On 11th of March 2015, the long anticipated new cookie rules came into force in the Netherlands. The new rules are an amendment of the existing cookie legislation and provide – inter alia – for a more lenient regime for the use of analytic cookies with a low privacy risk. Immediately following the introduction, the primary Dutch regulator (ACM) announced that it will pro-actively enforce the new cookie rules. Companies are advised to assess to what extent these (broad) rules apply to their websites, apps and devices and how they can benefit from the amendments.
The new rules in a nutshell:
- Despite the name, the cookie rules apply to various techniques (‘any information written or accessed from an end user’s device’, such as regular html cookies, fingerprinting and pixel tags) and to various digital environments, including websites, apps, smart TV’s and other devices.
- Any party placing or accessing the cookies must duly inform the user and ask for his consent before cookies are placed or read out. ‘Consent’ must constitute an (active) act, thereby excluding opt-out and implied consent constructions.
- Cookies that are required for transmission and the working of the website itself, and cookies that are technically necessary to provide specific services over that website (like a web shop), are exempted from the information- and consent requirement.
- New: the above mentioned exemption also applies to cookies that are used to obtain information about the quality and efficiency of the website, under the condition that they do not, or have a limited, impact on the privacy of the users.
- New: the user access to a website provided by, or on behalf of, a legal entity established under public law is not dependent on the grant of authorization referred to in the first paragraph (i.e. a prohibition on so-called “cookie walls”).