Dutch Data Protection Authority’s (AP) Campaign on Cookie Privacy Risks

Introduction

On December 16, 2024, the Dutch Data Protection Authority (AP) launched a two-week public campaign to raise awareness about the privacy risks associated with cookies. This campaign emphasizes the responsibilities of organizations regarding cookie compliance. Key topics covered in the campaign include cookie policy, cookie wall, and cookie banners.

Cookie Policy

I. Significance of Cookie Policy

Many organizations place small files, which are known as cookies, on the devices of their website or app visitors. Some cookies are necessary for a website or app to function properly, while others are used to track visitors' online behavior. Cookies are useful for organizations because they indicate the interests and preferences of website or app visitors; however, they can also affect the privacy of these visitors. Therefore, organizations need to ensure that they develop a comprehensive cookie policy for the visitors to their website or app. By being clear about the use of cookies, organizations can gain the trust of their visitors.

II. Reviewing Cookie Policy

As suggested by the AP, the following questions can help organizations with the review of their cookie policy:

• Are all the cookies collected by your organization essential for the functionality of your organization’s website or app?
• Does your organization really need all the data collected by it through the use of cookies?
• What does your organization want to know about the visitors through the use of cookies, and what is the utility of such knowledge?
• Does your organization use cookies that are likely to pose a high privacy risk?
• Does your organization ask visitors to its website or app for permission to place cookies in the correct manner?
• Does your organization clearly explain to the visitors what types of cookies it uses and for what purpose?
• Does your organization explain to the visitor that it shares their data collected through cookies with third parties, who these third parties are, and why the data is shared with them?
• Does your organization explain to its visitors the period that cookies remain active on the visitors’ computer, phone, or other device?

III. Developing a Comprehensive Cookie Policy

Developing a comprehensive cookie policy requires organizations to at least provide the following information in their cookie policy:

• Types of cookies used: Clearly specify the cookies the organization uses and only use cookies that are necessary for the website or app.
• Type of data collected: Describe the types of data the organization collects about visitors.
• Purpose of data use: Explain how the collected data is utilized by the organization.
• Conducting DPIA: State whether your organization conducts a Data Protection Impact Assessment (DPIA) before processing data that poses a high privacy risk. You can read more about the list of criteria needed to assess whether an organization is obligated to carry out DPIA here.
• Consent: Website operators must ask visitors for permission before placing cookies, except for functional cookies. A cookie banner should clearly explain what data is collected, how, and why.
• Refusal to Cookies: Organizations must ensure visitors can refuse cookies as easily as they can accept them without experiencing any negative consequences. The process for declining cookies should be just as straightforward as granting consent.
• Third-party sharing: Identify any companies or third parties with whom the visitors’ data is shared.
• Retention period: State how long the cookies are stored or remain on visitors’ devices. Organizations should also ensure that visitor data is stored securely and protected from loss or theft during the data retention period.

Cookie Walls

AP provides the following guidance to organizations with respect to the use of cookie walls on their website or app:

• The use of cookie walls is not allowed as per the General Data Protection Regulation (GDPR). This is because cookie walls do not let visitors give valid consent for tracking cookies unless they are offered a reasonable alternative.
• An organization running a website, an app, or any other service is required to ask for permission from its visitors or users before the placement of tracking cookies. Visitors must have the option to refuse tracking cookies—for example, through a clear pop-up or information bar that offers a simple “yes” or “no” choice. In case a visitor refuses cookies, they must still be offered access to the organization’s website or app by providing them with a reasonable alternative.
• If the visitors refuse cookies and they are not provided with a reasonable alternative, such as allowing access to the website by paying a certain amount, on the first layer of the website, visitors do not have a real or free choice.
• Cookie walls that do not allow visitors a reasonable alternative to access the website are prohibited, as refusing cookies in such circumstances is not without negative consequences.
• It is important to note that cookie walls are not just about placing cookies. They also apply to similar technologies that require permission, like JavaScript, Flash cookies, HTML5 local storage, and/or web beacons.

Cookie Banners

I. Significance of Cookie Banners

Cookie banners are used by organizations to explain to their website visitors how and why their personal data is collected using cookies. Upon visiting a website, visitors are often presented with a cookie banner which is also known as cookie notification or cookie pop-up. A cookie banner allows visitors to choose which types of cookies they want to allow or block.

It is also important for organizations not to solicit consent misleadingly via cookie banners. For instance, there should be no pre-selected options on the cookie banner.

II. Creating Clear Cookie Banners

As per the AP’s guidance on cookie banners,  having clear cookie banners allows website visitors to make a well-considered choice about whether or not to grant permission for the placement of cookies on their devices.

A. Obtaining Consent

With regard to obtaining visitors’ consent before processing their personal data through the use of cookies, organizations need to adhere to the following:

• Obtain the consent of your website visitors before placing cookies on their devices.
• Your website visitors must actively give consent by clicking an option. Consent cannot be assumed just because someone visits your website.
• You must be clear to website visitors that you are asking for their consent with the cookie banner.
• Your website visitors must be able to grant their consent in a free, specific, informed and unambiguous manner. Unambiguous means that it is very clear that someone has given consent.
• Your website visitors must have a neutral choice, with no one option being emphasized over another.
• Your website visitors should be able to withdraw their consent just as easily as they provided their consent.
• You must properly inform your website visitors about how you use cookies and for what purposes.

It is important to note that processing personal data via cookies is almost always based on consent, except for the use of functional and limited analytical cookies, which may use legitimate interest as a legal basis for processing personal data.

B. Important Aspects of Cookie Banner

The AP highlights the following nine aspects that need to be considered in order to create a clear cookie banner:

• Provide information about the purpose: Organizations should provide their website visitor with clear and complete information that is necessary for them to make a well-considered choice. For example, it is important for an organization to be clear about why it uses cookies and for what purpose.
• Avoid pre-checked boxes: Organizations should avoid pre-checking the checkboxes in their cookie banner. Checking the boxes on behalf of visitors does not count as consent.
• Use simple and clear language: Organizations should use clear words like 'accept', 'agree', or 'refuse' on their cookie banner buttons. This helps visitors clearly understand that they are giving permission or making a choice.
• Present all choices on one layer: Organizations should place the 'accept' and 'refuse' buttons on the same level, so visitors do not need to click through extra steps to refuse cookies.
• Do not hide certain choices: Organizations should ensure that the button to refuse cookies is clearly visible. For example, visitors should not be required to unnecessarily scroll just to refuse cookies.
• Do not require extra clicks: Organizations should make sure that refusing cookies is as easy as accepting them. For example, visitors should not be asked to confirm again if they want to refuse cookies.
• Avoid hidden or inconspicuous links: Organizations should ensure that the option to refuse cookies is as visible as the option to accept them. They should avoid hiding the refusal option as a link within the text, making visitors search for it unnecessarily.
• Clarify how to withdraw consent: Organizations should clearly explain how visitors can withdraw their consent.
• Differentiate consent from legitimate interest: As mentioned earlier, only functional and certain analytical cookies can be used based on legitimate interest to process personal data. Consent is not required to set or read such cookies. Though consent is not required to set these cookies, organizations are still required to provide clear information to visitors about the way personal data is processed for the purposes of these functional and analytical cookies.

Conclusion

Tracking cookies allows organizations to monitor website visitors’ behaviour on the internet. Since what people do on the internet is very personal to them, monitoring their behaviour on the internet requires their explicit consent. AP’s guidance on the topics of cookie policy, cookie wall, and cookie banners prove vital for the organization collecting personal data of their website visitors through cookies. Adhering to AP’s guidance on the aforementioned topics will allow organizations to comply with the legal requirements and to stay away from using misleading ways to obtain consent for cookies.