Cookie legislation: have you brought your website into line?

Under the Dutch Telecommunications Act (DTA), several new provisions have been made regarding cookies. Under the new rules, websites are required to ask visitors for their consent before setting a cookie (or other information) on their PC, laptop or mobile phone.

Questions have arisen whether companies need to adapt their website and what risks they run if they do not make the necessary changes.

Below are some of the most common questions companies have regarding cookies.

1. Do I have to adapt my website?

If you only use functional cookies, there is no need to adapt your website. Functional cookies are “harmless” cookies. “Harmless” cookies make it easier to use the features on a website, such as saving visitors’ settings or registration details.

However, if you provide a service online and use tracking and/or third-party cookies, you will need to adapt your website. Tracking cookies are used to track the Internet user. Third-party cookies are set on an Internet user’s PC by a third party via your site. An example of this is a third party’s advertisement on your website.

2. What are the risks if I do not adapt my website?

If you do not adapt your website, you run the risk of heavy fines. OPTA – the Netherlands’ independent post and telecommunications authority – can impose a maximum fine of € 900,000 for each breach of the DTA.

You may also run into trouble with the Dutch Data Protection Authority (DPA). The DPA is an enforcement authority which can take tough measures if cookies are used to process Internet users’ personal data. Since the 1st of July 2016, by adjusting policy to the new maximum fines as stated in the DTA, a fine can amount to €900,000. This is an administrative enforcement order (a “last onder bestuursdwang” in Dutch, i.e. an administrative measure for the restoration of a legal situation).

It is therefore essential that you bring your website into line with the new legislation as soon as possible.

3. What changes do I need to make to my website?

Once you have established that you use tracking and/or third party cookies, you must make the following changes to your website:

1) Inform: before setting the cookie, you must inform the Internet user about the type of cookie. This means informing about its purpose, and what information the site will obtain concerning the Internet user.

2) Requesting consent: before setting cookies, you must request the Internet user’s consent. If the Internet user does not consent, you may not set the cookie. There are various ways of requesting consent. You can, for example, request consent via a dialogue window, or via the status bar or a warning bar, each time you want to set a cookie. There are, however, many other options. It is advisable to consult an ICT specialist to discuss the most suitable method for you.

Conclusion

This blog briefly answers the three most frequent questions regarding cookie legislation. For detailed guidance, please refer to the Cookie Compliance Guide. This guide explains at length the process you must undertake in order to satisfy the requirements of the new provisions on cookies.

 

Update: Since 2018, the European General Data Protection Regulation (GDPR) now affects how consent must be requested.