What are the Dutch Cookie Rules?

The Autoriteit Persoonsgegevens (Dutch Data Protection Authority) enforces the General Data Protection Regulation (GDPR) in the Netherlands and plays an important role when the provisions in the national laws involve the processing of data. In the context of cookies, the Autoriteit Consument & Markt (Dutch Authority for Consumers and Markets, or ACM) would likely be involved in cases where the use of cookies could impact fair competition or consumer rights.
Businesses must also comply with the Telecommunicatiewet (Dutch Telecommunications Act), which is influenced by European directives. The Act says the storage of or access to information in a user’s device via an electronic communications network (which includes cookies) is only permitted if the user is provided with clear and complete information about the purposes for which this information is used, and the user has given their consent.
This means that businesses must inform users about the cookies they use, what data they collect, how long the cookies are stored, and what they do with this data. Consent must be obtained before the cookies can be activated.
Exceptions to this rule are storage or access that is strictly necessary to provide a service requested by the user or to carry out communication over an electronic communications network.

Who Do the Dutch Cookie Rules Apply To?

It’s important to note that the Dutch cookie rules apply not only to the website owners but also to any third parties that may be placing cookies through the website. Both the website owner and the third party are obligated to provide information to the users. If a user has a complaint about cookies, they should first contact the owner of the website. If a third party is placing these cookies, the user can also approach that third party.
The Dutch cookie regulations apply to any business that operates a website accessible to Dutch users and uses cookies. The rules also cover other types of data being placed on or collected from users’ devices with an Internet connection. If you use cookies not strictly necessary for the functioning of your website, you must obtain explicit consent from your users before these cookies can be activated.

Rules for Obtaining Consent and Processing Data

Processing personal data obtained through tracking technologies must comply with the general requirements of the General Data Protection Regulation (GDPR).
The Dutch law is very specific about what constitutes valid consent. For instance, it is not considered valid if a website states that it assumes your consent if you continue using the site, or if all categories of cookies are pre-ticked by default. Websites cannot deny access if users refuse to accept tracking cookies. This practice, known as a cookie wall, is prohibited under Dutch law.
The cookie notice should be easy to understand and accessible, providing users with a clear understanding of the categories of information to be collected and for what purpose it will be used.

What Do the Dutch Cookie Rules Cover?

The Dutch cookie rules also distinguish between different types of cookies. Functional cookies, which are technically necessary for the website to function properly, do not require consent, but users must be informed about them. These essential cookies, for example, enable users to put items in a shopping cart and proceed to the checkout. However, cookies that improve the user experience on your website but are not necessary to complete a service the customer requested are subject to these rules.
Analytical cookies, which provide insight into the functioning of a website, do not require consent if they are used solely for counting visitors. However, these cookies cannot be used to treat people differently, such as by building a profile of someone. Users must still be informed about these cookies. Tracking cookies, on the other hand, always require consent.

How to Comply with the Dutch Cookie Rules?

To comply with the Dutch cookie rules, businesses should:

Fines for Non-Compliance

If a user has a complaint about tracking cookies and how their personal data is being processed, and the website owner does not respond or the user is not satisfied with the response, the user can file a complaint with the Autoriteit Persoonsgegevens. Non-compliance with the Dutch cookie rules can lead to severe penalties, including written warnings, fines, and other financial penalties, deletion of data collected without consent, restrictions on data sharing with third parties, and even temporary or permanent bans on processing activities.
Furthermore, according to Article 15.4 of the Dutch Telecommunications Act, penalties for violations can reach up to €900,000 or, in certain cases, 1% to 10% of a company’s turnover. If a similar violation has occurred within the previous five years, the maximum fine can be doubled. These fines underscore the seriousness with which the Dutch authorities view breaches of cookie regulations.