Netherlands: DPA rules websites must allow people to refuse tracking cookies

No. 3, 25 March 2019 Issue

Websites that allow visitors access only if they accept tracking cookies or comparable ways to track and record visitor behaviour do not comply with the General Data Protection Regulation (GDPR). That is the main message of the standard interpretation published by the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (DPA), on 7 March 2019.

The DPA received dozens of complaints from visitors of websites who were denied access after refusing to allow tracking cookies. The DPA announced that it will intensify its compliance checks and has sent a letter of warning to several potential offenders.

In the interpretation, the head of the DPA emphasised the importance of getting meaningful permission to track in order to protect the privacy of visitors of a website. He noted that only when permission is requested in a good manner will people be able to “consciously and correctly” make use of their right to the protection of their personal data. Otherwise, people give up personal information under pressure, and that is unlawful.

Consent must be free

Visitors of websites should be able to rely on their personal information being well protected. The GDPR prescribes the legal bases on which processing of personal information has to be based, the main one of which is user consent.

Consent is why many websites ask users for permission to use tracking technologies like cookies, tracking pixels or browser fingerprinting. Users do not need to consent to technologies which are needed for functioning of the website or which allow for a general visitor-analysis of the website. Permission is needed where the behaviour of individual visitors is analysed and tracked in a more thorough manner, or if this information is shared with third parties. This permission should be given without any form of pressure.

Cookie walls leave no free choice

In case of so-called “cookie walls” on websites (where if users do not accept to be tracked they will not be granted access), permission is not given in a free manner. Based on the GDPR, permission is not “free” or without pressure when there is no real or free choice. This includes the situation wherein a refusal to give permission has negative consequences, such as being denied access.

Compliance will be enforced

Now that the DPA has published this interpretation, websites will have to adjust their practices. Already, the websites for which the DPA have received the most complaints have received a letter with the interpretation and an announcement of intensified checks by the DPA to see whether the GDPR rules are applied in the correct manner.

There is no permission like free permission

Bits of Freedom welcomes this strict interpretation of the GDPR by the Dutch DPA. There is no permission like free permission, and a permission when access is denied in case of refusal is not free. The legal basis of consent is frequently misused, making the statement of the DPA especially timely. Bits of Freedom considers that free permission should include a truly informed form of consent. Cookie statements that are endlessly long or unnecessarily incomprehensible, and/or which steer people towards saying “yes” without genuinely knowing what they are agreeing to, are not acceptable.

Hopefully, this interpretation will spark the entrepreneurial zeal of website owners. It is time for sites to start investigating and investing in business models that do not require the unnecessary and unlawful processing of personal information.


By Lotte Houwing, Bits of Freedom