Cookies, Analytics and Online Advertising in the Netherlands: GDPR Compliance Guide

Websites in the Netherlands face strict rules about how they use cookies, track visitors, and show online ads. The Dutch Data Protection Authority now monitors around 10,000 websites each year and plans to warn 500 organisations annually for breaking these rules.

Recent fines of €600,000 and €40,000 show that enforcement has become serious.

You must obtain proper consent before placing tracking cookies on your website, and your cookie banner cannot use pre-ticked boxes, hidden reject buttons, or other misleading designs. The rules come from both the GDPR and the ePrivacy Directive, which work together to protect user privacy.

If you process personal data through cookies, both laws apply to your website.

This guide explains what types of cookies require consent, how to set up compliant cookie banners, and what you need to do for analytics and advertising. You will learn about Dutch privacy law requirements, how to manage user consent properly, and how to avoid the common mistakes that lead to warnings and fines.

Understanding Cookies and Their Types

Cookies are small text files that websites store on your device through your web browser. They range from essential files needed for basic website functions to tracking tools that monitor your behaviour across multiple sites.

What Are Cookies and Online Identifiers?

Cookies are processed and stored by your web browser when you visit a website. Each cookie contains data that helps websites recognise your device and remember information about your visit.

As online identifiers, cookies can store enough data to potentially identify you as an individual. They may track which pages you visit, what links you click, your preferences, and your location.

Cookie identifiers work alongside other data like internet protocol addresses to create profiles of your online activity. Under GDPR, cookies qualify as personal data when they are used to identify users.

This means websites must follow strict data protection rules when using them. The regulation specifically mentions that cookie identifiers can leave traces that help create profiles and identify individuals.

Duration and Storage: Session vs. Persistent Cookies

Session cookies are temporary files that expire when you close your browser. They help websites remember your actions during a single browsing session, such as items in your shopping cart.

Persistent cookies remain on your device until you delete them or they reach their expiration date. These cookies have specific expiration dates written into their code. The ePrivacy Directive states they should not last longer than 12 months, though some may remain on your device longer if you do not remove them manually.

Persistent cookies allow websites to remember your preferences across multiple visits. They store information like your language settings, login details, and site preferences.

First-Party and Third-Party Cookies

First-party cookies are placed directly on your device by the website you are visiting. The website owner controls these cookies and uses them to improve your experience on their site.

Third-party cookies are placed by external parties like advertisers or analytics services rather than the website you are visiting. These cookies track your activity across multiple websites to build detailed profiles of your interests and behaviour.

Third-party cookies present greater privacy risks because they can collect significant amounts of data about your online habits. Multiple organisations may access the data from a single third-party cookie.

Since GDPR came into effect, the use of third-party cookies has declined.

Essential vs. Non-Essential Cookies

Strictly necessary cookies (also called essential cookies) are required for basic website functions. They enable core features like secure areas, shopping carts, and page navigation.

You do not need to give consent for these cookies, but websites must explain what they do and why they are necessary.

Non-essential cookies include several categories:

  • Preferences cookies remember your choices like language, region, and login credentials
  • Statistics cookies collect anonymous data about how you use a website to improve its performance
  • Marketing cookies track your online activity to deliver targeted advertising

You must give explicit consent before a website can use non-essential cookies. Marketing cookies can share your information with advertisers and other organisations.

These are typically persistent and third-party cookies that create detailed profiles of your online behaviour.

The GDPR, ePrivacy Directive, and Dutch Law

In the Netherlands, website operators must comply with multiple layers of data privacy regulations that govern how you collect and process user data through cookies and tracking technologies. The General Data Protection Regulation (GDPR) works alongside the ePrivacy Directive and Dutch national laws to create a comprehensive framework for protecting online privacy.

European and Dutch Data Privacy Laws

The GDPR is the primary data protection regulation that applies across all European Union member states, including the Netherlands. It came into force on 25 May 2018 and directly applies without requiring national implementation.

The ePrivacy Directive, often called the “Cookie Law,” specifically addresses electronic communications and tracking technologies. Unlike the GDPR, this directive required EU countries to incorporate it into national law.

The Netherlands implemented these rules through the Telecommunications Act (Telecommunicatiewet). When these laws conflict, the ePrivacy Directive takes precedence over the GDPR for matters related to electronic communications and cookies.

The ePrivacy Directive is stricter in many ways, particularly regarding consent requirements for cookies. You must comply with both regulations if you operate a website targeting users in the Netherlands or broader European Economic Area (EEA).

The ePrivacy Regulation, which will eventually replace the directive, has been delayed but is expected to introduce updated rules for modern tracking technologies.

The Role of the Autoriteit Persoonsgegevens (AP)

The Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority responsible for enforcing both GDPR and ePrivacy rules in the Netherlands. The AP has the power to investigate complaints, conduct audits, and issue fines for non-compliance.

The AP can impose penalties of up to €20 million or 4% of your global annual turnover, whichever is higher, for serious GDPR violations. For breaches of Dutch cookie law, the AP can issue fines up to €900,000 or 10% of annual turnover.

The AP publishes guidance documents and rulings that clarify how you should interpret privacy laws in the Dutch context. You can report suspected violations to the AP, and users can file complaints if they believe you’ve mishandled their data.

Key GDPR Requirements for Cookies

You must obtain valid consent before placing non-essential cookies on users’ devices. Consent must be freely given, specific, informed, and unambiguous.

This means pre-ticked boxes and implied consent through continued browsing do not meet GDPR standards.

Strictly necessary cookies are exempt from consent requirements. These include cookies essential for:

  • Maintaining user authentication
  • Remembering shopping cart contents
  • Ensuring website security
  • Load balancing across servers

You must provide clear information about each cookie’s purpose, duration, and data processors before obtaining consent. This information should use plain language that average users can understand.

Users must be able to withdraw consent as easily as they gave it. You cannot deny access to your website simply because someone refuses non-essential cookies.

You must also document and store records of all consent you receive.

Obtaining and Managing Consent

Under GDPR rules, websites operating in the Netherlands must obtain valid consent before placing non-essential cookies on a user’s device. This requires clear communication about cookie usage, user-friendly consent interfaces, proper documentation of consent choices, and the ability for users to change their preferences at any time.

Valid Consent Under the GDPR

Article 7 of the GDPR establishes strict requirements for what counts as valid consent. Your consent must be freely given, specific, informed, and unambiguous.

This means users need to understand exactly what they’re consenting to before they make a choice. Freely given consent means users can say no without losing access to your website’s basic functions.

You cannot force people to accept cookies just to view your content. Pre-ticked boxes don’t count as valid consent because users must take an active step to agree.

Your consent request must use plain language that anyone can understand. Avoid legal jargon or technical terms that might confuse visitors.

You need to tell users what types of cookies you use, what data you collect, and how you use that information. You must keep detailed records of all consent actions.

This includes who gave consent, when they gave it, what information they received, and which specific cookies they accepted or rejected.

Consent Banners and User Experience

Your cookie consent banner serves as the primary tool for requesting permission from visitors. The banner must be highly visible when someone first arrives on your website, but it shouldn’t block access to the site entirely.

Design matters for both compliance and conversion rates. Your ‘accept’ and ‘reject’ buttons need to be equally prominent.

Making the reject button smaller, hiding it, or using manipulative design patterns violates GDPR rules and erodes user trust. Provide granular consent options that let users choose between different cookie categories.

Someone might accept essential and analytics cookies but reject advertising trackers. All default settings should be blank or set to opt-out.

Your banner should include a direct link to your detailed cookie policy. Keep the language simple and concise.

Display the banner in the user’s preferred language when possible.

Consent Management Platforms (CMPs)

A consent management platform automates the process of obtaining and recording cookie consent. These tools scan your website for cookies, block non-essential ones until consent is given, and manage user preferences across your entire site.

CMPs handle the technical complexities of GDPR cookie consent management. They automatically prevent tracking scripts from firing before users make their choices.

They also update cookie lists as your website changes, ensuring you always request consent for new trackers. Most platforms include geolocation features that adjust consent requirements based on where your visitors are located.

They store timestamped records of each consent action, including device information, browser type, and the specific cookie preferences selected. Quality CMPs offer customisation options so your consent banner matches your brand.

They also provide analytics about your opt-in rates, helping you optimise your consent strategy whilst maintaining compliance.

Changing and Withdrawing Consent

Users must be able to withdraw consent or change their cookie preferences as easily as they gave it. GDPR Article 7 explicitly states that withdrawing consent should be as simple as giving it.

Place a persistent link to cookie settings somewhere visible on your website. Many sites use a small banner at the bottom of each page or an icon that stays accessible whilst users browse.

When someone clicks this link, they should immediately see their current cookie preferences. Your CMP needs to process consent changes instantly.

If a user withdraws consent for advertising cookies, those trackers must stop collecting data straight away. Document these changes with the same level of detail you used for the initial consent.

You don’t need to ask why someone wants to change their preferences. The process should require minimal effort and no explanation.

Store the updated preferences so they apply during future visits to your website.

Types and Purposes of Cookies in Analytics and Advertising

Different types of cookies serve specific functions on websites, from measuring visitor behaviour to delivering targeted advertisements. Understanding these categories helps you identify which cookies require consent and how they process personal data.

Analytics Cookies and Data Processing

Analytics cookies collect information about how visitors use your website. These tracking cookies record which pages you visit, how long you stay, and where you click. The data helps website owners understand user behaviour and improve their sites.

Performance cookies fall under this category. They gather data about site speed, error messages, and technical issues. This information is usually aggregated and anonymised, meaning it cannot identify individual users.

Cookie usage for analytics typically involves third-party services like Google Analytics. These tools process the collected data to create reports and statistics.

However, even anonymised data can qualify as personal data under GDPR if it could potentially identify you when combined with other information. You need consent for analytics cookies unless they are strictly for the website owner’s exclusive use and the data remains completely anonymous.

Most analytics cookies are persistent cookies that stay on your device until they expire or you delete them.

Advertising and Marketing Cookies

Marketing cookies track your online activity across multiple websites to build a detailed profile of your interests. Advertising cookies use this information to show you personalised ads based on your browsing history and preferences.

These tracking cookies are almost always third-party cookies placed by advertisers or ad networks, not by the website you are visiting. They follow you from site to site, collecting data about your behaviour and interests.

Cookie use in advertising also limits how many times you see the same advert. Without these cookies, you might see identical ads repeatedly on different sites.

Processing personal data through advertising cookies requires your explicit consent under GDPR. These cookies typically remain on your device for extended periods, sometimes months or years, unless you manually delete them.

Marketing cookies present the highest privacy risks because they collect substantial amounts of information about your online habits and can share that data with multiple organisations.

Functional and Performance Cookies

Functionality cookies remember your choices and preferences on websites. They store information like your language selection, region settings, or login credentials. These cookies make your browsing experience more convenient by keeping your preferences across visits.

Performance cookies measure how well a website functions. They identify popular pages, detect navigation problems, and track loading times. Unlike analytics cookies, these focus specifically on technical performance rather than user behaviour patterns.

Most functional cookies are first-party cookies set directly by the website you visit. They are usually session cookies that expire when you close your browser, though some persist longer to remember your preferences for future visits.

You do not need to provide consent for strictly necessary functionality cookies that are essential for the website to work. However, cookies that enhance convenience rather than enable core functions may still require consent under GDPR rules.

Transparency, Cookie Policies, and User Rights

Websites operating in the Netherlands must provide clear information about their cookie usage and give users control over their data. Cookie policies need to explain what data you collect, why you collect it, and how users can manage their preferences.

Cookie Policy Requirements

Your cookie policy must list all cookies your website uses before you receive consent. You need to explain what each cookie does in plain language that an average person can understand.

The policy should state whether cookies are first-party or third-party, how long they remain active, and what specific data they collect. You cannot use vague descriptions like “to improve user experience” without explaining exactly what that means.

Specify whether a cookie remembers language settings, tracks pages visited, or monitors advertising clicks. Your policy must be easy to find, typically linked in your website footer or cookie consent pop-up.

The policy needs regular updates when you add new cookies or change how you use existing ones. You must document these changes and inform users if the updates affect their privacy significantly.

Privacy Notices and Data Transparency

Your privacy policy and cookie policy work together to meet GDPR transparency requirements. The privacy policy should explain how cookie data connects to other personal information you collect.

You need to identify all third parties who receive cookie data, such as analytics providers or advertising networks. Cookie walls that block access to your website unless users accept all cookies violate GDPR rules.

You must allow users to access your services even when they reject non-essential cookies. Your cookie consent pop-ups need clear options for accepting or rejecting different cookie categories.

You cannot pre-tick consent boxes or use confusing language that misleads users. The “reject” option must be as easy to find and use as the “accept” option.

User Rights and Cookie Preferences

Users have the right to withdraw cookie consent as easily as they gave it. You must provide a visible way for them to change their cookie preferences at any time, not just during their first visit.

Most websites add a “Cookie Settings” link in their footer or a floating button on each page. You need to store records of user consent, including when they gave it and what they agreed to.

These records help prove compliance if regulators investigate your website. Users can request copies of this consent data under GDPR access rights.

Your preference centre should let users control different cookie categories separately. You cannot force users to accept marketing cookies to use preference cookies.

Risk Management, Compliance, and Best Practices

Managing risks requires regular assessments of your data processing activities and maintaining ongoing cookie compliance. You must also prepare clear procedures for responding to data breaches when they occur.

Data Protection Impact Assessments (DPIA)

A Data Protection Impact Assessment is a legal obligation under GDPR when your processing activities are likely to result in high risks to individuals’ rights and freedoms. You must conduct a DPIA before implementing new tracking technologies, analytics tools, or advertising systems that process large amounts of personal data.

Your DPIA should identify what data you collect through cookies, why you need it, and what risks exist. Document whether you’re relying on consent, legitimate interest, or another legal basis for processing.

Include measures to reduce risks, such as data minimisation, pseudonymisation, or using HTTPS to protect data in transit. You must consult your Data Protection Officer if you have one.

When a DPIA shows high risks that you cannot mitigate, you need to consult the relevant data protection authorities before proceeding. Keep your assessments updated when you change your tracking methods or add new analytics platforms.

Ensuring Ongoing Cookie Compliance

You need to audit your website regularly to verify that all cookies match what you disclose in your cookie banner and privacy policy. Check that cookie consent compliance mechanisms work properly and respect user choices.

Review your cookie management platform monthly to ensure it blocks non-essential cookies until users provide consent. Test your banner on different devices and browsers.

Verify that analytics cookies and advertising cookies don’t load before consent. Monitor changes to GDPR compliance requirements and guidance from data protection authorities.

Update your consent mechanisms when regulations change. Train your marketing and development teams on privacy compliance requirements.

Document all compliance activities, including when you update consent tools, review cookie inventories, or modify tracking scripts. Keep records of consent preferences and make sure users can withdraw consent as easily as they gave it.
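
One way to automate the pre-consent check described above, as an added example that is not part of the original guide: it reads Set-Cookie headers captured from a first page load made before any banner interaction and compares them with the disclosed cookie inventory. The cookie names, the inventory and the captured headers are constructed for illustration, and the script assumes every non-essential category needs consent.

```python
"""Pre-consent cookie audit over captured Set-Cookie headers (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The 12-month ceiling for persistent cookies that the guide cites.
MAX_LIFETIME_SECONDS = 365 * 24 * 3600

# Hypothetical inventory, as it would be disclosed in the cookie policy.
# Assumption: everything except "strictly_necessary" requires prior consent.
INVENTORY = {
    "session_id": "strictly_necessary",
    "lang": "preferences",
    "stats_id": "statistics",
    "ad_id": "marketing",
}


@dataclass(frozen=True)
class Finding:
    cookie: str
    issue: str


def parse_set_cookie(header, now):
    """Return (name, lifetime in seconds), lifetime None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        try:
            if key == "max-age":
                max_age = int(value.strip())
            elif key == "expires":
                expires = parsedate_to_datetime(value.strip())
                if expires.tzinfo is None:  # treat a zone-less date as UTC
                    expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue  # malformed attribute: browsers ignore it, so do we
    if max_age is not None:  # Max-Age takes precedence over Expires
        return name, max_age
    if expires is not None:
        return name, int((expires - now).total_seconds())
    return name, None


def audit_pre_consent(set_cookie_headers, inventory, now):
    """Flag cookies that should not appear before the visitor has chosen."""
    findings = []
    for header in set_cookie_headers:
        name, lifetime = parse_set_cookie(header, now)
        category = inventory.get(name)
        if category is None:
            findings.append(Finding(name, "not disclosed in cookie inventory"))
        elif category != "strictly_necessary":
            findings.append(Finding(name, f"{category} cookie set before consent"))
        if lifetime is not None and lifetime > MAX_LIFETIME_SECONDS:
            findings.append(Finding(name, "lifetime exceeds 12 months"))
    return findings


# Constructed sample: headers recorded on a first visit, banner untouched.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CAPTURED = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "stats_id=s-111; Max-Age=63072000; Path=/",
    "ad_id=xyz; Expires=Wed, 01 Jan 2025 12:00:00 GMT; Path=/",
    "fp_probe=1; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
]

if __name__ == "__main__":
    for f in audit_pre_consent(CAPTURED, INVENTORY, NOW):
        print(f"{f.cookie}: {f.issue}")
```

Running the same audit on headers captured after a visitor rejects all non-essential categories checks that the banner's choice is actually enforced.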

Responding to Data Breaches

You must report certain data breaches to the Dutch Data Protection Authority within 72 hours of becoming aware of them. A breach involving cookie data or analytics information may require notification if it poses risks to individuals’ rights and freedoms.

Create a response plan before a breach occurs. Identify who will assess the breach, determine if reporting is necessary, and communicate with authorities.

Document what data was affected, how many users, and what steps you’re taking to address it. If your analytics provider or advertising platform experiences a breach, you remain responsible as the data controller.

Contact them immediately to understand the scope. Assess whether you need to notify users directly, particularly if the breach involves sensitive tracking data or could lead to identity theft or fraud.

Keep detailed records of all breaches, including ones that don’t require reporting to data protection authorities. This documentation demonstrates your GDPR compliance efforts during audits.

Frequently Asked Questions

Understanding cookie consent, data collection, and advertising requirements under GDPR in the Netherlands requires clear answers to common compliance questions. The Dutch Data Protection Authority enforces specific rules about consent mechanisms, transparency requirements, and acceptable tracking practices.

What are the requirements for obtaining consent for the use of cookies in the Netherlands under GDPR?

You must obtain explicit consent from users before placing non-essential cookies on their devices. This means you cannot use pre-ticked boxes or assume silence means agreement.

Your consent banner must present all options on a single layer. Users should be able to accept or reject cookies with equal ease.

The Dutch Data Protection Authority prohibits designs that require users to click through multiple pages to reject cookies whilst allowing acceptance in one click. You need to provide clear information about what each cookie does.

Plain language works best, avoiding technical jargon that confuses users. The purpose of each cookie category must be visible before users make their choice.

Certain cookies do not require consent. These include cookies that are strictly necessary for your website to function properly.

Analytical cookies that minimally impact privacy may also fall into this category, but this exemption has strict limitations.

How can organisations ensure their online advertising practices comply with GDPR regulations?

You must obtain consent before using cookies that track users for advertising purposes. This applies to both first-party and third-party tracking cookies used to serve targeted advertisements.

Your advertising partners need to comply with GDPR as well. You remain responsible for ensuring that third parties you work with follow proper data protection practices.

This means reviewing contracts and data processing agreements with advertising networks. You cannot share personal data with advertisers without proper legal grounds.

Consent remains the most common basis for advertising activities, though you must document this consent and make it easy to withdraw. Profiling users based on their interests, political preferences, or personal characteristics requires explicit consent.

Tracking cookies that follow users across multiple websites to build detailed profiles fall under this requirement. You must explain this data collection clearly in your privacy notices.

What steps should be taken to maintain transparency in data analytics while respecting user privacy?

You need to inform users about what data you collect through analytics tools. Your privacy policy must explain which analytics services you use and what information they gather.

Analytical cookies that have minimal privacy impact may not always require consent. However, this exemption only applies when the cookies collect limited data and cannot identify individual users.

Most standard analytics tools do not qualify for this exemption without configuration changes. You should configure analytics tools to protect user privacy.

This includes disabling features that collect IP addresses in full, turning off data sharing with the analytics provider for their own purposes, and limiting data retention periods. Cookie consent preferences must extend to your analytics tools.

When users reject non-essential cookies, your analytics tracking should stop. You need technical measures in place to ensure this happens automatically.

What are the specific regulations regarding the use of third-party cookies and trackers for marketing purposes?

Third-party tracking cookies require explicit user consent before placement. These cookies follow users across different websites and applications, creating detailed behavioural profiles for marketing purposes.

You must identify all third-party trackers on your website. Your consent management system should list these clearly and allow users to accept or reject them individually or by category.

Bundling all trackers under vague categories violates transparency requirements. Marketing pixels and similar tracking technologies fall under the same rules as cookies.

This includes social media tracking pixels, conversion trackers, and retargeting tags. You need consent for all these technologies before they can collect user data.

The Dutch Data Protection Authority specifically monitors tracking cookie compliance. In 2024, they announced increased inspections of websites to check for proper consent mechanisms.

Half of the websites they surveyed failed to meet requirements.

How can companies effectively inform users about their data collection practices in line with GDPR?

Your cookie banner must use clear, plain language that users can understand. Avoid legal terminology and technical jargon that obscures what you actually do with collected data.

Information about cookies should be easily accessible. You can link to a detailed cookie policy from your banner, but essential information must appear upfront.

Users should not need to search for basic details about what they are consenting to. You must list the specific purposes for data collection.

General statements like “improving user experience” do not meet transparency requirements. Instead, explain exactly what you will do with the data and who will have access to it.

Regular updates to your privacy documentation are necessary. When you add new cookies or change how you process data, you must inform users and obtain fresh consent where required.

What are the penalties for non-compliance with GDPR in the context of cookies and online advertising?

The Dutch Data Protection Authority can impose significant fines for GDPR violations. These fines can reach up to €20 million or 4% of your annual global turnover, whichever amount is higher.

Non-compliant cookie banners specifically attract regulatory attention. The Authority has identified misleading consent mechanisms as a priority enforcement area.

Hidden reject buttons, unnecessary clicks to refuse cookies, and unclear information all count as violations.

Beyond financial penalties, you may face orders to cease processing activities. The Authority can instruct you to stop using non-compliant cookies immediately and delete data collected without proper consent.

Public announcements of violations and fines can harm your brand and erode customer trust in your data practices.

Law & More