On May 8th, 2012, the Dutch Senate voted to adopt the proposed amendment to the Telecommunications Act, which includes new rules regarding the use of cookies. The new cookie legislation entered into force on 5 June 2012. For your convenience, we have provided a brief overview of the new legislation.

Summary

  1. The new legislation requires opt-in consent for all cookies that are stored on and retrieved from the devices of Dutch users. Consent may not be inferred from the browser settings of users. The Dutch government and legislature have concluded that browser settings cannot adequately reflect the user's consent for the use of cookies. One way in which a website operator could obtain consent is by presenting users with a pop-up screen the first time they visit the website. This pop-up screen should clearly inform users about the cookies that are used on the website and should give users the possibility to confirm their consent, for example by ticking a box stating "I accept all cookies from this site".
  2. The Dutch cookie legislation entered into force on 5 June 2012. In principle, enforcement of the law by the Dutch Telecom Authority (OPTA) will commence once the legislation has entered into force. However, the shift of the burden of proof in relation to tracking cookies (as detailed in paragraph 2.4) will not enter into force until 1 January 2013. Failure to comply may result in OPTA imposing penalty payments with a maximum of €450,000 and/or the Dutch Data Protection Authority (DPA) applying administrative coercion in order to compel businesses to adhere to the consent requirements for the processing of personal data.
  3. In order to implement these rules we recommend (i) a revision of your privacy policy and (ii) a technical implementation of the new rules. The privacy policy must inform users that their consent is required for the use of cookies and for what purposes cookies are placed. From a technical perspective, any website will now have to obtain the consent of the user and respect the user's choice if he or she chooses to decline.

1. Changes to the rules regarding cookies

1.1 The amended Telecommunications Act requires that any party that wants to place cookies on devices connected to the (mobile) internet in the Netherlands must:

  1. provide users with clear and unambiguous information about the purposes for which the cookies are placed; and
  2. obtain consent from users before placing the cookies.

1.2    This is an amendment to the previous opt-out regime in which it was sufficient to provide users with information on the purpose for which the cookies were used and provide instructions regarding how the user may object to the use of cookies.

1.3    The Dutch government, legislature or regulatory authorities have not provided instructions or guidelines on how consent may be obtained. The legislature has only indicated that the consent must be obtained in a user-friendly way. Consent is defined as the freely given, specific and informed indication of his wishes.

1.4    Based on the explanatory remarks accompanying the amendment, it is clear that it is insufficient to obtain consent via the user's browser settings. Current browsers cannot adequately reflect the user's consent for the use of cookies since they accept cookies by default. Currently, the European Commission and the W3C are working on a "Do Not Track" standard that should provide a practical solution for consent to cookies. This would allow a user to indicate clearly whether or not he consents to the use of (certain types of) cookies. However, this standard is not yet in place.[1]

1.5    If the use of cookies constitutes the processing of personal data in accordance with the Dutch Data Protection Act, the business which uses the cookies must obtain user consent in addition to one of the justification grounds set out in article 8 of the Dutch Data Protection Act (such as unambiguous consent, contractual obligation or a legitimate interest). Please note that the "normal" consent required based on the Telecommunications Act is a lighter form of consent than "unambiguous consent" or "explicit consent" which is required under the Dutch Data Protection Act.

1.6    The new rules apply to all forms of cookies, unless the cookies have the sole purpose of (i) enabling communication over an electronic communications network; or (ii) performing the service that is requested by the user and for which the use of cookies is strictly necessary, for example cookies that enable the use of online shopping baskets.

Tracking Cookies

1.7    Moreover, the new law introduces a legal presumption that the use of tracking cookies constitutes the processing of personal data as defined in the Dutch Data Protection Act (and as set out in the European Data Protection Directive). "Tracking cookies" are cookies which are intended to collect, combine or analyse data regarding the use by the user of different services of the information society for commercial, charitable or ideological purposes.

1.8    Consequently, the Dutch Data Protection Act is presumed to apply to tracking cookies. This means that businesses which use tracking cookies will need to have a proper justification, as set out in the Data Protection Act. They are also bound by obligations to maintain accurate records, to store information only for as long as is necessary to achieve the purpose for which the information was obtained and to disclose all information related to an individual who requests such information. Finally, the rules regarding the transfer of personal data to countries outside the European Union presumptively apply to tracking cookies. This presumption can be overturned by a business that uses tracking cookies. The Dutch legislature has indicated that this legal presumption does not materially change the applicability of the Dutch Data Protection Act to tracking cookies.

2. Enforcement

2.1    The amended Dutch Telecommunications Act (DTA), including the new laws on opt-in consent for cookies, entered into force on 5 June 2012. For ease of reference we have added a translation of the provision on cookies as Appendix I to this memorandum. The burden of proof on tracking cookies (question 2 below) will enter into force on 1 January 2013.

2.2    In principle, enforcement of the law will commence once the law has entered into force, which means 5 June 2012 and 1 January 2013 respectively.

2.3    In the event that a business violates the new cookie legislation, OPTA could impose incremental penalty payments or a fine with a maximum of €450,000 per infringement. The Dutch DPA can moreover apply administrative coercion in order to compel a violator to adhere to the consent requirements for the processing of personal data. Finally, the decisions of these regulators are published and could lead to reputational damage.

3. Recommendations

3.1    Compliance with the new cookie legislation requires change along two dimensions: it requires (i) an amendment to the privacy policy and (ii) a technical implementation on the website.

3.2    Until the new legislation went into effect, (most) privacy policies pointed out to users the right to refuse cookies by changing their browser settings. The privacy policy will now have to reflect the fact that users have to indicate in some way that they consent to the use of cookies. As was the case before, the privacy policy must inform the user of the purposes for the use of cookies.

3.3    Websites are not commonly set up to allow users to object to the use of cookies. Therefore, the new rules force website operators to adjust their websites so that consent to the use of cookies is obtained in some way. In principle, there is not one way in which this should be done and the implementation will differ according to the needs of each website or web service operator.

***

Our data protection practice is ready to advise you in your compliance with the new legislation. We would be happy to answer any questions you may have regarding the above.

APPENDIX I

Article 11.7a Dutch Telecommunications Act

  1. Any party that - by means of electronic communication networks - wishes to gain access to information stored in the terminal equipment of a user or wishes to store information in the terminal equipment of a user, has to:
    a. provide the user clear and comprehensive information in accordance with the Data Protection Act and in any case regarding the purposes for which the party wishes to gain access to the relevant information or for which the party wishes to store the information, and
    b. have received consent for such act. Any act, described in the opening of this clause, which is intended to collect, combine or analyze data on the use of different services of the information society by the user or subscriber for commercial, charitable or non-commercial purposes, will be considered to be an act of processing, as defined in article 1(b) of the Data Protection Act.
  2. The requirements mentioned in (1)(a) and (b) are also applicable to a situation where other than through the use of an electronic communications network, data is stored or access is provided, via an electronic communications network, to data stored on terminal equipment.
  3. Section 11.7a (1) and (2) are not applicable to the extent that they relate to the technical storage of or access to data with the sole purpose:
    a. to achieve the communication over an electronic communications network; or
    b. to deliver a service of the information society requested by the subscriber or user and the storage or access to data was strictly necessary for that purpose.