Not a refusal button, but post cookies? That will be a fine
:format(webp)/s3/static.nrc.nl/wp-content/uploads/2024/10/09152037/TESTCookies-FI.png "Not a refusal button, but post cookies? That will be a fine")
The approach to bad cookie people is getting harder. Dutch companies that do not offer their users a clear ‘refuse button’ run a greater chance of a fine than before. The Dutch Data Protection Authority (AP) has put extra people and a ‘bone’ on enforcement. Chairman Aleid Wolfsen: « It is now being serious. »
Cookies and cookie people who mislead users by making it very complex to refuse cookies are topics that the AP receives angry phone calls and emails from citizens every week. More than two hundred in 2024. « It is a major problem and we have the idea that the tricks and tracking methods are becoming more sophisticated, » says AP chairman Wolfen by telephone.
Those annoyances and problems have been there for a long time. Cookies were invented more than 25 years ago. Since 2011, the Netherlands has had a law that sets strict requirements for its use. And for seven years there has also been the European Privacy Act AVG with additional consumer protection.
Forest of misleading banners
In response to the laws, companies did not stop following users online, as intended, but they came up with a forest of misleading banners to get permission to place cookies and to resell data. Consumers became so tired of the pop-ups that they usually click away thoughtlessly.
Read also
This story about the 25th anniversary of the cookie and how they work
The AP and the Netherlands Authority for Consumers and Markets (ACM) – who are responsible – have hardly been able to maintain the law so far. Only in 2024 were fines imposed for the first time by the AP (for Kruidvat and Coolblue) because of the tracking of people without clearly informing them about it and having them choose them themselves.
« It should have been given attention sooner, » says Wolfsen. According to him, that this did not happen is due to a shortage of resources and people. « Now we really scale up. » The AP has the Minister of Economic Affairs On March 26, in consultation with the ACM, the supervision only proposed to invest at the Dutch Data Protection Authority.
The budget of the AP was increased from 2025 from 45.2 million to 49 million a year. In September 2023, the privacy supervisor also received half a million extra per year for three years, especially for the fight against follow -up software and misleading cookie people. That amount was used, among other things, to improve information to companies on how to do it.
‘Follow as a matter of course’
One of the greases of the AP is that a cookie banner is not necessary if a company does not profile its visitors and continues to follow. Merely statistics are also allowed without a banner. However, over the years it seems to have become a sort of self -evidentness to construct follow systems with every website.
« It also happens naive and thoughtful, » says Wolfsen: « And that really has to stop. If you walk out a store, you don’t think it’s normal to be asked at the exit which products you have all considered and at Propos, who is your partner? Companies have to wonder if they want to earn their money online in such a way. »
In the meantime, with the extra money, the AP has also built a bone that systematically checks the banners of ten thousand -based companies. They automated the bone automated the settings of the cookie kanners. It must be just as easy to refuse cookies as to allow them. The check marks for permission may not be checked in advance. The bone also checks what cookies are placed and whether that happens before permission has been given.
Tracking cookies continue to follow
The biggest culprits are the so -called Tracking cookies. They are used to follow website visitors while surfing, so not only on the website where they are at the time, but also afterwards. Those cookies are used to prepare profiles and, for example, to show personalized advertisements or offers.
That may seem harmless, says Wolfsen, but that is not. « That kind of profiles can also be used for political targeting during campaigns. They can be purchased by foreign intelligence services. Or companies are selectively dealing with offers. For example, they do not give them to people with certain profiles or from certain postcode areas. It can lead to exclusion. »
Companies with misleading cookie people first receive a letter with a warning. The first fifty will leave the house this week. Next month the next fifty. The companies and organizations receive three months to bring their cookie policy within the law. If they do not, a formal investigation starts, aimed at imposing a fine. This can amount to a maximum of 4 percent of the annual turnover of a company.
/s3/static.nrc.nl/images/gn4/data132972508-0686a6.jpg "Christmas Circus not liable for Val Acrobat from ‘Rad of Death’")
:format(webp)/s3/static.nrc.nl/wp-content/uploads/2025/05/22214607/web-2205BUIbill_vandaag2.jpg "Elon Musk’s political adventure is over")
