Archive for the ‘Cookie rule’ Category

History in the making: the first ‘cookie rule’ fines in Europe

Posted on January 30th, 2014 by



On 14 January, the Spanish Data Protection Regulator (the “Spanish DPA“) issued its first fines for infringement of Spain’s implementation of the EU’s “cookie consent” requirement. The decision (in Spanish) may be found here.

The decision

Two companies were investigated and fined. The decision concludes that the two companies had failed to comply with the obligation to provide clear and comprehensive information about the cookies they used.

The total amount of the fines, 3,500 EUR, is very modest, especially if one considers the great enforcement powers of the Spanish DPA who could have potentially issued a fine up to 30,000 EUR per infringement in this case.

Does this mean that European regulators are going to be ‘soft-touch’ when it comes to the cookie rule enforcement? Let’s not rush into conclusions and consider some key facts and take-away points from this case.

Why were these companies targeted?

Like most privacy enforcement actions, the investigation in this case was triggered by the complaint of an individual to the Spanish DPA in September 2012. The services provided by the websites investigated and the cookies used are not uncommon or particularly intrusive to individuals’ privacy. The companies belong to the jewellery sector and most of the websites were purely promotional, with only one of them (out of 8) selling products on-line.

Long-winded process

The actual enforcement procedure did not start until 15 July 2013 (nine months after the complaint) and it took another six months to issue the fines. In my view, the timings of this case tell us two things.

Firstly, it took the industry and data protection regulators a while to figure out how the cookie rule should be complied with in practice. In fact, the time of the investigation coincides with the publication by the Spanish DPA, together with representatives of the advertising industry, of a guidance document on the use of cookies in April 2013.

Secondly, the Spanish DPA took its time to thoroughly investigate the websites and cookies used and to review the documents provided by the companies.  This is as you would expect, given that it was the first time it carried out a formal investigation in this respect.

Setting the bar high  

Reading the decision one gets the impression that the companies fined tried hard to cooperate and get things right. At the time the investigation started, most of the websites did not include any information about the use of cookies. By the time the investigation finished the companies had made a number attempts to satisfy the relevant transparency and consent requirements. These were not considered sufficient to meet the standard of compliance that the Spanish DPA seeks.  

Importantly, the decision confirms what was said in the guidance document, namely that information may be provided by implementing a layered approach and that an action-based consent mechanism would work in Spain. The decision also lays out the minimum information that the first and second layer must include and, in doing so, it provides useful insight to what exactly in practice will be compliant or not. The main point to take away is that the level of detail required in cookie notices is high.

What about consent?

The Spanish DPA briefly examined whether consent was lawfully obtained or not. The conclusion it reached was that consent was not validly obtained because the information provided was not sufficient.

However, the actual consent mechanisms used were not analysed in detail, and so the Spanish DPA did not discuss the legitimacy of implied versus express consent mechanisms. This is because, for technical legal reasons specific to Spain (but not other EU Member States), the Spanish DPA cannot currently impose fines for failing to comply with the consent requirement – only the information provision requirement.

This issue is expected to be addressed by a draft law that is on its way. The new law will introduce a two tier approach that allows the Spanish DPA to fine for failure to implement a valid consent mechanism.  Minor infringements (up to 30,000 EUR) and serious infringements (max 150,000 EUR) will apply depending on the facts of each case.

Messages to take away

  • Even though cookies are part of our every day life, European regulators perceive the use of cookies as intrusive – this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.
  • Unconfirmed reports state that another 19 cases are under investigation in Spain. Having taken the lead, it is entirely possible that other European regulators will now follow suit. Their enforcement actions will be determined by their local enforcement strategy and the powers they are granted under local laws.
  • The low level of this fine should not be interpreted as necessarily meaning that regulators will take a soft approach to cookie enforcement. In this particular case, attenuating circumstances and the technical legal issues impacted the calculation of the fine.
  • Final and most important point is that the grace period has long been over. If you have not already done so, it is important to get your house in order now. 

Getting cookie consent throughout the EU – latest Working Party guidance

Posted on October 19th, 2013 by



Thinking back to the early days when Europe’s controversial “cookie consent” law first passed, many in the privacy community complained about lack of guidance on obtaining consent.  The law required them to get consent, but didn’t say how.

In response to this, legislators and regulators – at both an EU and a national level – responded that consent solutions should be market-led.  The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.

As it transpired, this is precisely what happened.  In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors’ consent to cookies.  However, this is not where the story ends.

In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent (“Working Document 02/2013 providing guidance on obtaining consent for cookies” – available here).   This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).

The rationale behind the latest opinion, on the face of it, is to address the question: “what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?”  But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread – let alone pan-European – adoption.

It doesn’t start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: “it could include a handwritten signature affixed at the bottom of a paper form“.

It then goes on to say that “consent has to be given before the processing starts … As a result a website should deliver a consent solution in which no cookies are set to user’s device … before that user has signalled their wishes regarding such cookies.”  In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.

When we’re talking about a fundamental human right, like privacy, the attraction of prior consent is obvious.  Unfortunately, it’s practically and technically very challenging.  However easy it sounds in theory (and it does sound easy, doesn’t it?), the realities are much more problematic.  For example, do you really require website operators to build two versions of their websites: one with cookies, and one without?  What happens to ‘free’ content on the web whose cost is subsidised by targeted advertising currently – who wants to return to a subscription-funded Internet?  If you’re a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?

More importantly, prior consent is not what the e-Privacy Directive requires.  The word ‘prior’ never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement).  In fact, the word ‘prior’ was originally proposed, but was later dropped during the course of legislative passage.  Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for ‘prior’ consent.  Article 13 on unsolicited communications also uses the word ‘prior’ next to its requirement for consent.

What conclusions should we draw from this?  That’s a debate that lawyers, like me, have been having for a long time.  But, frankly, it’s all pretty academic.  Let’s deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we would become fatigued and simply click away the notices just to get rid of them?  What would that say about the validity of any ‘prior’ consents we provide?

Industry evolved implied consent as a solution that struck a balance between protecting individuals’ rights, addressing legal compliance and enabling online business.  Over time, it has done wonders to improve online tracking transparency and choice – implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.

Critically, when done right, implied consent models fully satisfy the legal requirement that users’ consent must be “freely given, specific and informed”.  So here’s my suggestion: if you are looking to implement a cookie consent solution across Europe, don’t automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.

Consider, instead, implied consent – but, if you do, embrace it properly:  a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won’t suffice.  Your implied consent model needs to provide prominent, meaningful notice and choice to visitors.  And to see how to do that, see our earlier post here.

Privacy pointers for appreneurs

Posted on May 31st, 2013 by



While parts of the global economy are continuing to suffer serious economic shocks, an individual with a computer, internet access and the necessary know-how can join the increasing ranks of the appreneurs – people developing and hoping to make money from apps. Buoyed by the stories of wunderkids such as 17 year old Nick D’Aloisio who sold his Summly app to Yahoo for around £18m earlier this year, many are seeking to become appillionaires! And undoubtedly a rosy future will beckon for those fortunate enough to hit on the right app at the right time.

As the popularity of mobile and tablet devices rises, the proliferation of apps will continue. But some apps will sink without a trace and some will become global hits. Amidst all the excitement, those developing apps would do well to consider certain essential privacy pointers in order to anticipate any potential obstacles to widespread adoption and in order to avoid any unwelcome regulator attention down the road. These include:

1. Think Privacy from the beginning – design your app so that it shows an understanding of privacy issues from the start i.e. include settings that give an individual control over what data you collect about them, usually through providing an opt-out;

2. Tell individuals what you’re doing – include a notice setting out how you use their data, make sure that the notice is accessible and in a language that people can understand, and adopt a ‘surprise minimisation’ approach so that you can reasonably argue that individuals would not be surprised by the data you collect on them in a given context;

3. Decide whether you’re sharing the data you collect with anyone else – if so, make sure that there’s a good reason to share the data, tell individuals about the data sharing and check to see whether there are any rules that require you to obtain individuals’ consent before sharing their data i.e. for marketing purposes;

4. Check to see whether you’re collecting special types of data – be aware that certain types of data (such as location data or health data) are considered more intrusive and you may need to obtain an individual’s consent before collecting this data;

5. Implement an implied consent solution when using cookies or other tracking technologies in the EU - the debate is pretty much over on how to comply with the EU cookie rule since implied consent is increasingly being adopted by regulators (see Phil Lee’s recent blog)

While an initiative scrutinising App privacy policies and practices (similar to the ‘Internet Sweep Day’ we have seen initiated recently by the Global Privacy Enforcement Network) is probably some time off, appreneurs that can get privacy ‘right’ from the start will have a competitive advantage over those that do not.

Implied consent getting ever closer in the Netherlands

Posted on May 25th, 2013 by



On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘the cookie law’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the consent requirement.

Why these changes are needed

In February this year the Dutch government concluded that the cookie law had overshot its intended objective. The current cookie law require website owners to obtain visitors’ opt-in consent to virtually all types of cookies, except those which are strictly necessary. This led to widespread adoption of opt-in consent barriers and pop-up screens which, the Government accepts, is undesirable from both a consumer and business standpoint.

The Government believes the problem with the current law is that it applies equally to all cookies, even those with little privacy impact. Because of this, it proposes that the scope of the consent exemptions should expand to include more types of cookies.

New exemptions: analytics cookies, affiliate cookies and a/b-testing cookies

Currently, a website operator does not have to obtain consent if cookies are strictly necessary to provide a visitor-requested service. Once the bill enters into effect, a further category of cookies will be exempted from the consent requirement – those which are “absolutely necessary […] to obtain information about the quality and effectiveness of an information society service provided  – provided that this has no or little consequences for the privacy of the user.

First-party and third-party analytics cookies, affiliate referral cookies and a/b testing cookies all seem likely to fall within the scope of this new exemption.  However, to ensure that these cookies qualify as having “no or little consequences for the privacy of the user”:

  • the data collected by these cookies must not be used to make a profile of the visitor (e.g. for targeting purposes); and
  • if the website operator shares cookie data with a third party (e.g. an analytics service provider), it must conclude an agreement with the third party that either requires the third party not to use the data for its own purposes or, alternatively, only for defined purposes that have no or little effect on visitors’ privacy.

Implied Consent

For other types of cookies (in particular, targeted advertising cookies), the consent requirements of the cookie law apply in full.  However, the explanatory memorandum to the bill discusses the interpretation of ‘consent’ in great detail and advocates the legal validity of implied consent solutions.

In particular, it advocates that implied consent may be legally derived from the behavior of the visitor of a website – for example, in the case where a visitor is presented with a clear notice about the website’s use of cookies and given options to control those cookies but continues to browse the website.  This is at odds with previous regulatory opinions of the ACM (formerly the OPTA, the relevant regulator for these purposes) which said that implied consent would not constitute valid consent.

Although Dutch recognition of implied consent has been anticipated for a while (see here), this is a critical development for online businesses in the Netherlands.  Once the bill enters into force, website operators will be able to replace their current explicit consent barriers and pop-ups with more user-friendly implied consent banners indicating that continued use of the website without changing cookie settings will constitute consent.

All in all, the bill is a major step towards a more pragmatic implementation of the cookie law. With these changes, Dutch law will better balance the privacy interests of website visitors with online businesses’ legitimate data collection activities.

When will the bill enter into force?

The bill is open for public consultation until 1 July 2013, and the Minister must also consult the Council of State and the Dutch Data Protection Authority. On the basis of the consultation responses, the minister may then decide to amend the bill or submit it to Parliament as currently drafted. Parliamentary discussion can be completed within a few months, but may potentially take up to a year. However, given the current momentum behind adopting a more pragmatic cookie regime in the Netherlands, it is anticipated that the overall process will be toward the shorter end of this timescale.

With thanks to our friends Nicole Wolters Ruckert and Maarten Goudsmit, Privacy Attorneys at Kennedy Van der Laan, for this update. 

 

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by



Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment.  As this issue continue to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and also from a market-adoption perspective.

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by



The times when one could say that the UK ICO was a fluffy, teethless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings and 2013 looks set to bring similar activities (in March for example the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls – a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls.

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tell us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular) and refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifes ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and have explicitly identified (and published) the names of a number of companies where they have either met to discuss compliance issues; or indeed are in the process of activeley monitoring ‘concerns’ about compliance with a view to considering enforcement action. This is not only related to UK-based companies, but also those based overseas who are targeting UK-based consumers. The ICO tell us that they are actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (many less than the amount of concerns about unwanted marketing communications from individuals, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites they receive complaints about or are ‘visited most by consumers’. However the ICO also say that they have ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

Poland and cookies – what’s the story?

Posted on April 22nd, 2013 by



Last month Poland joined the club of EU Member States to implement Europe’s consent requirement for cookies set on users’  devices.  Rumoured to be one of the Member States contemplating strict opt-in, all eyes were watching to see how exactly it would implement the cookie consent rule.

Cookie rules

Poland’s cookie consent law entered into force only on 25 March 2013 and seemingly introduced an opt-in requirement before setting cookies - with potential fines of up to 3% of revenue for website operators in breach.

Specifically, the new law imposes an obligation to inform users in advance, in a clear, unambiguous and easily understandable manner about:

1)      The fact that cookies are being placed on their devices;

2)      The purposes for which cookies are used;

3)      The user’s right to access information about them; and

4)      The ability to accept or refuse the cookie.

Like most Member States, consent is not needed for strictly necessary cookies.

So does Poland really require opt-in?

During the legislative work on the amendment various approaches to valid consent form were proposed: implied, written and even signified through  a  simple “I accept” button. In the end, Article 173 (2) of the amended Telecommunication Law says that:

The subscriber or end user can express consent (…) by means of settings of a software installed on the telecommunication device they are using or through settings of the service

The two main regulator’s websites in Poland have both adopted an implied cookie consent banner approach and even the Polish Ministry of Administration and Digitization (Ministerstwo Administracji i Cyfracji)  has indicated it supports consent obtained through browser settings.  It is unclear whether this would extend to default browser settings.

What does this mean?

For businesses still building out their cookie consent strategy for the EU, this is good news: Poland was one of a couple of  ‘outlier’ states threatening to adopt strict opt-in consent for cookies.  Had it adopted strict opt-in as the standard for consent, businesses operating on a pan-EU basis would have had to implement a different consent solution for Poland than for other, more relaxed EU territories where they could instead rely on implied consent.

In the end, this hasn’t happened and the other key outlier territory, the Netherlands, also looks set to acknowledge the validity of implied consent in the very near future.  When the cookie consent rule first came into effect in Europe back in 2011, nobody knew what a robust but pragmatic cookie consent solution would look like; now, two years on, both business and regulators alike are increasingly settling on implied consent as the answer.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by



Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies“, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

Dutch to accept implied consent for cookies?

Posted on February 26th, 2013 by



Recent developments in the Netherlands indicate that the Dutch may soon exempt first party analytics cookies from EU cookie consent requirements and allow website operators to imply their visitors’ consent for other types of cookies.

Background to Dutch rules on cookies

By way of a re-cap, European cookie consent rules (article 5(3) e-Privacy Directive) were implemented in article 11.7a of the Dutch Telecommunication Act in June of last year. These rules, overseen by the Telecommunication Authority, became effective on 5th June 2012 and require anyone who uses cookies to:

(a) obtain consent from the user on whose terminal equipment the cookies are stored, and

(b) clearly and comprehensively inform the user about the purposes of the cookie usage.

However, the Dutch cookie regulation went one step further and created a legal (refutable) presumption that the use of tracking cookies (over multiple websites) for commercial purposes constitutes processing of “personal data” under the Dutch Data Protection Act and this presumption became effective on 1st January 2013.

During the parliamentary debate, the Telecommunication Authority was urged not to enforce all rules before the 1st of January 2013 and the Telecommunication Authority accepted this grace period. As a result, most Dutch businesses have therefore only just started to make their websites compliant with the new consent rules. Since the start of the new year, Dutch residents have therefore started to see cookie pop-ups on almost every site they visit.

Recent developments

The government has concluded that there is widespread unhappiness amongst users with this practice.  The Minister for Economic Affairs (Mr. Kamp) has therefore encouraged Parliament to “soften” the effects of the cookie regulation and proposed two measures:

First-party analytics cookies

Firstly, the Minister has indicated that the Telecommunication Act will be amended. As a result of the amendment, the use of first-party analytics cookies will be allowed without consent. The duty to inform users about their use will still apply.

The Minister had previously announced in December, and reiterated in early February, that he was working with the Telecommunication and Data Protection Authority on crafting a more lenient regulatory regime for first-party analytics cookies. Initially, it therefore seemed this cooperation between the Telecommunication Authority, the Data Protection Authority and the government would result in regulatory guidelines concerning analytics cookies. Now it seems that the government will introduce legislation instead.

This proposal is expected to be submitted to Parliament mid-March.

Implied consent

Secondly, the Minister said the government is considering new regulations that would make it possible to obtain users’ “implied” consent. The Minister indicated that if a user is informed of the fact that a website uses cookies and how he can refuse those cookies, his consent can be implied if he continues to browse the website without changing his cookie settings.

If this approach is implemented, website owners would then no longer need to actively seek explicit consent for the use of cookies in the Netherlands. The approach would be in line with the position adopted by the UK Information Commissioner (ICO), who already acknowledges implied consent as a viable solution. However, implied consent was not an option previously accepted by the Telecommunication Authority: in each of the FAQs issued it stated that a user must actively supply its consent with the use of cookies. The government’s proposal is therefore a major departure from the current state of affairs.

As for the applicable timeline, this will depend on the legislative instrument used to implement this change but could potentially be a matter of weeks.

What this means now

In the meantime, these announcements by the Minister do not change the law (yet) and the Dutch Telecommunication Authority is still authorized to enforce the current cookie rules. The Minister is competent to instruct the Telecommunication Authority to suspend enforcement of the provisions but there is currently no information on whether the Minister has ordered (or will order) this.   However, taking these latest developments into account, it seems likely that the strict opt-in consent standards currently in force in the Netherlands will transition to implied consent over the coming months, bringing the Netherlands into line with much of the rest of Europe. 

With thanks to our friends Nicole Wolters Ruckert and Hester de Vries from Kennedy Van der Laan for this update.

Europe continues to embrace cookie consent

Posted on February 5th, 2013 by



We’ve just published an updated table of European cookie consent requirements (available here), which makes clear that Member State adoption of local cookie consent laws continues to spread.

Our latest update reveals that:

*  24 out of 30 EEA Member States have now adopted national cookie consent rules.

*  Since our last update, Poland, Portugal and Slovenia have adopted new local laws governing cookie consent.

*  There are ongoing regulatory developments with regard to cookie consent guidance and enforcement in Denmark, Italy, Ireland and the UK.

With cookie consent rules have now been adopted across nearly all European territories, online businesses operating without a notice and consent strategy face real exposure that they need to address and resolve promptly.  And given the recent news of the first ever group privacy claim in the UK relating to cookies, non-compliance risk is rising from “simmering” to “boiling”!