
Coolblue was fined €40,000 for violating GDPR by unlawfully processing personal data via cookies

Coolblue was fined €40,000 by the Dutch DPA for unlawfully processing personal data via cookies after failing to obtain explicit consent from its website visitors.

 

The Dutch Data Protection Authority (AP) recently imposed a €40,000 fine on Coolblue for unlawfully processing personal data via cookies in 2020. The violation stemmed from Coolblue’s failure to obtain explicit consent from its website visitors before collecting their data. Instead, the company assumed visitors automatically agreed to data collection and used pre-checked boxes to indicate consent, which directly violated the General Data Protection Regulation (GDPR). Under the GDPR, businesses are required to ensure users actively provide consent for cookies that process personal data by taking clear actions, such as clicking a button or checkbox. Simply assuming consent or using pre-selected boxes is not compliant.

 

Coolblue was fined for cookie policy violations after a 2019 investigation which uncovered the company’s non-compliance, despite eventual policy updates in June 2020.

The issue with Coolblue’s cookie practices came to light during a broader investigation by the AP in 2019, which assessed whether websites were following cookie regulations. In November 2019, the AP issued a warning to Coolblue, flagging its non-compliance. However, in April and May 2020, the AP found that Coolblue’s practices had not been updated, prompting a formal investigation. While Coolblue eventually adjusted its cookie policies by June 2020, the violations earlier that year still led to the fine.

 

The Dutch Data Protection Authority’s guidelines for GDPR cookie compliance include clear banners, no pre-checked boxes, obtaining consent before processing, and making declining as easy as accepting, with a €40,000 fine against Coolblue highlighting the importance of adherence.

The AP has outlined key guidelines to ensure compliance with GDPR. These include presenting clear and user-friendly cookie banners, avoiding the use of pre-checked consent boxes, ensuring no personal data is processed before obtaining consent, and making it just as easy to decline cookies as it is to accept them. As part of its “cookie campaign,” the AP also encourages businesses to revisit their cookie policies and raises awareness about the privacy implications of cookies for individuals.

 

The Dutch Data Protection Authority (AP) conducted a public campaign in December to raise awareness of privacy risks from cookies, emphasizing privacy as a fundamental right and warning against automatically accepting them.

 

Cookies are essential for modern websites, as they enhance user experiences and enable personalized content. However, cookies that track user behavior also pose privacy risks if misused. To address these issues, the AP launched a two-week public campaign in December, titled “How are you profiled?”, to highlight the privacy risks associated with cookies. The campaign, featured on radio, websites, in cinemas, and on city streets, emphasized that privacy is a fundamental right and warned against mindlessly accepting cookies, which can lead to organizations collecting and sharing personal data, such as interests, health, and political preferences, often with hundreds of other entities or even advertisers. The AP urges organizations to adopt better cookie policies and provides resources on its website to assist with compliance. Additionally, the campaign aims to educate individuals on the impact of cookies and offers tips for protecting their privacy.

 

Organizations should regularly review their policies, ensuring that they use only necessary cookies, obtain clear consent via banners, and prioritize data security.

 

A good cookie policy is essential for building trust with your website or app visitors, safeguarding their privacy, and ensuring compliance with regulations to avoid fines. To this end, entities should observe the requirements of the GDPR and the ePrivacy Directive with its national implementation laws, together with any guidance provided by the relevant supervisory authority in this area. Organizations should regularly review their cookie policies, only use cookies that are necessary, and minimize data collection to reduce privacy risks. If cookies pose high privacy risks, a Data Protection Impact Assessment (DPIA) is required. Consent must be obtained properly through clear cookie banners, allowing users to easily refuse cookies without negative consequences. Organizations should explain the purpose of their cookies, identify third-party data sharing, and clarify retention periods in plain language. For guidance, professional advice can help ensure your cookie policy meets legal and ethical standards.

 

Under the GDPR, cookie walls that force users to accept tracking for website access are strictly prohibited.

 

Under the GDPR, cookie walls are generally prohibited because they do not allow visitors to provide valid consent for tracking cookies. A cookie wall requires users to accept tracking cookies to access a website or app, denying them a reasonable alternative or free choice. Valid consent requires a clear option to refuse tracking cookies without negative consequences, such as being denied access. Consent must be obtained before cookies are placed, typically through a pop-up or banner offering a straightforward choice between “yes” and “no.” This rule applies not only to cookies but also to similar technologies like JavaScript, Flash cookies, and web beacons.

 

Clear cookie banners are essential for GDPR compliance and user data control, requiring transparent explanations of data collection for explicit, freely given, specific, and unambiguous consent that is easily granted or refused.

 

Clear and honest cookie banners are essential to comply with GDPR regulations and to ensure that website visitors maintain control over their personal data. These banners should transparently explain how cookies collect and process data, allowing users to make informed choices. Organizations must avoid misleading practices, such as pre-checked boxes, hidden options, or extra clicks to refuse cookies. Consent must be explicit, freely given, specific, and unambiguous, with equal ease of acceptance and refusal. The AP emphasizes proper implementation and regularly monitors compliance, particularly for tracking cookies that process personal data. To create a compliant cookie banner, organizations should provide clear information about the purpose of cookies, ensure choices are visible on one layer, and explain how users can withdraw consent. Non-functional or tracking cookies require explicit consent, while functional and limited analytical cookies may not require it but still need clear communication. By adhering to these principles, organizations will foster user trust and avoid legal risks.
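The requirements above (no pre-checked boxes, nothing set before consent, refusal as easy as acceptance, a way to withdraw) translate directly into how a site's front-end gates its scripts. The following is an added example written for this post, not code from Coolblue, the AP or Aphaia: a small consent gate in which the default state grants nothing optional, a visitor's choice is recorded only after an explicit click, and tracking scripts are loaded only for categories that carry a recorded opt-in. The cookie name `cookie_consent`, the category names and the sample tracker list are assumptions made for the illustration.

```javascript
// Consent gate for a cookie banner. Added example; not Coolblue's, the AP's
// or Aphaia's code. Cookie name, category names and the tracker list are
// assumptions made for this illustration.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// State before the visitor has acted: only strictly functional cookies are
// allowed. Optional categories default to false and `decided` is false, so
// silence, scrolling or a pre-checked box can never count as consent.
function defaultConsent() {
  return { functional: true, analytics: false, marketing: false, decided: false };
}

// Parse a document.cookie-style string such as
//   "session=abc; cookie_consent=analytics:1,marketing:0"
// into a consent state. Anything missing or malformed means "not decided",
// which fails safe: no tracking until a valid choice is recorded.
function parseConsentCookie(cookieHeader) {
  const state = defaultConsent();
  if (typeof cookieHeader !== "string") return state;
  const entry = cookieHeader
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return state;
  const seen = new Set();
  for (const pair of entry.slice(CONSENT_COOKIE.length + 1).split(",")) {
    const [key, value] = pair.split(":");
    if (!OPTIONAL_CATEGORIES.includes(key) || (value !== "0" && value !== "1") || seen.has(key)) {
      return defaultConsent(); // malformed record: treat as no decision
    }
    seen.add(key);
    state[key] = value === "1";
  }
  if (seen.size !== OPTIONAL_CATEGORIES.length) return defaultConsent();
  state.decided = true;
  return state;
}

// Serialize a decided state back into the cookie value.
function serializeConsent(state) {
  return OPTIONAL_CATEGORIES.map((c) => `${c}:${state[c] ? 1 : 0}`).join(",");
}

// Record a visitor's affirmative action. "accept" and "reject" are the two
// equally prominent banner buttons (one click each); an object carries
// per-category choices from a settings view. No action, no consent.
function recordChoice(action) {
  const state = defaultConsent();
  if (action === "accept") {
    for (const c of OPTIONAL_CATEGORIES) state[c] = true;
  } else if (action === "reject") {
    // every optional category stays false; refusing costs nothing extra
  } else if (action && typeof action === "object") {
    for (const c of OPTIONAL_CATEGORIES) state[c] = action[c] === true;
  } else {
    throw new Error("consent requires an explicit action");
  }
  state.decided = true;
  return state;
}

// Functional scripts may always load; anything else needs a recorded,
// affirmative opt-in for its category.
function mayLoad(state, category) {
  if (category === "functional") return true;
  return state.decided === true && state[category] === true;
}

// Constructed sample tracker list, reduced to what may be loaded right now.
const TRACKERS = [
  { src: "/js/cart.js", category: "functional" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

function trackersToLoad(state, trackers = TRACKERS) {
  return trackers.filter((t) => mayLoad(state, t.category)).map((t) => t.src);
}

// Browser glue (skipped outside a page): read the record, load only what is
// allowed, and wire the two banner buttons. Withdrawing consent is the same
// one click as refusing it.
if (typeof document !== "undefined") {
  let state = parseConsentCookie(document.cookie);
  const load = () => trackersToLoad(state).forEach((src) => {
    const s = document.createElement("script");
    s.src = src;
    document.head.appendChild(s);
  });
  const save = () => {
    document.cookie = `${CONSENT_COOKIE}=${serializeConsent(state)}; Path=/; Max-Age=15552000; SameSite=Lax`;
  };
  document.getElementById("consent-accept")?.addEventListener("click", () => { state = recordChoice("accept"); save(); load(); });
  document.getElementById("consent-reject")?.addEventListener("click", () => { state = recordChoice("reject"); save(); });
  if (state.decided) load();
}
```

The design choice worth noting is the direction of every failure: a missing, malformed or duplicated consent record yields the same state as a visitor who has not yet chosen, so a parsing bug or a stale cookie can only withhold tracking, never grant it. Scripts already loaded cannot be unloaded, so withdrawal takes effect from the next page load; the retention period and the `SameSite` attribute on the consent cookie are ordinary choices for the site to document in its cookie policy.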

Discover how Aphaia can help ensure compliance of your data protection and AI strategy. We offer full GDPR and UK GDPR compliance, as well as outsourced DPO services. We specialise in empowering organisations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data landscape. Contact Aphaia today.
