The Dutch Data Protection Authority (AP) is going to take enforcement actions against cookies, but what are the actual rules?

October 31, 2023
The Dutch Data Protection Authority (AP) is going to take enforcement actions against cookies. It will receive half a million euros a year extra for cookie supervision. This is good news for anyone annoyed by unfair cookie banners with a very big Yes button, while you have to click a hundred times if you want to say No to all cookies.

But that extra money is potentially bad news for website owners. We can well imagine that the AP will use the extra money to get rid of the pile of previously filed cookie complaints. And then you will look bad if the AP checks on you in 2024, finds that you have done nothing with a visitor's complaint, and still do not obtain valid consent. So quickly check your website and app to see whether you are now properly informing about all cookies, and asking for consent where necessary. Check the answer to question 5 for some useful free tools to see exactly what cookies you are using.

At Privacy Company, we like to help website and app owners comply with the rules. We list the rules below, in the form of five questions and answers.

1. Where can I find the rules?

Unfortunately, there is not a single clear law for cookies. In the Netherlands, the rules in Article 11.7a of the Telecommunications Act apply. Dutch regulator ACM explains the difference between functional, analytical and privacy-sensitive tracking cookies. But if you reside in another member state, or do business in multiple member states, you will encounter different national laws and rules. This is because there is still no ePrivacy Regulation with harmonised rules for cookies. Each country in the EU therefore applies the rules in its own way. And to make it even more complicated: with privacy-sensitive cookies for e.g. advertisements, you also process personal data. That means the General Data Protection Regulation applies, and you therefore have to take into account the interpretation of the data protection authorities.

Due to differences in legislation, data protection authorities have still not managed to produce common guidelines for tracking cookies. Normally, the EDPB guidelines would be the first source you should look at. In the Netherlands, you can look at the website of the AP, but that explanation is too limited, also because the AP only publishes a very small part of the outcomes of complaints and investigations. To know exactly what you can and cannot do, you also have to look at rulings of the European Court of Justice, national court rulings, and decisions of other regulators. Fortunately, the NGO None Of Your Business (NOYB) has built the GDPRhub.eu website, where volunteers summarise rulings by regulators and judges from all over the EU.

2. What is the highest fine imposed for cookie violations?

The French data protection authority CNIL has imposed the highest fines for using tracking cookies without consent. On 31 December 2021, Google Ireland and Google America were jointly fined €150 million. In 2022, the CNIL imposed a €60 million fine on Microsoft for cookie use in its search engine Bing. The next two high fines since January 2022, of €8 million for Apple and €5 million for TikTok, were also imposed by the CNIL. In 2022, the French Council of State confirmed two other 2020 mega fines by the CNIL of 100 million euros against Google and 35 million euros against Amazon for lack of consent for tracking cookies, respectively.

Highest cookie fines from 1 January 2022 - September 2023

Microsoft used two multi-purpose cookies in its Bing search engine without consent, for fraud prevention AND advertising purposes. The reject option was hidden under 'more information'. So there was no equivalent choice between Yes and No, and Microsoft had (accidentally) classified a cookie as 'necessary', while consent was required.

The Apple fine is about reading unique identifiers from iOS version 14.6 of the iPhone. The default setting on the phone was that advertisers could use the unique advertising ID for targeted ads in the app store. Users could therefore not actively consent, and had to dig very deep into the settings to turn off tracking. Because advertisers could select by users' age and gender, among other things, there was profiling.

The TikTok fine was about the difference in convenience between giving consent, with one click, and refusing consent. Moreover, refusing didn't help: ad cookies were still placed if you said No.

In 2021, the Luxembourg data protection authority imposed a record fine of €750 million on Amazon. The content of that decision is unfortunately secret, but it is quite conceivable that the fine was also imposed in connection with tracking cookies. The decision will not become public until all appeals are exhausted and the decision is final. The (first) hearing at the Luxembourg court on the appeal filed by Amazon in October 2021 is scheduled for 9 January 2024 (!).

3. What about Google Analytics cookies?

There are 11 well-known rulings (available via GDPRhub.eu) on the use of Google Analytics, by the EDPS and the Finnish, French, Italian, Norwegian, Austrian and Swedish data protection authorities. Most of these rulings deal with unlawful transfers of personal data via cookies and IP addresses to the United States. That is no longer a big issue since 10 July 2023, the date of the European Commission's new adequacy decision. But the rulings also address the consent requirement for cookies, as Google's Analytics cookies and IP addresses can track users' behaviour across multiple websites, despite all sorts of pseudonymisation options. As far as we are concerned, the rulings from the data protection authorities are technically unsubstantiated. In the Netherlands we are still waiting for the explanation from the AP. The AP initially promised to provide an explanation 'in early 2022', but later changed that to 'during 2022' and subsequently moved the promise to its archive website, without any explanation about the delay.

4. Can I use a tracking wall?

A tracking wall is a big pop-up on a website that requires you either to consent to tracking cookies or to pay before you can access the site's content. According to the AP, website owners may not force visitors to accept tracking cookies in order to visit the site: visitors should really be free to give consent, or not. The Belgian data protection authority also announced in September 2023 that it would take strict enforcement actions against tracking walls. But there is still no unified tracking wall standard in Europe. The Austrian data protection authority first ruled that the newspaper Der Standard was indeed allowed to offer a choice between tracking cookies or paying to visit the website, but recently took the opposite position. According to the Danish data protection authority, media may charge a reasonable price for access, but not offer a choice between tracking cookies or paying (see their investigation into Jysk Fynske Medier and GulogGratis). And one of Germany's regional data protection authorities (from Lower Saxony) found that the German e-zine Heise was indeed allowed to have a tracking wall because visitors could get the same service without the tracking cookies for a fee.

5. What should I do as a privacy officer or data protection officer?

We recommend the following six steps:

  1. Visit your own organisation's websites and use its apps. What does the cookie consent question look like? There should really be an equivalent choice between Yes and No, immediately when you first visit a website or install an app, with no difference in colour and shape (no dark patterns).
  2. If you use a cookie consent manager from an external supplier, which asks for consent on behalf of your organisation, do not blindly rely on its classification into functional, analytical and advertising cookies. Check the cookies as well as the outgoing traffic on your websites yourself using your browser's inspector mode. Or use one of the following three handy free tools to check your website:
    1. https://webbkoll.dataskydd.net/.
    2. The excellent open source inspection software from the European Data Protection Supervisor EDPS.
    3. Brenno de Winter's open source Vulnerabilities Analysis Tool, OpenKAT, which has just been supplemented by Privacy Company technologist Floor Terra's cookie tooling.
  3. Read the requirements set by the European Court of Justice in the Planet49 judgment (C-637/17, ECLI:EU:C:2019:801) on how to inform about cookies, i.e. including the name of the cookie, its purpose and retention period (validity). Remember that you must also inform about necessary (session) cookies, not just about advertising cookies.
  4. Keep in mind the sensitive nature of information about surfing behaviour. Sensitive personal data can quickly be inferred from surfing behaviour, which means you may only process these data with explicit consent, as explained by the European Court of Justice in its ruling on Meta (Case C-252/21, German Competition Authority v Meta, ECLI:EU:C:2023:537). In the Netherlands, this reasoning about the inference of sensitive data was confirmed in March 2023, in a class action against Meta (Amsterdam District Court, ECLI:NL:RBAMS:2023:1407).
  5. Keep in mind that you will quickly become a joint controller with the third parties that place tracking cookies on your website. Because withdrawing consent should be as easy as giving it, as a website owner, you should be able to pass on a consent withdrawal request to all parties that have been able to read the cookie. If you use real time bidding auctions, which in turn allow other real time bidding auctions, you have no idea who all those third parties are, and what they are doing with your cookies. This means you cannot actually comply with this legal requirement.
  6. Stop using tracking pixels in newsletters, or get clear (separate) consent for them at the time people sign up.
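Steps 2 and 3 above amount to one concrete check: compare the cookies your site actually sets, before and after the visitor answers the banner, against the cookie declaration you publish (name, purpose, retention). The script below is an added example written for this post; it is not Privacy Company's cookie tooling, OpenKAT, or the EDPS inspection software. It takes Set-Cookie header values as you would copy them from the browser's network inspector, tagged with whether they were captured before consent was given, and flags cookies that are undeclared, declared without a purpose or retention period, placed before consent although not classified as necessary, or living longer than the declaration promises. The declaration and the captured headers are constructed sample data, not taken from any real site.

```python
"""Audit the cookies a site sets against its published cookie declaration.

Added example (not the post author's tooling). Input: Set-Cookie header values
copied from the browser inspector, each tagged with whether it was captured
before the visitor answered the consent banner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SECONDS_PER_DAY = 86400


@dataclass
class ObservedCookie:
    name: str
    lifetime_seconds: int | None  # None means a session cookie
    before_consent: bool          # captured before the visitor answered the banner


def parse_set_cookie(header: str, before_consent: bool, now: datetime | None) -> ObservedCookie:
    """Parse one Set-Cookie value. Max-Age takes precedence over Expires (RFC 6265);
    `now` (timezone-aware) is only needed to turn an Expires date into a lifetime."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(value.strip())
        elif key == "expires":
            expires = parsedate_to_datetime(value.strip())
    lifetime = max_age
    if lifetime is None and expires is not None:
        lifetime = max(0, int((expires - now).total_seconds()))
    return ObservedCookie(name, lifetime, before_consent)


def audit(observed: list[ObservedCookie], declaration: dict[str, dict]) -> list[tuple[str, str, str]]:
    """Return (cookie name, issue code, detail) for every mismatch found."""
    findings: list[tuple[str, str, str]] = []
    for c in observed:
        decl = declaration.get(c.name)
        if decl is None:
            findings.append((c.name, "UNDECLARED", "cookie is set but absent from the declaration"))
            continue
        # Planet49: the declaration must state name, purpose and retention period.
        for field_name in ("purpose", "retention_days"):
            if decl.get(field_name) in (None, ""):
                findings.append((c.name, "INCOMPLETE_DECLARATION", f"missing {field_name}"))
        # Only cookies classified as necessary may be placed before consent.
        if c.before_consent and decl.get("category") != "necessary":
            findings.append((c.name, "SET_BEFORE_CONSENT",
                             f"{decl.get('category')} cookie placed before the visitor answered"))
        # A declared retention of 0 days means a session cookie; a persistent
        # cookie therefore also exceeds it.
        declared_days = decl.get("retention_days")
        if c.lifetime_seconds is not None and declared_days is not None:
            observed_days = c.lifetime_seconds / SECONDS_PER_DAY
            if observed_days > declared_days:
                findings.append((c.name, "EXCEEDS_DECLARED_RETENTION",
                                 f"observed {observed_days:.0f} days, declared {declared_days}"))
    return findings


# Constructed sample declaration and captured headers; hypothetical names, not a real site.
DECLARATION = {
    "sessionid":  {"category": "necessary",   "purpose": "keeps you logged in during a visit", "retention_days": 0},
    "lang":       {"category": "necessary",   "purpose": "",                                    "retention_days": 365},
    "_stats":     {"category": "analytical",  "purpose": "counts page views per visit",         "retention_days": 30},
    "ad_tracker": {"category": "advertising", "purpose": "cross-site advertising profile",      "retention_days": 365},
}

CAPTURED = [  # (Set-Cookie value, captured before consent?)
    ("sessionid=abc123; Path=/; HttpOnly; Secure", True),
    ("lang=nl; Max-Age=31536000; Path=/", True),
    ("ad_tracker=xyz789; Max-Age=63072000; Path=/; SameSite=None; Secure", True),
    ("_stats=1; Expires=Fri, 01 Dec 2023 00:00:00 GMT; Path=/", False),
    ("_mystery=1; Max-Age=3600; Path=/", False),
]


def run_sample(now: datetime = datetime(2023, 11, 1, tzinfo=timezone.utc)) -> list[tuple[str, str, str]]:
    """Run the audit over the constructed capture as of `now`."""
    observed = [parse_set_cookie(header, before, now) for header, before in CAPTURED]
    return audit(observed, DECLARATION)


if __name__ == "__main__":
    for name, code, detail in run_sample():
        print(f"{name:12} {code:28} {detail}")
```

On the sample data the audit reports four findings: `lang` is declared without a purpose, `ad_tracker` is placed before consent and lives for 730 days against a declared 365, and `_mystery` is not in the declaration at all. `_stats` passes because its Expires date is exactly the declared 30 days away, and `sessionid` passes because it is a necessary session cookie. Feed it a real capture by replacing `CAPTURED` with the headers from your inspector and `DECLARATION` with the table in your cookie notice.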

If you would like more help, please feel free to contact us at info@privacycompany.nl

Sjoera
Consultant