On 20 May 2013 a draft bill was published (for public consultation) under which the rules on cookies laid down in the Dutch Telecommunications Act (Telecommunicatiewet) will be relaxed. For cookies that "provide insight into the quality or effectiveness of services delivered via the internet and have little or no impact on the internet user's privacy", it will no longer be required to inform the user and request his consent pursuant to the Telecommunications Act. Examples of such cookies are analytic cookies, a/b testing cookies and affiliate cookies.
For tracking cookies the duty to inform and request consent will remain in effect. It should be remembered that the cookie rules also apply to other automatic data collection procedures such as the use of web beacons and device fingerprinting. As formulated in the Telecommunications Act, the rules apply to "the storage or accessing of information in a user's peripheral/terminal equipment".
According to a letter from the Minister of Economic Affairs and the explanatory memorandum to the draft bill, consent need not be obtained through e.g. a pop-up box, but can also be obtained through some other positive act, for example by continuing to browse after the appearance of an information bar indicating that doing so will result in cookies being placed, which cookies these are, their purpose and by whom they are placed. According to the Minister, this is also possible under the existing law. The cookies may not be placed before a user has performed the requisite positive act (at the time of his/her first visit). As a general rule, a failure to amend default browser settings allowing cookies cannot be viewed as the expression of an informed, conscious choice by the internet user and will not readily be seen as consent. This may be otherwise with the new generation of browsers if the allowance of cookies is not one of the default settings.
To the extent that personal data are processed, the provisions of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) apply. These provisions may impose additional obligations, such as with regard to the furnishing of information, the obligation to notify processing activities to the Dutch Data Protection Authority, the conclusion of a data processing agreement and the transfer of personal data to countries outside the European Union.
Comments on the draft bill will be accepted until 1 July 2013. Subsequently, the Data Protection Authority and the Netherlands Authority for Consumers and Markets will be asked to advise on the draft bill and it will be sent to the Council of State. Submission to the lower house of Parliament is expected in the autumn of this year.
Current rules and proposed amendment
Since 5 June 2012 the Telecommunications Act has required that consent be requested and information be furnished before placing certain types of cookies. Those requirements do not apply to cookies that are (i) used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or (ii) strictly necessary to provide the requested service. Examples include cookies making it possible to use shopping carts or store language preferences.
Since 1 January 2013 the placing of cookies for the purpose of collecting, combining or analysing information about the use of various services of the information society (in other words, for the purpose of monitoring website surfing behaviour using tracking cookies) has been presumed to constitute a processing of personal data. Consequently, the burden of proof is reversed: the supervisory authority is not required to prove that personal data have been processed, but the company must prove that it has not processed personal data. Apart from the reversal of the burden of proof, it can be argued that the impact of this rule is limited. Either personal data are processed, in which case the Personal Data Protection Act must be complied with, or personal data are not processed, in which case the Personal Data Protection Act does not apply.
Under the bill, an exemption will be added for cookies that are strictly necessary "to obtain information about the quality or effectiveness of a service provided by the information company, provided that this will have little or no impact on the privacy of the relevant subscriber or user." Examples of cookies that can fall under this exemption are discussed below.
Analytic cookies are used to gather information about and analyse the use of a particular website in order to improve its quality. The use – and possible further use – of these cookies must have little or no impact on the internet user's privacy. Accordingly, it is not permitted to draw up a user profile (also not by a third party). Both first-party and third-party analytic cookies can fall under the exemption. If a third party is involved in the placement of the cookies or receives user data, the website administrator must enter into a (data processing) agreement with the third party under which it is clear that the third party may not use the data for his/its own purposes or may only do so for purposes that are explicitly demarcated in the agreement and will have little or no impact on the privacy of the subscribers or users.
Affiliate/performance cookies are used to collect information regarding which advertisements lead to purchases so that the party who has displayed the relevant advertisement (the affiliate) can receive payment for this. One way in which to demonstrate that a cookie will be used only to collect such information is that its lifespan is no longer than necessary for that purpose.
In a/b testing, two different versions (version a and version b) of, for example, an advertising banner or a website are shown and a cookie is used to monitor which of the two is more effective. Here too, the lifespan of the cookie is relevant.