Written by Richard van Schaik and Róbin de Wit

Dutch newspapers report that Dutch websites massively violate privacy laws by passing on information about surf and click behavior of visitors to advertising companies, without permission of the visitors involved. Such information is collected through so-called tracking cookies.

Under Dutch cookie law, website operators need to consider the application of article 11.7a Telecommunications Act (Telecommunicatiewet) for the use of cookies, except for those which are “strictly necessary for the provision of an information society service requested by the subscriber or user”. This means that all cookies that are not strictly necessary for the essential operation of the website require prior informed (opt-in) consent. Tracking cookies do not fall under this “strictly necessary” exemption. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise.

Rules on cookie consent are subject to new legislation under which the required opt-in consent may be changed to implied consent. However, because of the privacy sensitivity the this new legislation will not apply to tracking cookies. This means that the required opt-in consent remains unchanged so that even after a legislative change Dutch websites will still be in violation of the Telecommunications Act. Therefore, parliamentary questions are currently asked to the Dutch state secretary of Justice, Fred Teeven.

Although no sanctions have been imposed yet by the Dutch supervisory authority (Authority for Consumers & Markets (“ACM”)), the ACM does acknowledge that not every website complies with Dutch cookie laws. Currently, the ACM is investigating companies that violate the laws so it is likely that the first fine will be imposed soon.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).