https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Privacy/pexels-cottonbro-studio-5474294.jpg

Dutch Data Protection Authority continues its hunt for bad cookie banners

17 Apr '25

Author(s): Lisanne Bruggeman

Cookies remain a key focus area for the Dutch Data Protection Authority ("Dutch DPA"), which oversees privacy regulations in the Netherlands. Early last year, the Dutch DPA already announced that it would start checking more frequently whether websites comply with cookie rules. At the same time, the Dutch DPA published examples of what, according to the regulator, are good and bad cookie banners.

Fines for Kruidvat and Coolblue

The next question, then, is whether enforcement will follow. We can now answer that question with a resounding “yes”. Last summer, it was announced that Dutch drugstore Kruidvat was fined 600,000 euros because the cookie banner on Kruidvat.nl did not comply with the rules. According to the Dutch DPA, Kruidvat placed tracking cookies without website visitors' consent. Last year, Dutch electronics store Coolblue also received a fine of 40,000 euros because it, according to the Dutch DPA, did not properly regulate consent and used pre-ticked boxes.

Dutch DPA continues enforcement

A few months ago, the regulator launched a public campaign to make people aware of cookies and their impact. Late last month, the Dutch DPA submitted a proposal to the minister to take on the entire supervision of cookies. And last week, the Dutch DPA announced that cookie banners will be monitored systematically in the coming years. It says the Dutch DPA will do this by constantly and automatically scanning the cookie banners of 10,000 websites. This week, it became clear that 50 organisations will receive a letter from the Dutch DPA telling them to adjust their cookie banner or stop tracking website visitors. If these are not complied with within 3 months, the Dutch DPA would launch an investigation and the likelihood of a fine would be high. In total, the privacy regulator plans to warn 500 organisations each year.

What often goes wrong?

In practice, we encounter non-compliant cookie banners more often than compliant ones. The following things often go wrong:

  • No consent is sought for the placement of tracking cookies.
  • Pre-ticked boxes are used to seek consent.
  • No clear and understandable information is given about the cookies being set.
  • No full information is given about the cookies that are set, what these cookies do, the purpose of these cookies and the retention period.
  • It is not as easy to reject cookies as it is to accept them. The "Accept" and "Reject" buttons are not placed next to each other.
  • Cookie walls are used and you can only proceed if you first accept tracking cookies.
  • Cookie banners and information are based on US regulations, such as the CCPA, rather than the European GDPR.

Received a letter from the Dutch DPA?

Our privacy team often advises on cookies and has experience with warnings from the Dutch DPA. Please feel free to contact us at privacy@ploum.nl if your organisation has received a letter from the Dutch DPA. We are available to you.

Contact

Attorney at law

Lisanne Bruggeman

Expertises:  Privacy law, IT-Law, Intellectual property rights, Contract law, Litigation,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)