Privacy & Cybersecurity Law Blog

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

According to the Statement, the Dutch DPA recently carried out a check of 175 websites and e-commerce platforms to determine whether they met the requirements regarding the use of cookies. Following the investigation, the Dutch DPA found that almost half of the websites that used tracking cookies and almost all e-commerce platforms did not meet the rules regarding cookie consent. The companies responsible for those websites and e-commerce platforms received a letter from the Dutch DPA calling on them to adjust their cookie consent practices. The Dutch DPA further indicated that an investigation would start following that letter, to identify whether those companies’ cookie practices had been brought back into compliance.

In the Statement, the Dutch DPA recalls that pre-ticked check boxes are no longer valid to collect users’ consent to the use of cookies. Similarly, silence, inactivity or scrolling down the website is not sufficient to constitute valid consent. To support its argument, the Dutch DPA references the judgment of the Court of Justice of the European Union (“CJEU”) in the Planet49 case. In its judgment, the CJEU held that consent for cookies cannot be lawfully established through the use of pre-ticked boxes.

Furthermore, the Dutch DPA also recalls that cookie walls that prevent users who do not consent from accessing the website or the app are unlawful and that tracking cookies, which allow companies to track individuals, require users’ prior consent.

Read the Dutch DPA Statement (in Dutch).