- The Dutch cookie legislation has entered into force on 5 June 2012. In principle, enforcement of the law by the Dutch Telecom Authority (OPTA) will commence once the legislation has entered into force. However, the shift of the burden of proof in relation to tracking cookies (as detailed in paragraph 2.4) will not enter into force until 1 January 2013. Failure to comply may result in OPTA imposing penalty payments with a maximum of €450.000 and/or the Dutch Data Protection Authority (DPA) applying administrative coercion in order to compel businesses to adhere to the consent requirements for the processing of personal data.
- Changes to the rules regarding cookies
1.1 The amended Telecommunications Act requires that any party that wants to place cookies on devices connected to the (mobile) internet in the Netherlands must:
- provide users with clear and unambiguous information about the purposes for which the cookies are placed; and
- obtain consent from users before placing the cookies.
1.3 The Dutch government, legislature or regulatory authorities have not provided instructions or guidelines on how consent may be obtained. The legislature has only indicated that the consent must be obtained in a user-friendly way. Consent is defined as the freely given, specific and informed indication of his wishes.
1.7 Moreover, the new law introduces a legal presumption that the use of tracking cookies constitutes the processing of personal data as defined in the Dutch Data Protection Act (and as set out in the European Data Protection Directive). "Tracking cookies" are cookies which are intended to collect, combine or analyse data regarding the use by the user of different services of the information society for commercial, charitable or ideological purposes.
1.8 Consequently, the Dutch Data Protection Act is presumed to apply to tracking cookies. This means that businesses which use tracking cookies will need to have a proper justification, as set out in the Data Protection Act. They are also bound by obligations to maintain accurate records, to store information only for as long as is necessary to achieve the purpose for which the information was obtained and to disclose all information related to an individual who requests such information. Finally, the rules regarding the transfer of personal data to countries outside the European Union presumptively apply to tracking cookies. This presumption can be overturned by a business that uses tracking cookies. The Dutch legislature has indicated that this legal presumption does not materially change the applicability of the Dutch Data Protection Act to tracking cookies.
2.1 The amended Dutch Telecommunications Act (DTA), including the new laws on opt-in consent for cookies, has entered into force on 5 June 2012. For ease of reference we have added a translation of the provision on cookies as Appendix I to this memorandum. The burden of proof on tracking cookies (question 2 below) will enter into force on 1 January 2013.
2.2 In principle, enforcement of the law will commence once the law is entered into force, which means 5 June 2012, respectively 1 January 2013.
2.3 In the event a business violates the new cookie legislation the OPTA could impose incremental penalty payments or a fine with a maximum of € 450,000 per infringement. The Dutch DPA can moreover apply administrative coercion in order to compel a violator to adhere to the consent requirements for the processing of personal data. Finally, the decisions of these regulators are published and could lead to reputational damage.
Our data protection practice is ready to advise you in your compliance with the new legislation. We would be happy to answer any questions you may have regarding the above.
Article 11.7a Dutch Telecommunications Act
Any party that - by means of electronic communication networks - wishes to gain access to information stored in the terminal equipment of a user or wishes to store information in the terminal equipment of a user, has to:
- provide the user clear and comprehensive information in accordance with the Data Protection Act and in any case regarding the purposes for which the party wishes to gain access to the relevant information or for which the party wishes to store the information, and
- have received consent for such act. Any act, described in the opening of this clause, which is intended to collect, combine or analyze data on the use of different services of the information society by the user or subscriber for commercial, charitable or non-commercial purposes, will be considered to be an act of processing, as defined in article 1(b) of the Data Protection Act.
- The requirements mentioned in (1)(a) and (b) are also applicable to a situation where other than through the use of an electronic communications network, data is stored or access is provided, via a electronic communications network, to data stored on terminal equipment.
Section 11.7a (1) and (2) are not applicable to the extent that it relates to the technical storage or access to data with the sole purpose:
- to achieve the communication over an electronic communications network; or
- to deliver a service of the information society requested by the subscriber or user and the storage or access to data was strictly necessary for that purpose.