Who: Dutch Data Protection Authority and Netherlands Public Broadcasting
Where: The Netherlands
When: 8 July 2014
What happened:
Less than two months after the YD case, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) (CBP) has released another statement on an alleged breach of the Dutch cookie legislation. The Netherlands Public Broadcasting (NPO) is the centre point of attention this time.
In short, the Dutch cookie legislation, which is included in the Dutch Telecommunications Act (Telecommunicatiewet), requires clear and complete information on the use and purpose of cookies and prior consent should be obtained when a cookie is placed on a user’s computer or device. The consent requirement is the same requirement that is laid down in the Dutch Data Protection Act (Wet bescherming persoonsgegevens) (WBP) which is based on the Data Protection Directive 95/46/EC. In addition, the cookie legislation contains a legal presumption that tracking cookies constitute processing of personal data. This brings tracking cookies within the scope of the WBP and enables CBP to enforce the cookie legislation.
In this recent case, CBP determined that NPO placed analytical tracking cookies on the end user equipment of the visitors of the NPO websites (while the NPO websites were still loading). These so-called ‘tracking cookies’ enable NPO to analyse the surfing habits of its visitors. CBP ruled that NPO did not obtain unambiguous consent from the website users and provided inconsistent, incomplete and in some cases factually incorrect information on the use of cookies on its websites resulting in a breach of the Dutch cookie legislation.
In addition, CBP went as far as to state that information about browsing habits are sensitive data that can paint a distinct picture of an individual’s behaviour and interests. According to CBP, internet users have the right to know the scope of and purposes for which the personal data is collected. This is even stricter than the position CBP took in the YD case. The rationale behind this strict approach may be found in the fact that NPO websites are government-owned and NPO should therefore set the right example to the public.
Again, similar to the YD case, CBP has not (yet) imposed fines. CBP did announce that it will review NPO’s compliance with the cookie legislation over the coming months and then decide whether penalties or other sanctions are appropriate. In a response to the report NPO stated that it will not amend its cookie policy. In the same statement NPO lacked CBP’s old-fashioned and conservative approach to the cookies legislation. This will undoubtedly be continued.
Why this matters:
This is the second time in quick succession that CBP has published a statement on the breach of the Dutch cookie legislation. Based on these two recent cases, it seems that the enforcement of the cookie legislation is predominantly aimed at ‘tracking cookies’ and ‘naming and shaming’ appears to be the main sanction. Although penalties have yet to be imposed, this case sends another warning to all companies using (tracking) cookies that failure to comply with the Dutch cookie legislation may lead to (serious) reputational damage.