An Overview of Netherlands’ Updated Guidelines for Online Consumer Protection

By Securiti Research Team
Published December 13, 2022 / Updated July 24, 2023

In November 2022, the Netherlands Authority for Consumers and Markets (ACM) updated its Guidelines on Online Consumer Protection, originally published in 2020 (Guidelines).

The updated Guidelines offer key insights into how deception in an online environment must be prevented and serve as a useful tool for entities involved in the design of online environments and the online sale of products to consumers.

These Guidelines are useful for internally and externally hired marketers, UX designers, compliance officers, legal advisors, and managers who make decisions about targets and incentives in a digital setting.

The Guidelines are formulated based on principles outlined in Netherlands’ consumer protection law, specifically the Unfair Commercial Practices Rules, and specify the legal framework applicable to common digital influence techniques. Therefore, the Guidelines are not exhaustive in nature and are only meant to serve as a guiding resource for businesses operating in the digital environment.

The Guidelines highlight the principles to be followed by business entities while designing their online platforms so they may enable their consumers to make informed and deliberate choices with respect to the use of their personal data.

Providing Accurate Information to Consumers

Businesses should provide correct and complete information about their products to consumers in a timely and prominent manner, taking into account appropriate colors and fonts for displaying information.

User transparency will help consumers make informed decisions with respect to the processing of their personal data. Any information provided to the users should be easy to comprehend and provided through a proper channel.

The use of dark patterns is illegal. Dark patterns refer to tricks and techniques that can influence or manipulate a user’s choice. These are design interfaces that trick a consumer into making a purchase of a product or giving consent for the processing of their personal data.

It is useful to provide information in layers in a privacy notice or a cookie banner, with significant information being presented on the first layer. The information layers should be interlinked so users can easily access the second layer for detailed information.

Any useful information should not be hidden in a platform’s terms and conditions. If any information is required to be specified in the platform’s terms and conditions, the terms and conditions should:

  • be user-friendly;
  • be clear and understandable;
  • be available to the consumers for perusal before making a purchase;
  • not contain any unreasonable provision;
  • not constitute the core of the offer itself, such as the price, quantity or color of the product; and
  • be interpreted in a manner that is most favorable to the consumer.

In addition, consumers should be informed in a timely manner of how their personal data is being treated, that is, whether it is sold or shared with third parties, or if it is used to determine or personalize prices or marketing communications.

If a website uses cookies or similar tracking technologies, the website operator should clearly inform users, on the first page of the website, what personal information is collected about them via such technologies, the means of collecting their personal information, and how their personal information is utilized.

This can be done with the help of adequate cookie consent banners. ‘Accept’ and ‘Reject’ options should be equally prominent on cookie consent banners so that consumers are not misguided due to design choices.

Personalizing Online Offers and Online Advertising

The processing of personal data for the purposes of personalizing online offers or targeted advertisements must be done as per the consent requirements of the GDPR. While using personal data for the purposes of personalizing online offers or targeted advertisements, businesses must clearly convey due information to their consumers regarding the collection and use of their personal data. Consumers should also be provided with an option to easily turn off personalization or the use of their data for online advertising purposes.

It is important to note that in the Netherlands, digital platforms shall be required to comply with the provisions of the European Union’s Digital Services Act (EU DSA) from 2024. In this respect, they would be required to explain the means and criteria of making personalized recommendations to consumers and provide them with the ability to opt in to non-personalized recommendations on very large platforms.

The EU DSA will also prohibit businesses from running targeted advertisements based on sensitive personal data, such as sexual orientation, or targeted advertisements to minors.

Digital Default Settings

Businesses should ensure that their digital platforms adhere to the principles of fairness-by-design and fairness-by-default. This means that the design of platforms must allow users to make free, informed and fair choices.

Similarly, businesses must ensure that default settings on their websites or apps benefit consumers. To ensure that consumers are provided with the strictest privacy settings by default, businesses must allow consumers to provide their consent for every purchase by default. This means that consent checkboxes must not be preselected by default. Similarly, subscriptions must not be automatically renewed at the end of a term.

Consumers should also be able to change default settings easily without taking any unnecessary steps. Moreover, consumers should be able to opt out once their consent has been granted for any option/facility, with the help of easily accessible opt-out mechanisms.

Canceling Agreements Online

Businesses should facilitate consumers in canceling any subscription, membership, or other agreement they have entered into with the business. Hindering consumers from doing so constitutes an unfair commercial practice and, thus, is a legal violation.

Consumers should be provided with conspicuous information on how they can cancel a particular contract before they enter into it. The process of canceling a contract should be as easy as, and designed in the same manner as, the process of entering into it, and should not require any additional or unnecessary steps from the consumers.

Preventing Deception with Automatic Click Behavior

Businesses operating in digital environments should design their platforms in a way that helps prevent the deception of consumers. For this purpose, the following measures should be adopted:

  • buttons, drop-down menus and click sequences should be presented in a logical and neutral way;
  • icons, colors, texts and images on the website should be presented in a customary manner so consumers do not make unwanted choices due to automation;
  • at the end of the ordering process, a clear button should be presented in a logical place showing that the consumer is ordering something;
  • consumers should not be automatically steered towards a choice that is beneficial to the business, such as by using a prominent button for ‘Yes’ to capture the consumer’s consent and a less prominent button for ‘No’; and
  • the click sequence should not be changed unexpectedly as a consumer is inclined to instinctively click through in the same manner.

Enhancing Safety for Minors in In-Game Sales

The Guidelines advise limiting the use of influencing tactics and dark patterns directed at minors. In this respect, special consideration should be given to the use of loot boxes and digital currencies (found, for instance, in games and other online platforms).

The relationship between digital currencies and actual money is obscured. In apps and games, they also go by other names and values, due to which customers may become confused and spend money they otherwise would not have. Moreover, as the contents of each unique loot box remain a mystery to the players, their use closely mimics gambling and can lead to addiction.

Consequently, businesses must ensure that their marketing practices do not include elements that negatively target or influence minors. Further, additional thresholds should be set up in games played by children so they cannot make purchases without their parental authority's permission.

The ACM strictly assesses selling techniques employed by digital platforms when directed at children under 18, as children are more susceptible to consumer deception.

In a Nutshell

The Guidelines provide a comprehensive overview of the practices that businesses operating in the digital sphere should employ to comply with the legal framework applicable to consumer protection and personal data protection.

It is also significant to highlight that new rules will come into force from 2024 under the EU DSA, which will prohibit online platforms from using ‘dark patterns,’ that is, techniques that interfere with or limit the consumers' ability to make free and informed choices.

How Can Securiti Help?

The ACM encourages user transparency to ensure individuals retain control over their personal data and the choices they make on digital platforms. Website designs or user interface designs that mislead users or manipulate their choices should be avoided in all circumstances. Any information must be provided clearly and comprehensively, and users should also have the opportunity to withdraw their consent once granted at any time without facing any adverse consequences.

Our experts at Securiti continue to closely monitor legal developments in relation to consent, the use of cookies and online marketing. Securiti’s Consent Management Solution helps organizations obtain consent as per the applicable legal requirements.

Request a DEMO today to understand how you can ensure legal compliance.
