Last Tuesday, the Dutch Parliament agreed on amendments to the current cookies regulation in Article 11.7a Telecommunications Act (TA). Art. 11.7a TA contains the Dutch implementation of Article 5, par. 3 Directive 2002/58/EG. The amendments provide for (a) one more explicit exception to the required prior informed consent rule for the placing of cookies and similar software and for (b) a ban on the use of cookie walls by public agencies.  These amendments must still be approved by the Senate. 

(a) Current legislation provides for one exception only:  cookies which are strictly necessary for the provision of an information society service requested by the subscriber or user. All cookies that are not strictly necessary for the essential operation of the service required prior informed consent. Current legislation therefore did not further differentiate between cookies with no or little impact on the user’s privacy and other cookies. Placing of both cookies required prior consent.

The new exception relates to cookies that have little or no impact on the privacy of the internet user. One may think of first party analytic cookies, affiliate or performance cookies used for the purpose of paying affiliates or cookies used for testing the effectiveness of certain banners. These cookies are not strictly necessary for the operation of the service but they are useful for the provision of information about the quality or the effectiveness of these services and, if not used for other purposes, will have little impact on the privacy of the user.  The exception values the significance of consent, by restricting this instrument to serious cases and not for cases which do not infringe the privacy of the user.

Serious cases concern tracking cookies placed by third parties. An amendment requiring explicit consent for the placing of these cookies was rejected by Parliament. Consent must be informed and prior to the placing of cookies. It can be fulfilled by further clicking on parts of the website after the user is completely informed about the placing of cookies and its purposes. If the party responsible for the placing of cookies aims at collecting, combining or analysing data about the use of different information services by the user in order to treat these users differently, the said data are, subject to presumption of rebuttal, supposed to be personal data in the sense of the Dutch Data Protection Act (DPA). Consent then must comply with the requirements of the DPA which could imply explicit consent.

(b) the Parliament also accepted an amendment by one of its members on the use of cookie walls. According to the new Article 11.7a, par. 4a TA access to services of the information society delivered by public agencies shall not be dependent of prior consent. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services, by giving away their personal data.  As these services are already paid for by public resources, users should not, according to the explanatory note at this amendment, be forced to pay twice with their personal data.