On 11th of March 2015, the long anticipated new cookie rules came into force in the Netherlands. The new rules are an amendment of the existing cookie legislation and provide - inter alia - for a more lenient regime for the use of analytic cookies with a low privacy risk. Immediately following the introduction, the primary Dutch regulator (ACM) announced that it will pro-actively enforce the new cookie rules. Companies are advised to assess to what extent these (broad) rules apply to their websites, apps and devices and how they can benefit from the amendments.
The new rules in a nutshell
See our earlier coverage.
- Despite the name, the cookie rules apply to various techniques ('any information written or accessed from an end user's device', such as regular HTML cookies, fingerprinting and pixel tags) and to various digital environments, including websites, apps, smart TVs and other devices.
- Any party placing or accessing the cookies must duly inform the user and ask for his consent before cookies are placed or read out. 'Consent' must constitute an (active) act, thereby excluding opt-out and implied consent constructions.
- Cookies that are required for transmission and the working of the website itself, and cookies that are technically necessary to provide specific services over that website (like a web shop), are exempted from the information and consent requirements.
- New: the above-mentioned exemption also applies to cookies that are used to obtain information about the quality and efficiency of the website, on the condition that they have no, or only a limited, impact on the privacy of the users.
- New: the user access to a website provided by, or on behalf of, a legal entity established under public law is not dependent on the grant of authorization referred to in the first paragraph (i.e. a prohibition on so-called "cookie walls").
After the first-generation cookie rules came into force in 2010, a long period followed in which regulator and market stared each other in the eye: the market hesitant to implement the rules due to their potential effects on revenue, and the regulator undecided on how to enforce the rules. Nevertheless, around 2012, websites slowly started implementing cookie banners, pop-ups and cookie walls in order to obtain the required consent, or as an attempt to comply with the rules.
Not much later, it became clear that the popping up of banners and permission windows during or before entering a website was an annoyance to many internet users. Website owners, in turn, considered the cookie rules to be a threat to their online businesses: a substantial number of - seemingly - free websites and services run on a business model that relies on advertisement revenue through cookies and similar techniques. Any threat to the use and acceptance of cookies is a threat to their revenue.
The complaints prompted the Dutch legislator to act and to propose an amendment of the cookie rules. The original amendment was aimed at making the cookie rules more user-friendly, inter alia by clarifying the rules for consent and by introducing an exemption for analytic cookies. Below we will see that the legislator has only partly succeeded and, in addition, introduced stricter rules for public bodies through an amendment during the legislative process.
What the new rules do, and don't
For businesses, the most significant changes concern the expansion of the exemption to cookies that (1) have little or no impact on the privacy of users and (2) are solely used to gain information on the quality and efficiency of a website. Since the cookie rules are - in conformity with the Directive - formulated in technique-neutral terms, the exemption appears rather abstract and requires a translation for practical use.
The Explanatory Memorandum provides concrete examples of types of cookies that are likely to fall under the exemption. For example, website owners who use analytic cookies may benefit from the exemption, as may a third party to which the placement and reading of such cookies is outsourced, as long as this has no, or at most a limited, impact on the privacy of the user.
The exemption might also apply to affiliate cookies, which are used to keep track of the success rate of advertisements in order to reward the affiliated advertiser. A/B testing cookies, which help websites to pick the most effective design or commercial, are also mentioned in the Explanatory Memorandum. The Memorandum notes that relying on the exemption might get more complicated when multiple parties are involved in trafficking a palette of different cookies.
All other cookies (that do substantially impact privacy and/or serve other or further goals) do still require consent from the user.
Though some believed that the strict consent requirement would go away with the new rules, it is now clear that the notoriously strict consent requirement in the Netherlands is here to stay. There is no amendment to this part of the rules, and at best the Minister has stated that there are various ways to go about getting rightful consent from a user.
Lastly, the new rules (still) do not clarify which party needs to comply. This is important, because a website is not always the party placing and reading the cookie: with advertisement networks, for example, the ad network is generally the one placing these cookies on the publisher's website. This point was left unaddressed in the legislative history. Hence, the best answer might be: both parties need to comply. Under the general administrative complicity clause, ad networks as well as websites that make use of such "third party" cookies might be held accountable. And the Dutch regulator has recently shown that it is willing to take enforcement action against such affiliate networks, after fining Daisycon 810 thousand euros for violation of anti-spam law.
Dual enforcement and fines
The cookie rules will primarily be enforced by the Dutch Authority for Consumer and Market. However, the new cookie rules introduce an onus of proof that personal data is processed when tracking cookies are used, thereby underlining the regulatory realm of data protection which is enforced by the Dutch Data Protection Authority (CBP). Consequently, two authorities are entrusted with enforcement of the new cookie rules.
ACM can impose fines of up to EUR 450.000,-, whereas the DPA currently has few powers to impose fines. This might, however, change in the near future. An upcoming change of the Dutch Data Protection Act endows the DPA with the power to impose fines up to a maximum of EUR 810.000.
Regulators, industry and other stakeholders in talks
Against the background of these changes in legislation, regulators and stakeholders have been in talks for a few months now to discuss guidelines aimed at improving and assisting compliance with the rules. Though it is unclear how these guidelines will turn out, with the involvement of both regulators they could be something to look out for in the coming year.
What are the consequences of the new cookie rules for your company?