The new law
- Prior to placing or reading cookies on the user’s terminal equipment, the user should have been informed and given his consent.
- The Dutch Data Protection Act covers all cookies, which can collect, combine and analyse data.
- Only cookies that are necessarily required for certain functions are exempted from the new legal regulation.
- The new legislation does not only apply to cookies, but also to any technology that stores information on the user’s terminal equipment or that accesses already stored information.
- The statute applies not only to desktop computers, but also to tablets, mobile phones, and to all other internet-enabled devices.
- The exempted cookies are those which are stored and read in order to remember the personal settings of a user, such as the preferred language, or cookies used for the processing of online orders and the execution of transactions.
- The new legislation applies to all cookies (flash-cookies, Java-script-cookies, fingerprinting) used for targeting such as behavioral targeting, retargeting and adserving, but also for analytics-cookies used by Google Analytics for example.
- The statute makes no distinction between first party or third party cookies.
Information needs to be provided in advance
The information that has to be provided prior to placing or reading a cookie needs to be clear and comprehensive. It needs to inform the user on the purpose of the cookie and on the further processing of the data that is being collected. This means the user should at least be provided with the following data:
- The name of the company placing the cookie (such as ad network providers)
- The fact that the cookie is being stored on the terminal equipment
- The purpose of the cookie as well as the ‘lifetime’ of the cookie (activity timeframe)
- If the cookie is being used to track online behaviour for targeted advertising this should also be made clear. This includes specifying with which other party the information is being shared.
- The information has to be easily accessible and understandable to the users.
In the run-up there has been a lot of debate over how the user’s consent should be obtained. The law requires that consent has to be free, specific, and informed. Unambiguous consent is not a requirement, although some parties argue that the law has to be interpreted as such. In the preamble of the ePrivacy Directive it is made clear that the browser settings may possibly be an adequate means of giving consent. The Dutch government has confirmed that the present browsers are insufficient, mainly because they are set to accept cookies by default.
In line with the European Commission, the Dutch government is in favor of a “Do-Not-Track” standard as a means of obtaining prior consent. However, the current standard, implemented in www.youronlinechoices.eu is deemed to be insufficient.
Any provider that places cookies on the user’s terminal equipment or accesses information already stored on this equipment should comply with the new rules. However, should the occasion arise, the Dutch regulatory authorities have also stressed that there can be a shared responsibility of the involved parties (advertiser, publisher, agency), in which the publisher is imposed at least some responsibility.
The new rules officially came into effect on June 1st 2012. The Dutch government has stated that it wants to await further developments of a “Do-Not-Track” standard within the European Union. For this reason it said that the new rules with respect to the consent requirement shall not be enforced before January 1st 2013. However, the responsible regulatory authority, OPTA, is an independent authority and therefore may verify if the law has been implemented and punish non-compliance, notwithstanding the government’s promises.
The consent of the user must be a clear indication of his wishes. A pop-up screen with clear and comprehensive information and a checkbox stating “I accept” seems at present the only way to comply with the new cookie rules.
The regulatory authorities have expressed that consent is not required for each individual cookie. Once the user has agreed to the cookies of a specific ad network provider, this ad network provider does not need to obtain additional consent for cookies serving the same purpose. Top priority: users should always be given the possibility to opt-out.
This statute has a significant impact on the current process. Therefore advertisers, publishes and agencies need to work together to find a solution.
Please note that at present it is still unclear how parties should comply with the consent requirement. The responsible regulatory authority OPTA has not given any guidelines, opinions or such on this subject yet. The responsible Minister has only expressed that browser functions to opt-out are currently not sufficient. Other than that he confirms there is no consensus in the EU and that therefore he cannot give any indication on how to practically obtain adequate consent.
In close collaboration with IAB Europe QUISMA will try to rapidly find a solution to this problem. Apart from being committed to the self regulation policy you will find opt-out-icons on all advertising material delivered by QUISMA, always giving the user the possibility to decide for themselves whether cookies can be placed or not.