A more flexible cookie legislation came into effect last week. As a result of the amended Dutch Telecommunications Act, prior consent from website visitors is no longer required for analytic cookies. Furthermore, visitors no longer need to be informed about these cookies. However, these developments are subject to the condition that the cookies may have no or only little impact on the privacy of website visitors. We explain exactly what this means below.
New exception for privacy-friendly analytic cookies
Section 11.7a, subsection 3, of the Dutch Telecommunications Act contains a new exception for cookies that are placed or read with the aim of obtaining information about the quality or effectiveness of the service provided (e.g. your website). Examples include analytic cookies. These cookies are used to analyse and map out the use of a website in order to improve its quality and effectiveness. Many companies do this using Google Analytics.
Measures to restrict the privacy impact
You may invoke the new exception only if the cookies have no or only little impact on the privacy of website visitors. For instance, the cookies or the data generated by them may not be used to draw up a profile of website visitors. If that is your aim, the new exception will not apply and website visitors must continue to be informed in advance and their consent obtained before cookies can be placed on their device.
If you use a third party to analyse, for instance, visitor behaviour (e.g. Google Analytics), you must take steps to protect the privacy of your visitors. You must first agree with this third party that it will use the information collected only for your own website and not for its own purposes. You can do so by concluding a processor’s agreement. The Dutch Data Protection Authority [College bescherming persoonsgegevens] has described in a manual how Google Analytics can be set up in a privacy-friendly manner. If you observe these measures, you will no longer need to inform visitors about Google Analytics or request prior consent.
Consent still required for other cookies
In principle, cookies for other purposes, such as tracking or social media widgets, may be placed only with the prior consent of visitors after they have been informed about the cookies. Tracking cookies require particular consideration because they are subject not only to the Telecommunications Act, but also to the Dutch Personal Data Protection Act [Wet bescherming persoonsgevens].
Enforcement by the ACM
The Netherlands Authority for Consumers and Markets [ACM] has announced that it will be actively enforcing the new regulations and will be calling companies to account if these are violated. The ACM may impose fines of up to EUR 600,000 or 7,5 ‰ of the turnover per violation. This fine was raised in July 2016. In January 2015, the ACM imposed an order subject to a non-compliance penalty on the Netherlands Public Broadcasting association of EUR 25,000 for failing to observe cookie legislation within the required period.