Organisations have more clarity on the content and layout of cookie banners but need to check their compliance

Like other European supervisory authorities, the Dutch Data Protection Authority (DPA) has recently provided more clarity on the use of cookies and similar techniques. For example, the Dutch DPA states that a "reject all" button is mandatory when using tracking cookies and clarifies which information must be shown in the first and second layer of a cookie banner.

The Dutch cookie rules apply to all websites of Dutch companies as well as to websites actively targeting the Dutch market. The Dutch DPA furthermore announced it will intensify its oversight of the use of cookies, which will be facilitated by a substantial increase in the Dutch DPA's budget for the coming years.

Intensified supervision

The DPA recently announced that it will crack down on misleading cookie banners in 2024 and intensify its supervision of whether organisations correctly ask consent for placing (tracking) cookies or other tracking software. By intensifying checks on cookie consent, the Dutch DPA aims to protect individuals' privacy rights and ensure organisations comply with legal requirements on cookies.

Between 2024 and 2026, the Dutch DPA will receive an additional budget of €500,000 per year, specifically for additional supervision on cookies and online tracking. The Dutch DPA states that it will use the budget not only for investigations and enforcement but also to publish more guidelines and develop tools for investigations.

The Dutch DPA's plans fit well within its overall enforcement strategy: the authority previously announced, in its annual plan for 2024, the launch of a multi-year project that addresses the unauthorised online tracking of people.

New cookie guidance

The Dutch DPA has also provided new guidance on its website, explaining how organisations should design cookie banners and how cookie consent can be obtained in a transparent and lawful manner.

The authority states that organisations regularly use misleading cookie banners. The new guidance is meant to clarify the applicable rules and, ultimately, to allow website visitors and other users to make well-informed decisions about whether to allow tracking or not.

Rules of thumb for compliant cookie banners

The Dutch DPA highlights nine important principles or "rules of thumb" that will help create a legally compliant cookie banner.

  • Provide information about the purpose of the cookie. Users must be provided with all necessary information to allow them to make an informed choice. This includes providing information on why cookies are used for each purpose (before the user makes a choice). "Vague" purposes, such as "we use cookies for social media", should be avoided. What is new about the guidance is that the Dutch DPA provides clear examples of what information is and is not complete and clear enough.
  • Do not pre-select checkboxes. By using pre-selected checkboxes, users will be automatically opted into tracking without their explicit consent. The Dutch DPA states that users must be able to actively choose whether to opt in or opt out.
  • Use clear and concise text. It should be completely clear to users which choice they are making. Buttons must contain clear words such as "accept", "agree", "decline" or "reject". Moreover, it is not permitted to use vague or guiding wording such as "necessary cookies only" or "yes, accept optimal cookies".
  • Display different choices on a single layer. The Dutch DPA clearly states that if the first layer of the cookie banner contains an "accept all" button, the layer must also contain a "reject all" button. It had not stated this so clearly before.
  • Do not hide certain choices. The button which enables users to reject cookies must be clearly visible. It is not permitted to force the user to scroll down to the reject button if the user does not have to do the same for the accept button.
  • Avoid unnecessary clicks. Rejecting cookies must not take more clicks than accepting cookies. It is, for example, not permitted to show an additional pop-up asking users "are you sure you want to reject all cookies".
  • Do not use inconspicuous links in the text. The option to reject cookies should be made as visible as the option to accept cookies and must not be hidden as a link in the text (which would force the website visitor to unnecessarily look for the reject option).
  • Be clear about withdrawing consent. Before the user makes a choice about cookies, the user must be informed about how consent can be withdrawn at a later stage (for instance, by showing a hyperlink to the relevant cookie policy, in which further explanation is provided about cookie settings and ways to opt out).
  • Do not confuse consent with legitimate interest. Legitimate interest can only be used as a legal basis for functional and certain (limited) analytical cookies. In such cases, consent cannot be used as a legal basis. A checkbox or a slider in a cookie banner may cause confusion if used for those types of cookies and must, therefore, be avoided.

Other similar techniques

The guidance furthermore clarifies that the requirements for cookie banners also apply to other techniques that allow organisations to store information on or access the user's device. In addition to cookies, this includes, for example:

  • Placing non-essential data on the user's device; for example, via local storage
  • Tracking pixels
  • Web beacons
  • Fingerprinting

First and second layer

The Dutch DPA also clarifies that certain information must be directly visible in the first layer of the cookie banner. This concerns information about who is processing the personal data and for what purpose(s). Other information may appear on a second (or later) layer, provided that all information is provided in a clear manner.

Osborne Clarke comment

With its new guidance, the Dutch DPA has offered organisations more clarity on several aspects relating to the content and layout of cookie banners. It is important that organisations check whether their cookie banner complies with the rules as set out by the Dutch DPA and make any adjustments if necessary.

Considering the Dutch DPA will check more actively whether cookie banners comply with the requirements on consent, organisations should ensure compliance to reduce the risk of having an enforcement measure imposed on them by the authority.

The Dutch DPA has cookie compliance well on its radar, which is also reflected in its call for the European Data Protection Board to provide more clarity on the "pay or OK" models. All in all, there are plenty of developments to keep an eye on in the near future.
