How to Comply with The Dutch DPA's Cookie Consent Guidelines

Here is a summary of the key information you need to know about the latest Dutch DPA's Cookie Consent Guidelines.

What is the Autoriteit Persoonsgegevens (AP)?

Autoriteit Persoonsgegevens is the Dutch Data Protection Authority. This independent administrative body has been appointed by law in the Netherlands as the supervisory authority for the processing of personal data. The AP is located in The Hague.

What are the Dutch DPA Cookie Guidelines?

In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. 

The Dutch DPA surveyed a total of 175 websites in the Netherlands before the publication of the cookie guidelines, and 50% of those audited were found to be non-compliant with GDPR cookie consent requirements. Learn more about GDPR compliance.

Interestingly, the investigation also found that all e-commerce platforms assessed did not obtain valid consent from their users to deploy cookies on their websites. 

The Dutch DPA’s cookie guidelines do not come as a surprise since the Netherlands is one of the countries that has maintained strict enforcement of both the GDPR and the EU Cookie Law regarding cookie consent compliance. 

This means that compliance with the Dutch DPA’s cookie consent guidelines is a crucial investment for website owners because failure to do so will only attract GDPR fines. 

In this article, we take an in-depth look at: 

• What are website cookies?
• What types of cookies do I have on my website?
• What is the ePrivacy Directive, and how does it apply to cookie consent? 
• The CJEU Ruling in Planet 49 case and GDPR Cookie Consent
• What is valid GDPR Cookie consent? 
• What are the Dutch DPA Cookie Guidelines? 
• How do I Comply with the Dutch DPA Cookie Guidelines? 
• How to Comply with the Dutch DPA’s Consent Guidelines with Secure Privacy?
  

What are Cookies? 

When visitors access your website, small files that store data are installed on their devices via their browser. 

For website owners, cookies are essential because they can collect different types of information necessary for the web page's desired functionality.

Examples of the categories of personal data collected by cookies include; 

• How a visitor accessed your website
• The location of your website visitors
• Your visitors’ online activity for relevant ad targeting and improving user experiences
  

What Types of Cookies Do I Have on my Website?

Website cookies fall under three main categories;

1. Purpose

Strictly necessary cookies – This category facilitates users’ browsing experience on a website and their use of its features. They are also known as essential cookies. 

For instance, the cookies that allow e-commerce stores to keep items in a user’s cart while shopping online are considered essential cookies.

While both the GDPR and the ePrivacy Directive do not require website owners to obtain prior consent for strictly necessary cookies, you must clearly inform users about their purpose and importance in your cookie notice.

Preference Cookies – The cookies enable a website to recall a user's choices previously, such as language preference or their login details to allow automatic sign-in. They are also known as functionality cookies.

Statistics cookies – These cookies gather information about a user’s activities on your website, such as the kind of pages they accessed and the sort of links they clicked on. 

The type of personal data collected by statistics cookies cannot identify users. This is because the information is usually aggregated, making it anonymous. 

If these cookies are from third-party service providers, the objective of their use remains the same so long as the information they collect is used exclusively by the website owner. 

Marketing Cookies – Also known as promotional cookies, they capture a user’s online activity to help advertisers deliver more relevant ads or limit the number of times you see an ad. 

For digital marketing, marketing cookies can share personal data with third parties or adtech agencies. 

 Website owners need to be aware that these cookies are persistent and are mainly of third-party provenance. 

1. Duration 

Session Cookies – temporary cookies that expire the moment you close the browser. 

Persistent cookies – cookies that are installed in a user’s browser until they either delete them or their browser removes them upon expiration. 

Typically, all persistent cookies have an expiry date written into their code, although this duration varies in some cases. 

1. Provenance 

First-party cookies – cookies placed in a browser or computer directly by the website a user visits. 

Third-party cookies – refer to cookies placed in a user’s device by a third-party such as an advertiser or an analytics tool. In most cases, they are not stored in website visitors’ devices by the website they are accessing. 

Overall, it is essential to be aware that some cookies may not fit neatly into these categories, in addition to the fact that others may qualify for multiple categories.

What is the ePrivacy Directive, and How Does it Apply to Cookie Consent? 

The ePrivacy Directive, commonly referred to as the EU Cookie Law, is considered the pioneer data protection regulation in Europe. 

Adopted in 2002 and amended in 2009, the ePrivacy Directive is renowned for introducing cookie consent banners on EU websites.

To obtain valid cookie consent, the EU Cookie Law requires you to ensure it is;

• Freely given
• Specific 
• Indicates a clear indication of your user’s wishes

The only exception you do not need to rely on the ePrivacy Directive’s cookie consent requirements is when; 

You access personal information for strictly necessary purposes such as providing Electronic Communications Services (ECSs) or Information Society Services (ISSs). 

It is important to note that the Dutch DPA, Autoriteit Persoonsgegevens, is one of the national Data Protection Authorities in Europe that has consistently applied the ePrivacy Directive in its local cookie compliance enforcement actions. 

This is unlike, for example, the German DSK, which relied on the German Telemedia Act (Telemediengesetz) to enforce cookie compliance in Germany. The German DSK deemed the EU Cookie Law’s provisions already covered by the Telemediengesetz (TMG). 

As a side note, Germany has enacted a new law that implements the cookie consent requirements of the ePrivacy Directive. The new law combined the Telemedia Act and Communications Act and is called the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia, or TTDSG, which came into effect in December 2021. 

The CJEU Ruling in the Planet 49 Case and GDPR Cookie Consent

In a case involving a German company, Planet 49, the European Union’s Court of Justice (CJEU) ruled that website owners must obtain valid consent before deploying non-essential cookies. 

Some of the practices that were considered a non-compliant way of obtaining consent from users under both the ePrivacy Directive and the GDPR include;

• Using pre-checked consent boxes
• Using silence or inactivity to signal cookie consent
• Relying on a users’ activity of ‘scrolling down’ a website as an indication of cookie consent 

Check out the key takeaways from the CJEU’s ruling in the Planet 49 case here.

What is Valid GDPR Cookie Consent?

According to the latest EDPB cookie consent guidelines, valid GDPR cookie consent is obtained from the user only when it is; 

• Informed
• Unambiguous 
• Freely given
• Specific
• Easily withdrawn

To learn more about the specific elements of GDPR-compliant cookie consent, read our blog on the latest EDPB Cookie Consent Guidelines.

You can also watch our video on EDPB Cookie Consent Guidelines here.

What are the Dutch DPA’s Cookie Guidelines? 

According to the Autoriteit Persoonsgegevens (AP), you must; 

1. Ensure your website remains accessible if a user does not provide cookie consent

In line with the CJEU’s Planet 49 ruling, the Dutch DPA requires you to allow users to access content on your website even after they deny you consent to place tracking cookies on their devices. 

This requirement follows the Dutch DPA’s investigation of websites in the Netherlands, which revealed that some websites denied users access to pages they wanted to visit if they did not consent, violating the ePrivacy Directive and GDPR’s cookie consent requirements. 

2. Obtain Prior Consent Before Deploying Non-Essential Cookies 

To comply with the GDPR, you must provide a legal basis to process personal data. Therefore, the Dutch DPA requires you to obtain prior consent from users to process their personal information to satisfy GDPR consent requirements. 

According to the Autoriteit Persoonsgegevens (AP), obtaining prior consent guarantees your website visitors that you will protect their personal data adequately in line with the EU's data protection laws requirements. 

3. Avoid using ‘Cookie Walls’ and Give Users Control over their Consent Choices

Suppose you use 'cookie walls' on your website. In that case, you will be considered non-compliant with the Dutch DPA’s cookie consent guidelines because you denied users free choice over whether to give or deny consent to your use of non-essential cookies. 

A ‘cookie wall’ refers to the mechanism of denying users access to your website content if they do not provide consent to installing all cookies and trackers being used by a website. Essentially, it denies users a chance to reject the placement of cookies in their devices. 

Dutch DPA Compliant Cookie Banner examples

According to the Dutch DPA cookie guidelines, a cookie wall blocking a user's access to the website without accepting cookies is not compliant.

Pre-ticked boxes (CJEU Cookie Ruling) are not compliant according to the Dutch DPA cookie guidelines.

A compliant cookie banner would have to include the following elements:

• Reject and Accept options (either as buttons or links) that are of the same prominence;
• A link to the comprehensive cookies policy;
• A mechanism to allow users to choose which cookies they consent to.

The following examples would likely be compliant with the Dutch DPA cookie guidelines as they fulfill the criteria mentioned earlier.

See more cookie banner examples.

Checklist for compliance with AP Guidelines

The Dutch DPA cookie guidelines are not comprehensive. It does deal with certain aspects of cookie usage; notably, the invalidity of cookie walls and pre-ticked boxes. However, considering the consent requirements under the GDPR, as well as the Dutch DPA cookie guidelines, if you would like to comply with the cookie consent rules, the points to consider are:

▢ Have a GDPR compliant cookie consent banner on your website

▢ Don’t use cookie walls

▢ Collect consent for each category of processing

▢ Ensure your cookie consent banner collects and stores logs of valid consent from users in real-time

▢ Allow your visitors to decline cookies through an explicit opt-out mechanism

▢ Restrict the placement of cookies until you have received prior consent from your users

▢ Give your users complete information about all cookies on your website, their purpose; and lifetime in your cookie notice

▢ Have a comprehensive list of all third-party data processors who receive data about your visitors

How to Comply with the Dutch DPA’s Consent Guidelines with Secure Privacy

Secure Privacy’s GDPR compliance solution is packed with enterprise-level features such as; 

• Advanced ongoing website scanning with our unique GDPR cookie scanner that helps you detect all cookies and trackers on your website and blocks the deployment of third-party cookies until consent is given 
• Cross-domain consent to help you manage your data subject’s cookie consent preferences in a single step across multiple domains
• Highly customizable and stylish GDPR cookie consent banners that allow your users to opt-in or withdraw their cookie consent easily, as well as manage their preferences
• A privacy policy generator that allows you to develop a customized cookie notice for your company automatically.
  Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.
• Logs and consents tracking in real-time to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs) 
• Multiple language support with 70+ languages, which allows you to customize your cookie consent banner in the language of your target users
• A future-proof cookie consent compliance solution that supports California’s CCPA and Brazil’s LGPD alongside other upcoming data privacy regulations globally.

Book a 30-min call today and get a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy from a data privacy expert.

Relevant Links

Dutch DPA Official Website (Autoriteit Persoonsgegevens)

Dutch DPA Cookie Guidance (available in Dutch)

Check out the other Cookie Consent Guidelines from other European Data Protection Authorities that you may need to comply with as well; 

• Belgian Data Protection Authority (DPA) Cookie Consent Guidance 
• Irish Data Protection Commission (DPC) Cookie Consent Guidance 
• French CNIL Consent Guidelines 
• Spanish AEPD Cookie Guidelines
• GDPR Compliance in Germany
• Swedish Datainspektionenen Consent Guidelines 
• Italian DPA Cookie Guidelines
• Luxembourg DPA Cookie Guidelines
• DSK Germany Cookie Guidelines
• Danish DPA Cookie Guidelines
• Spanish AEPD Cookie Guidelines: The Ultimate Guide
• Czech Cookie Law