The Dutch data protection authority has recently published its fining policy for violations of GDPR and the Dutch law implementing GDPR. When it comes to cookies, the Dutch DPA’s conclusion is that it is not compliant with GDPR for website pop-ups to block users from access to the site unless they consent to the use of tracking cookies.
Websites that only give visitors access to their site if they agree to place so-called ‘tracking cookies’ or other similar ways of tracking and recording behaviour through software or other digital methods do not comply with GDPR, according to the DPA.
“The digital tracking and recording of surfing behaviour on the Internet via tracking software or other digital methods is one of the largest processing of personal data, because almost everyone is active on the Internet. To protect privacy, it is therefore important that parties request permission from website visitors in a good way, ”says Aleid Wolfsen, chairman of the Dutch DPA.
“In this way people can make conscious and correct use of their right to the protection of personal data. If a website asks for permission for tracking cookies and if it is refused access to the website or service is not possible, people give up their personal data under pressure and that is unlawful. ”
If an individual cannot decide not to give permission without facing any consequences then it is not real free choice.
Letters have been sent out to businesses who had the most complaints against them and the Dutch DPA will intensify its monitoring to see whether the standard is being applied correctly in the interest of protecting privacy.
Furthermore, a guidanceregarding cookie walls has been published by the Dutch DPA.
Pursuant to GDPR Recital 32, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”. According to the Dutch DPA, the freely given requirement would not be met by a cookie wall, as it means that the user has no choice but to consent in order to access the website. In this case consent would be an imposition instead of an alternative. The Dutch DPA suggests websites should offer meaningful options for users to access a website without consenting to tracking cookies, such as a on the basis of a payment for access model.