Dutch Data Protection Authority targets misleading cookie banners

Under the regulator’s plans, 500 organisations each year – a total of 10,000 organisations – will be told to either amend their misleading cookie banner or stop intrusive tracking of their users. Failure to comply with these instructions within three months may result in formal investigation and carries risk of substantial fines. Last week, the AP announced that it had sent warning to the first 50 affected organisations in the Netherlands.

Increased enforcement of compliance with the data protection laws will enable users to make more informed decisions about their privacy, according to data protection law experts.
Cookies are small data files that websites store on a user’s device to track user actions and preferences, enhance website functionality and improve user experience. Functional cookies allow websites to remember the choices a user makes on the website such as language preference, while analytical cookies allow websites to understand users’ interactions with the website and tracking cookies mainly allow websites to collect information about users’ browsing habits. As tracking cookies, and in some cases analytical cookies, involve processing of personal data, the General Data Protection Regulation (GDPR) applies, and websites need to obtain prior consent from their users. In such cases, implementing a cookie banner is mandatory. 
Data law expert Andre Walter of Pinsent Masons said: “Cookie banners should be clear and transparent, enabling users to make informed decisions about their privacy. Organisations must avoid misleading practices and ensure that users can refuse cookies as easily as they can accept them. Compliance with GDPR is essential, and the AP actively monitors adherence.”

According to the AP, cookie banners should be designed in a specific way and obtain user consent in a lawful and transparent manner. This is crucial because tracking cookies allow websites to examine users’ internet behaviour and provide websites with a deep knowledge of their actions and preferences. Users should be able to refuse these cookies. Walter said that cookie banners that incorporate ambiguous design features are therefore at risk of attracting regulatory scrutiny.

The aim to structurally monitor cookie banners follows from the AP’s investigation into five organisations back in 2024, where it found that these organisations did not correctly obtain consent for tracking cookies. This issue has been a hot topic for years: in March, the Dutch consumer association discovered that 38% of 100 websites it examined showed incorrect cookie banners while, in 2023, the European Data Protection Board (EDPB) published a report on cookie banners focusing on ‘dark patterns’ such as pre-ticked boxes, deceptive colours and contrasts, inaccurately classified cookies and the absence of withdraw icons.

To enhance compliance, in April, the AP published nine rules on clear cookie banners in April. These include information obligations, such as the purpose of cookies and clear and understandable text; prohibited designs, including pre-ticked consent boxes, additional clicks to refuse cookies and hiding certain options; and rules on obtaining proper consent. Website operators must obtain consent before placing cookies and provide users with an active action to provide that consent, which should be given in a free, specific, informed and unambiguous manner.
Technology and platform law expert Michelle Seel of Pinsent Masons said that although the AP is largely focused on compliance by the bigger platforms, by notifying 500 organisations annually, its scrutiny is not limited to only these large organisations.

“It’s the AP’s goal to ensure that all entities – whether small or large – adhere to the relevant data protection laws,” she said. “Consulting legal experts can help ensure compliance and minimise the risk of these banners being classified as so called ‘dark patterns’.