Dutch DPA intensifies cookie enforcement – key takeaways

Legal framework: cookie consent 

The rules governing cookies in the Netherlands stem from the EU ePrivacy Directive, implemented in the Dutch Telecommunications Act (Tw). Under these provisions, organisations must obtain prior informed consent before placing non-essential cookies, such as those used for tracking, profiling, or behavioural advertising. If these cookies process personal data, as is commonly the case with tracking or profiling cookies, the General Data Protection Regulation (GDPR) applies in parallel. In such cases, consent must be freely given, specific, informed, and unambiguous. 

Cookie enforcement gains momentum in the Netherlands 

Until recently, cookie enforcement in the Netherlands had been limited. The DPA and the Authority for Consumers and Markets (ACM) shared responsibility for supervising compliance, with unclear division of responsibilities and limited resources. That is now changing. The Dutch government allocated €500,000 per year for three years to the DPA for enhanced supervision of tracking technologies and misleading cookie banners. This funding will be followed by a permanent annual increase of €350,000 for investigations from 2027 onwards. As a result, the DPA now monitors around 10,000 Dutch websites annually and intends to warn 500 organisations per year for non-compliance. 

Common violations identified by the DPA 

The recent warnings issued highlight the following cookie practices the DPA considers especially misleading: 

• Cookies placed before consent. Tracking cookies must not be installed on a user’s device before they have actively given consent.
• Pre-checked consent boxes. Consent must result from a deliberate action. Pre-ticked boxes or default settings are not valid. 
• Hidden ‘refuse’ options. Designs that require additional clicks or hide the option to refuse cookies undermine the principle of valid consent. 

Earlier this month, the DPA also concluded five investigations into cookie banners on Dutch websites initiated in 2024. While these websites strictly requested consent, their implementation failed to meet legal requirements, highlighting that superficial compliance is insufficient. 

Recent fines

The current wave of warnings follows two enforcement actions in 2024: 

• A.S. Watson (parent company to Dutch drugstore Kruidvat) was fined €600,000 for placing tracking cookies without consent on webpages related to personal health. The DPA emphasised the sensitivity of the content and the fact that tracking occurred before consent had been obtained. 
• Coolblue was fined €40,000 for placing tracking cookies and collecting personal data without valid consent. Despite earlier warnings, the company continued to assume consent by default and used pre-checked boxes. 

The Coolblue fine, in particular, highlights the DPA’s growing enforcement maturity. It was the first time the DPA carried a cookie-related case through the entire administrative process, from investigation to the imposition of a fine. This shows that the DPA has now fully equipped its internal organisation to handle such proceedings, suggesting that future enforcement actions may follow more swiftly and systematically. 

A shift in dedicated regulatory authority

In a letter dated 26 March 2025, the DPA proposed to the Minister of Economic Affairs that it become the sole competent authority for enforcement of cookie laws, replacing the ACM. The proposal was coordinated with the ACM and is intended to streamline supervision, enhance legal clarity, and support better cooperation with foreign regulators. A legislative amendment to the Tw is required to formalise this change. Preparations for this amendment are already underway. If adopted, the DPA would assume exclusive competence over cookie enforcement, which is expected to result in enhanced and more efficient cookie law enforcement in the Netherlands. 

Authored by Joke Bodewitz and July Baltus.