knowledge, the ACM has not been too involved in this. From 2024 onwards the AP will receive additional budget for its supervisory activities related to cookies and online tracking. The additional annual budget for 2024, 2025 and 2026 is EUR 500.000. At the beginning of 2024, the AP published their cookie guidance and announced that it will increase its monitoring of the placement of tracking cookies.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Recent enforcement activities of data protection authorities reflect a shift in attitudes towards cookies. Most notably, the Belgian DPA rendered a decision entailing that the Transparency and Consent Framework (TCF) is not GDPR compliant. Following the Belgian DPA’s ruling, the AP advised companies to stop using the TCF immediately. The AP has refrained from commenting on whether it will initiate enforcement against websites that continue to use the TCF.

Further, after the Schrems II decision several European DPAs found that the use of Google Analytics was not compatible with the GDPR as a result of (unlawful) data transfers to the United States. The Dutch DPA also investigated Google Analytics and previously announced that it would render its decision on the legality of its use in 2022, but no decision has been published as of yet. With the adoption of the EU-US Data Privacy Framework Adequacy Decision on 10 July 2023, the data protection concerns regarding the use of Google Analytics (considering its data transfers to the US)  seem to be alleviated.

Moreover, from 2024 onwards the AP receives additional budget for its supervisory activities related to cookies and online tracking. The additional annual budget for 2024, 2025 and 2026 is EUR 500.000. The AP intends to utilize this budget for investigations and enforcement activities as well as for the publication of guidance and the development of tools to facilitate investigations. At the beginning of 2024, the AP published their cookie guidance and announced that it will increase its monitoring of the placement of tracking cookies.