Legislative proposal to relax Dutch cookie rules sent to Parliament

08 April 2014

On 28 March 2014, a legislative proposal that aims to relax the Dutch cookie rules was sent to Dutch Parliament. The objective of the legislative proposal is to provide a solution to the problems and nuisance that the current cookie rules imply. However, the strict rules on targeting cookies are not affected by the proposal.

Since June 2013, the Dutch Telecommunications Act states that cookies may only be placed and read if the user has provided his consent for this, after he has been clearly and fully informed about inter alia the purpose for which the cookies are used. In addition, the Act stipulates that the use of so-called tracking (i.e. cookies used to analyse the internet user's behaviour over time and across a number of websites) is to be considered the processing of personal data, implying that the Dutch Data Protection Act applies and the Dutch Data Protection Authority has powers to enforce the cookie rules.

The legislative proposal that was sent to Parliament does not affect these tracking cookies. It only extends the scope of the exemption for technical or functional cookies, such as cookies used to store language settings or other user preferences. The proposal aims to remove the consent requirement for cookies that are applied to get information on the quality and effectiveness of websites, provided that these cookies have no or only marginal effect on the user's privacy. Examples are first party analytic cookies, performance or affiliate cookies and A/B-test cookies.

The legislative proposal also explains a number of issues regarding the cookie rules, such as on how users can give their consent for the cookies that are not covered by the exemption. It confirms that an internet user could give his consent by clicking on parts of a website, if he has been told in a sufficiently clear manner that this is considered as consent for the use of cookies. Therefore, pop-ups are not the only way to get the user's consent. Websites can make use of (clearly worded) banners that inform the user that cookies will be placed if he continues his visit to the website.

More importantly, the memorandum clarifies that unambiguous consent is not the only processing ground for cookies that involve the processing of personal data, such as tracking cookies. The internet user's unambiguous consent is only required if other processing grounds, such as performance of a contract or legitimate interest, are not feasible.

Interestingly, this approach on unambiguous consent seems not completely synced with the Dutch Data Protection Authority's views on the cookie rules. According to the DPA, unambiguous consent is the only possible processing ground, particularly if the cookies are used to analyse the internet user's web-surfing behaviour. Reportedly, the DPA is currently in the process of enforcing this requirement for unambiguous consent.

Finally, the explanatory memorandum to the legislative proposal provides some explanation on browser settings consent. Such consent could be valid if an internet browser allows internet users to indicate, by means of an active adaptation of the settings, that he gives consent for a particular type of cookies.

The text of the legislative proposal and the other parliamentary documents (all in Dutch) can be downloaded here.