Section 11.7a Dutch Telecommunications Act (“DTA”), which entered into effect on 5 June 2012, is the new provision governing the use of cookies in the Netherlands. It requires that users are given clear and comprehensive information in accordance with the Data Protection Act about the purposes for which information is to be accessed or stored on their terminal equipment, and that users provide consent to the access to or storage of that information.
These rules do not apply to all cookies. Pursuant to Section 11.7a (3) DTA, there are two exceptions:
- Where the information is required in order to transmit a communication at the request of the user; and
- The storage of data or access to information is strictly required for a service requested by users: in online shopping, for example. The rules apply to both first and third party cookies.
Further, a cookie used for website analytics does not fall under the exception of Section 11.7a (3) DTA and thus always requires consent.
The rules refer to cookies and similar techniques. Therefore, it covers more than the placement of cookies; it covers all technology that stores or accesses information about a user. The DTA will not apply only if there is no storage of information or access to information.
Consent cannot be obtained by referring to general terms and conditions or privacy statements. The information notice must make clear to users the purpose and duration of information storage by the cookies. To comply with Section 11.7 obligations, consent must be adequate and the information must be easy to find and easy to understand. What is appropriate will depend on the target audience for the website.
There are further rules to cookie consent. For instance, implied consent is not considered as valid consent. Access to a website may be denied, if a user withholds consent and the website cannot function properly in this case.