Netherlands

[NL] New Dutch Cookie Act comes into effect

IRIS 2015-5:1/29

Youssef Fouad

Institute for Information Law (IViR), University of Amsterdam

On 11 of March 2015, the new Cookie Act came into effect in the Netherlands, amending Article 11.7a of the Dutch Telecommunications act (Telecommunicatiewet) (see IRIS 2014-10/28 and IRIS 2012-7/32). The act governs access to and storage of information on a terminal of an end-user via an electronic communications network.

The new Cookie Act has interesting implications for the consent requirement regarding certain types of cookies that can be deemed non-privacy invasive. The previous law already exempted functional cookies, which are technically indispensable in order to provide a requested service to an end-user, from the consent requirement. Under the new act, the consent requirement is also excluded for cookies that have little or no impact on the privacy of end-users.

The explanatory memorandum states that analytical cookies, which are solely used to monitor the functioning and use of a website, are excluded from the consent requirement, provided that they have little or no impact on the privacy of an end-user. Under the new Cookie Act, consent is still required for the placing of cookies on the terminals of end-users which are deemed to have a significant impact on the privacy of the end-user. Therefore, consent is still required for the placing of tracking-cookies, which monitor and profile the individual online behaviour of an end-user.

The amendment also provides that access to websites run by public bodies cannot be made dependent on a user consenting to privacy-invasive cookies. The explanatory memorandum states that a “cookiewall” can be deemed to comply with the law, unless end-users are dependent on the information which is disseminated by the website.

Furthermore, it is important to note that, in spite of the name, the Cookie Act’s application is not limited to the placing of cookies on end-users’ terminals by websites. The law applies to any type of technique used that enables the storage on or access to a terminal of an end-user. This means that the law also applies to malware, spyware, botnets, device fingerprinting, java-scripts and pixel tags. Terminals of end-user are not limited to computers, but also include devices such as smartphones, tablets and smart-TVs.

Lastly, the Dutch authority for consumers and markets (Autoriteit Consument en Markt - ACM), which enforces the Cookie Act, has stated that they will do so proactively. Various websites in the Netherlands have already been notified by ACM of possible enforcement actions. Websites that do not comply with the new cookie law risk facing administrative fines of up to EUR 450 000.