Who: Dutch Data Protection Authority and YD Display Advertising Benelux
Where: The Netherlands
When: 13 May 2014
What happened:
On 13 May 2014 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) (CBP) published the results of an extensive three year investigation into the alleged breach of Dutch cookie legislation by YD Display Advertising Benelux (YD).
YD placed so-called ‘tracking cookies’ on the end terminal equipment of internet users. Tracking cookies follow users’ internet activities and collect information on products and information that users have viewed on various websites. The tracking cookies enable YD to provide tailored information on a ‘per-user-basis’ to its advertisers.
By way of background, Dutch cookie legislation is contained in the Dutch Telecommunications Act (Telecommunicatiewet), but cookies can also be subject to the Dutch Data Protection Act (Wet bescherming persoonsgegevens) in the event personal data is being processed. This means that both the Authority for Consumers and Markets (ACM) and the CBP are potentially responsible for enforcement.
The Dutch cookie rules require that clear and complete information on the use and purpose of cookies is provided and prior consent is obtained when a cookie is placed on a users’ computer or device.
Only a limited number of (functional) cookies are exempted from this requirement.
Presumption that tracking cookies process “personal data”
In relation to tracking cookies an even stricter regime applies (since January 2013): the cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. This brings tracking cookies within the scope of the Dutch Data Protection Act (which contains similar obligations as the Data Protection Directive in relation to obtaining consent), unless the user of such tracking cookie can demonstrate that no personal data is being processed (which will often be very difficult!).
YD failed to obtain appropriate prior consent from users when placing (tracking) cookies (YD used an opt-out method) and also neglected to inform users on the purposes for which the cookies were used. In addition, YD was unable to prove that no personal data was being processed by its tracking cookies. As a result CBP holds the view that YD breached the Dutch cookie legislation.
Why this matters:
This is the first time, since the implementation of the cookie legislation in June 2012, that the Dutch cookie legislation has been enforced. Although both ACM and CBP have persistently referred to prior informed consent, most companies using cookies assumed that ‘implied consent’ would suffice for the use of cookies – as is the case in many other jurisdictions. The YD case provides clear confirmation that ‘implied consent’ does not suffice under the Dutch cookie legislation and while the CBP has not imposed a fine on YD yet, the report sends a clear message to all companies using (tracking) cookies that enforcement of the cookie legislation is now a top priority in the Netherlands.
The full report of the CBP is available in Dutch here.