The subsequent debate in Parliament resulted in a legislative proposal for a revision of the Dutch cookie regulation on May 20, 2013. This proposal is currently subject to consultation initiated by the Minister of Economic Affairs until July 1, 2013.
The June 2012 cookie regulation is laid down in Article 11.7a TA which provides that anyone who wants to take access to data stored in the peripherals of a user by electronic communication or wants to store data in the peripherals of a user must:
- Provide clear and complete information in accordance with the Data Protection Act and, in any event, inform the user about the purposes for which data are used or kept, and;
- Obtain the user’s prior consent for the use and/or storage of data.
The proposal calls for two main changes:
- The cookie regime will be made subject to a number of additional exemptions, and;
- The prior consent criterion for the use of certain cookies will be given a less stringent interpretation.
Currently, the cookie regulation has two exemptions:
- Cookies that merely apply to executing the electronic communication, and;
- Cookies that are strictly necessary in order to perform the underlying service.
The proposal introduces an additional exemption for several types of cookies that are used in order to receive information about the quality and effectiveness of services of a website holder and that are of minor importance to the privacy of users. In a letter of guidance, the Minister clarified that this additional exemption initially relates to analytical cookies. If analytical cookies are merely used, for example, to map and analyze the use of a website, then a website holder does not have to inform nor ask consent from the user. In order to benefit from the new exemption, analytical cookies may not be used for other purposes. Besides analytical cookies, the exemption can also relate to affiliate or a/b testing cookies. According to the Minister, tracking cookies are capable of causing a “more than minor” effect to the privacy of users. Therefore, these do not benefit from the exemption.
According to the Minister, website holders who fulfill these requirements and wish to benefit from the exemption must take safeguard measures in order to minimize privacy risks. This implies that the website holder must ensure (by way of a processing agreement) that all third parties clearly agree with the website holder that they will not use the information in a way that affects the privacy of users more than necessary.
The proposal also softens the prior consent requirement to be obtained by the website holders in line with the views expressed earlier by the Working Party 29 (WP29). The WP29 is the consultative body of the European data protection authorities. The WP29 has already issued an opinion relating to cookie consent in June 2012.2 According to this opinion, consent may be given by an “indication by which the data subject signifies his agreement.” Hence, consent no longer needs to be explicit; it may also be given implicitly. As was confirmed in the explanatory note to the draft proposal and the letter of guidance, this means that, for example, a pop‐up with an “I consent” button would no longer be necessary. Moreover, the letter of guidance explains that consent may even be construed by the fact that a user has chosen to surf the website by, for example, clicking on various links.
In the Netherlands, questions were raised about the applicability of the Dutch cookie legislation to foreign websites (such as .com or .net). In the letter of guidance to the proposal, the Minister suggests that the purpose of the legislation is to protect Dutch users but does not limit the applicability of the current regime to Dutch websites. Whether or not a website indeed falls within that criterion would depend, for example, on the possibility to order products in the Netherlands, the language (Dutch) and “the nature of the information provided.” According to the Minister, the Dutch Authority for Consumers and Markets (ACM),3 the regulator enforcing the TA, explained that its first aim is to go for the most evident violations, such as cookies placed without any form of consent which largely affect privacy and are difficult for users to delete.
Industry stakeholders and other parties can submit their responses to the proposal until July 1, 2013 here. After the online consultation, the ACM and the Dutch Data Protection Authority will be asked to advise on the implications of the proposal. The legislative proposal will then be submitted to Parliament.
In the meantime, the current cookie regulation will continue to apply. The ACM can perform investigations on the basis of its own findings or signals from within the electronic market. The statute of limitations for the ACM to start investigations is five years after a possible infringement has taken place. ACM has the authority to impose fines up to a maximum of EUR 450,000.