The Dutch telecommunications supervisory authority, the Authority for Consumers & Markets (“ACM”), has established that the Netherlands Public Broadcasting (“NPO”) violated the rules for placing cookies. On various websites managed by the NPO, the NPO places cookies at user’s devices without having obtained their priot informed opt-in consent. By doing so, the NPO violates Dutch cookie law as laid down in the Telecommunications Act (Telecommunicatiewet “Tw”). Under the Tw, it is prohibited to place cookies without having informed users properly and without having obtained their prior opt-in consent.

Background decision ACM

In 2012, the ACM sent letters to a large number of Dutch government websites or websites linked to the government on the compliance with Dutch cookie law. The ACM holds the opinion that now that the government is (indirectly) involved, it is of importance that these websites set a good example in this respect. Therefore, the ACM currently takes enforcement action where government websites are concerned.

The websites managed by the NPO fall within the scope of government websites. According to the ACM, it had confronted the NPO with its violating behavior several times. Since the NPO failed to come up with a satisfactory response and in order to force the NPO to adjust its current policy, the ACM imposed an order subject to a penalty for noncompliance amounting to EUR 25,000 per week with a maximum of EUR 125,000.

Background Dutch cookie law

Under Dutch cookie law, website operations need to consider the application of article 11.7a of the Tw for the use of cookies. Cookies that are placed on, or read from, a user’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply where functional cookies are concerned, i.e. cookies that are strictly necessary for the provision of an information society service requested by the user. For example, tracking cookies do not fall under this “strictly necessary”. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise. If the placement of cookies – like tracking cookies – also involves the processing of personal data, the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens“Wbp”) also applies. Under the Wbp, a legal basis for the processing of personal data is required, which can often be found in the unambiguous consent of the user. Currently, the Dutch cookie legislation is being reviewed and it is very likely that after the summer holidays, new legislation comes into force.

In reply to ACM’s decision, NPO confirmed it will change its policies.