Who: Dutch Data Protection Authority and Netherlands Public Broadcasting
Where: The Netherlands
When: 8 July 2014
Less than two months after the YD case, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) (CBP) has released another statement on an alleged breach of the Dutch cookie legislation. The Netherlands Public Broadcasting (NPO) is the centre point of attention this time.
In short, the Dutch cookie legislation, which is included in the Dutch Telecommunications Act (Telecommunicatiewet), requires clear and complete information on the use and purpose of cookies and prior consent should be obtained when a cookie is placed on a user’s computer or device. The consent requirement is the same requirement that is laid down in the Dutch Data Protection Act (Wet bescherming persoonsgegevens) (WBP) which is based on the Data Protection Directive 95/46/EC. In addition, the cookie legislation contains a legal presumption that tracking cookies constitute processing of personal data. This brings tracking cookies within the scope of the WBP and enables CBP to enforce the cookie legislation.
In addition, CBP went as far as to state that information about browsing habits are sensitive data that can paint a distinct picture of an individual’s behaviour and interests. According to CBP, internet users have the right to know the scope of and purposes for which the personal data is collected. This is even stricter than the position CBP took in the YD case. The rationale behind this strict approach may be found in the fact that NPO websites are government-owned and NPO should therefore set the right example to the public.
Why this matters:
This is the second time in quick succession that CBP has published a statement on the breach of the Dutch cookie legislation. Based on these two recent cases, it seems that the enforcement of the cookie legislation is predominantly aimed at ‘tracking cookies’ and ‘naming and shaming’ appears to be the main sanction. Although penalties have yet to be imposed, this case sends another warning to all companies using (tracking) cookies that failure to comply with the Dutch cookie legislation may lead to (serious) reputational damage.