Cookie legislation: have you brought your website into line?

At the start of the previous month, I was interviewed by BNR Nieuwsradio about the new provisions on cookies in the amended Dutch Telecommunications Act (Article 11.7a). Under the new rules, websites are required to inform visitors and ask for their consent before setting or accessing a cookie or other information on their PC, laptop or mobile phone.

Following the interview, I received calls from a number of companies asking whether (and how) they should adapt their websites, and wondering what risks they would run if they do not make the necessary changes. I will now briefly answer these questions.

Do I have to adapt my website?
If you only use functional cookies, there is no need to adapt your website. Functional cookies are "harmless" cookies which make it easier to use the features on a website, such as cookies that save visitors’ settings / registration details.

However, if you provide a service online and use tracking and / or third-party cookies in order to do so, you will have to adapt your website. Tracking cookies are cookies that are used to track the Internet user. Third-party cookies are set on an Internet user’s PC by a third party, via your site - one example being a third party’s advertisement on your website.

What are the risks if I do not adapt my website?
If you don’t adapt your website, you run the risk of heavy fines. OPTA - the Netherlands’ independent post and telecommunications authority - can impose a maximum fine of 450.000 euros for each breach of the Telecommunications Act. So far, OPTA has mainly issued warnings, but it is expected to take a tougher line in 2013. 

You may also run into trouble with the Dutch Data Protection Authority (DPA). The DPA is an enforcement authority which can take tough measures if cookies are used to process Internet users’ personal data, imposing a maximum fine of  4.500 euros, an administrative enforcement order (a "last onder bestuursdwang" in Dutch, i.e. an administrative measure for the restoration of a legal situation) or periodic penalty payments.

It is therefore essential that you bring your website into line with the new legislation as soon as possible! 

What changes do I need to make to my website?
If you have established that you use tracking and / or third party cookies, you must make the following changes to your website:

› Before setting the cookie, you must inform the Internet user about the type of cookie, i.e. what its purpose is, and what information will be obtained about the Internet user via its use.

› You must request the Internet user’s consent before setting cookies. If the Internet user does not consent, you may not set the cookie.

There are various ways of requesting consent. You can, for example, compel the visitor to make a choice in a dialogue window, or you can ask for the visitor’s consent via the status bar or a warning bar, each time you want to set a cookie.

There are, however, many other options and it is advisable to consult an ICT specialist to discuss the most suitable method for you.

Conclusion
This post briefly answers the three most frequent questions about the new cookie legislation. For detailed guidance, please refer to the IAB’s recently published Cookie Compliance Guide. This guide explains at length the process you must undertake in order to satisfy the requirements of the new provisions on cookies.

Paul Visser is Attorney-at-Law at GMW Advocaten / Legal Expat Desk. For more information, please comment below or contact him directly.