The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter: AP) has recently sent letters to dozens of organizations warning them that their cookie banners are misleading and do not comply with current legislation. The AP is giving these organizations three months to adjust their cookie banners. If, after these three months, the cookie banner is still not compliant, the AP may initiate an investigation, and the organization risks a fine.
In the coming years, the AP will continue to monitor cookie banners and send warning letters. With this approach, the AP hopes that organizations will adjust their cookie banners and be more transparent towards visitors about the placement and reading of cookies. In this blog, we discuss the requirements that apply to cookie banners and provide several examples of what is not allowed in a cookie banner.
When Is a Cookie Banner Required?
A cookie banner is required if the website places cookies that are not strictly necessary for the functioning of the website. For example, if the only cookies placed are those that remember what is in a visitor’s shopping cart, a cookie banner is not required.
The cookie banner must clearly state which cookies are placed, for what purpose the cookies are used, what information they collect, and with which parties the data is shared. It is mandatory to properly and fully inform visitors in the cookie banner about the use of cookies. Furthermore, non-essential cookies may only be placed if the visitor has given consent. This consent must meet several requirements. For instance, it must be possible to refuse consent, and accepting cookies may not be a condition for using the website. In addition, it must be possible for the website visitor to refuse consent immediately and without undue effort.
On its website, the AP has published several rules of thumb with examples of what a cookie banner may look like and what is not allowed in a cookie banner.
Most Common Mistakes in Cookie Banners
Often, cookies are placed immediately when a visitor lands on a website, regardless of whether consent has been obtained. Even when consent is requested, this is often done incorrectly. For example, it is required that visitors have the option to reject the cookies. The reject button can’t be hidden and shouldn’t be less prominent than the button to accept cookies. Additionally, consent to the cookies can’t be pre-selected: the visitor must actively indicate their choice themselves. Finally, it must be possible to easily withdraw consent at any time.
Would You Like to Know More About the Rules for Placing and Reading Cookies?
Please see our cookie factsheet.