The Personal Data Authority (AP) is going to check more often in 2024 whether websites are properly asking permission for cookies and other tracking software. This is because in practice it regularly happens that companies place a misleading cookie banner on their website in a way that is prohibited by law. In this article, we will tell you exactly what cookies are and what rules the AP sets for cookie banners.
Tracking cookies
Almost any time you visit a website, a cookie banner pops up. In it, the website asks if you agree to cookies being placed on your device. Some cookies are necessary to ensure that a website works properly from a technical point of view or to map general visitor behavior. But there are also cookies that follow visitors across the Internet to collect specific information that does not benefit the visitor himself.
Cookies that "track" users across the Internet to collect data are called Tracking Cookies. These cookies closely track your online activities. Among other things, they record your searches, websites you visit, length of stay, devices used, your IP address, location and more. Website owners then sell this information to ad networks that show personalized ads to Internet users. A lot of money is made from this every year.
'What you do on the Internet is very personal'
When using cookies, organizations must comply with the General Data Protection Regulation (AVG). For tracking cookies, specific permission must be sought from the visitor.
Aleid Wolfsen, chairman of the AP: "Tracking software or tracking cookies allow organizations to watch your Internet behavior. This is not allowed, because what you do on the Internet is very personal. An organization may only track that if you explicitly agree. And you must have the option to refuse this tracking software, without it being detrimental to you."
Parties are required by law to inform visitors about what data they collect with cookies. This allows visitors to make an informed choice about whether or not to accept cookies.
In de praktijk gaat dit nog vaak mis. De AP ziet regelmatig dat organisaties misleidende manieren bedenken om toestemming te krijgen voor het plaatsen van cookies. Denk aan vinkjes die automatisch aan staan, de weigerknop die lastig te vinden is en knoppen en URL's om cookies af te wijzen die afwijkende kleuren krijgen.
To ensure that organizations better comply with the laws and regulations on cookies, the AP is going to check more often this year whether they ask for permission to place cookies in the correct way. The regulator may then decide to launch an investigation and issue a fine. These checks are possible thanks to the extra budget released by the Ministry of the Interior to combat the misuse of cookies and online abuse. This amounts to half a million euros that the AP will receive annually from 2024 to 2026.
Rules for cookie banners
The AP highlights some important aspects of cookie banners. These are some rules of thumb that will help you set up a proper cookie banner for your Web site:
- Provide information about the purpose of a cookie
Give your website visitor information needed to make an informed choice. In any case, tell what purpose you use cookies for before anyone makes a choice. In doing so, be clear and complete about your goals. - Don't turn on checkmarks automatically
Some cookie banners use checkboxes. Make sure that your website visitor clicks (or doesn't click) certain choices and thus makes a conscious choice. So, for example, the choice boxes should not automatically be set to "consent. - Use clear text
Use clear words in your text, such as: accept, agree and decline. That way, it is clear that someone is consenting or refusing. Be sure not to use vague or controlling wording, such as "yes, accept optimal cookies" and "no, I don't want an optimal experience. - Make refusing as easy as accepting
Make sure visitors can accept and reject cookies just as easily. Put the refuse and accept buttons on the same layer. That means someone doesn't have to click through to the next page to refuse cookies, if they don't have to for accept either. In addition, don't ask for confirmation when someone wants to reject cookies. - Don't hide choices
Make sure both the accept and reject buttons are clearly visible. For example, don't make visitors scroll unnecessarily to reject cookies if they don't have to do so to accept cookies either. - Be clear about withdrawing consent
Clearly explain how the visitor can withdraw consent again before making a choice.
Retrieved from the AP's website you will find more explanations and examples of the rules of thumb.
Get the right cookies
Does your organization use cookies? If so, you can assume that you are processing personal data. Even with some functional and analytical cookies, you are processing personal data. Now that the AP is going to enforce more strictly on the correct use of cookie banners, it is therefore extra important to ensure that your cookie banner meets the correct requirements.
Wondering if your organization is in compliance with laws and regulations? Our consultants are always ready to assist you.