How to Comply with The Dutch DPA’s Cookie Consent Guidelines


In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. 

 A total of 175 websites in the Netherlands were surveyed by the Dutch DPA, Autoriteit Persoonsgegevens (AP), before the publication of the cookie guidelines, and 50% of those audited were found to be non-compliant with GDPR cookie consent requirements.

Interestingly, the investigation also found that all e-commerce platforms assessed did not obtain valid consent from their users for the deployment of cookies on their websites. 

The Dutch DPA’s cookie guidelines do not come as a surprise since the Netherlands is one of the countries that has maintained strict enforcement of both the GDPR and the EU Cookie Law when it comes to cookie consent compliance. 

What this means is that compliance with the Dutch DPA’s cookie consent guidelines is a crucial investment for website owners because failure to do so will only attract GDPR fines. 

In this article, we take an in-depth look at: 

  • What are website cookies?
  • What types of cookies do I have on my website?
  • What is the ePrivacy Directive, and how does it apply to cookie consent? 
  • The CJEU Ruling in Planet 49 case and GDPR Cookie Consent
  • What is valid GDPR Cookie consent? 
  • What are the Dutch DPA Cookie Guidelines? 
  • How do I Comply with the Dutch DPA Cookie Guidelines? 
  • How to Comply with the Dutch DPA’s Consent Guidelines with Secure Privacy?

What are Cookies? 

When a visitor accesses your website, small files that store data are installed on their devices via their browser. 

For website owners, cookies are essential because they can collect different types of information necessary for the desired functionality of the webpage.

Examples of the categories of personal data collected by cookies include; 

  • How a visitor accessed your website
  • The location of your website visitors
  • Your visitors’ online activity for relevant ad targeting and improving user experiences

What Types of Cookies Do I Have on my Website?

Website cookies fall under three main categories;

  1. Purpose

Strictly necessary cookies – this category of cookies facilitates users’ browsing experience on a website and their use of its features. Also known as essential cookies. 

 For instance, the cookies that allow e-commerce stores to keep items in a user’s cart while shopping online are considered essential cookies

While, both the GDPR and the ePrivacy Directive do not require website owners to obtain prior consent for strictly necessary cookies, you must inform users clearly about their purpose and their importance in your cookie notice.

Preference Cookies – The cookies enable a website to recall the choices a user has made previously, such as language preference, or their login details to allow automatic sign in. Also known as functionality cookies.

Statistics cookies – These cookies gather information about a user’s activities on your website such as the kind of pages he/she accessed and the kind of links he/she clicked on. 

The type of personal data collected by statistics cookies cannot be used to identify users. This is because the information is usually aggregated, making it anonymized. 

If these cookies are from third-party service providers, the objective of their use remains the same so long as the information they collect is used exclusively by the website owner. 

Marketing Cookies – Also known as promotional cookies, they capture a user’s online activity to help advertisers deliver more relevant ads or to limit the number of times you see an ad. 

Marketing cookies can share personal data with third-parties or adtech agencies for the purpose of digital marketing.

 Website owners need to be aware that these cookies are persistent and are mainly of third-party provenance.  

  1. Duration 

Session Cookies –  temporary cookies that expire the moment you close the browser. 

Persistent cookies – cookies that are installed in a user’s browser until he/she either deletes them or their browser removes them upon expiration. 

Typically, all persistent cookies have an expiry date written into their code, although this duration varies in some cases. 

  1. Provenance 

First-party cookies – cookies placed in a browser or computer directly by the website a user visits. 

Third-party cookies – refer to cookies placed in a user’s device by a third-party such as an advertiser or an analytics tool. In most cases, they are not stored in website visitors’ devices by the website they are accessing. 

Overall, it is important to be aware that some cookies may not fit neatly into these categories, in addition to the fact that others may qualify for multiple categories.

What is the ePrivacy Directive, and How Does it Apply to Cookie Consent? 

The ePrivacy Directive, commonly referred to as the  EU Cookie Law, is considered the pioneer data protection regulation in Europe. 

Adopted in 2002, and amended in 2009, the ePrivacy Directive is renowned for introducing the use of cookie consent banners on EU websites.

To obtain valid cookie consent, the EU Cookie Law requires you to ensure it is;

  • Freely given
  • Specific 
  • Indicates a clear indication of your user’s wishes

The only exception you do not need to rely on the ePrivacy Directive’s cookie consent requirements is when; 

You access personal information for strictly necessary purposes such as providing  Electronic Communications Services (ECSs) or Information Society Services(ISSs). 

It is important to note that the Dutch DPA, Autoriteit Persoonsgegevens, is one of the national Data Protection Authorities in Europe that has consistently applied the ePrivacy Directive in its local cookie compliance enforcement actions. 

This is unlike, for example, the German DSK, which relied on the German Telemedia Act (Telemediengesetz) to enforce cookie compliance in Germany. The reason for this is that the German DSK deemed the EU Cookie Law’s provisions to be already covered by the Telemediengesetz (TMG). 

The CJEU Ruling in the Planet 49 Case and GDPR Cookie Consent

In a case involving a German company, Planet 49, the European Union’s Court of Justice (CJEU) ruled that website owners must obtain valid consent before deploying non-essential cookies. 

Some of the practices that were considered a non-compliant way of obtaining consent from users under both the ePrivacy Directive and the GDPR include;

  • Using pre-checked consent boxes
  • Using silence or inactivity to signal cookie consent
  • Relying on a users’ activity of ‘scrolling down’ a website as an indication of cookie consent 

Check out the key takeaways from the CJEU’s ruling in the Planet 49 case here; https://secureprivacy.ai/how-to-obtain-gdpr-cookie-consent-after-cjeu-cookie-ruling/ 

What is Valid GDPR Cookie Consent?

According to the latest EDPB  cookie consent guidelines, valid GDPR cookie consent is obtained from the user only when it is; 

  • Informed
  • Unambiguous 
  • Freely given
  • Specific
  • Easily withdrawn

To learn more about the specific elements of GDPR-compliant cookie consent, read our blog on the latest EDPB Cookie Consent Guidelines.

You can also watch our video on EDPB Cookie Consent Guidelines here: https://www.youtube.com/watch?v=cHJ3ohj-hVk 

What are the Dutch DPA’s Cookie Guidelines? 

According to the Autoriteit Persoonsgegevens (AP), you must; 

  1. Ensure your website remains accessible if a user does not provide cookie consent

In line with the CJEU’s Planet 49 ruling, the Dutch DPA requires you to allow users to access content on your website even after they deny you consent to place tracking cookies on their devices. 

This requirement follows the Dutch DPA’s investigation of websites in the Netherlands, which revealed that some websites denied users access to pages they wanted to visit if they did not give consent which violates the ePrivacy Directive and GDPR’s cookie consent requirements. 

  1. Obtain Prior Consent Before Deploying Non-Essential Cookies 

To comply with the GDPR, you are required to provide a legal basis to process personal data. Therefore, the Dutch DPA requires you to obtain prior consent from users to process their personal information to satisfy GDPR consent requirements. 

According to the Autoriteit Persoonsgegevens (AP), obtaining prior consent guarantees your website visitors that you will protect their personal data adequately in line with the requirements of EU’s data protection laws. 

  1. Avoid using ‘Cookie Walls’ and Give Users Control over their Consent Choices

If you use ‘cookie walls’ on your website, you will be considered non-compliant with the Dutch DPA’s cookie consent guidelines because you denied users free choice over whether to give or deny consent to your use of non-essential cookies. 

A ‘cookie wall’ refers to the mechanism of denying users access to your website content if they do not provide consent to the installation of all cookies and trackers being used by a website. Essentially, it denies users a chance to reject the placement of cookies in their devices. 

How do I Comply with the Dutch DPA’s Cookie Consent Guidelines?

To comply with the Dutch DPA’s consent guidelines, the points consider are;

  • Do you have a GDPR compliant cookie consent banner on your website?
  • Does your cookie consent banner collect and store logs of valid consent from users in real-time?
  • Do you allow your visitors to decline cookies through a clear opt-out mechanism?
  • Does your cookie banner solution restrict the deployment of cookies, until you have received prior consent from your users?
  • Do you give users full information about all cookies on your website,  their purpose; and lifetime in your cookie notice?
  • Does your cookie policy have a comprehensive list of all third-party data processors who receive data about your visitors?

How to Comply with the Dutch DPA’s Consent Guidelines with Secure Privacy

Secure Privacy’s GDPR compliance solution is packed with enterprise-level features such as; 

  • Advanced  ongoing website scanning with our unique GDPR cookie scanner that helps you detect all cookies and trackers on your website, and blocks the deployment of third-party cookies until consent is given 
  • Cross-domain consent to help you manage your data subject’s cookie consent preferences in a single step across multiple domains
  • Highly customizable and stylish GDPR cookie consent banners that allow your users to opt-in, or withdraw their cookie consent easily, as well as manage their preferences
  • A privacy policy generator that allows you to develop a customized cookie notice for your company automatically.
  • Logs and consents tracking in real-time to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs) 
  • Multiple language support with 70+ languages, which allows you to customize your cookie consent banner in the language of your target users
  • Future-proof cookie consent compliance solution that supports California’s CCPA, Brazil’s  LGPD alongside other upcoming data privacy regulations globally.

Book a 30-min call today and get a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy from a data privacy expert.

Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.

Check out the other Cookie Consent Guidelines from other European Data Protection Authorities that you may need to comply with as well; 

Tagged under: