Comply with the GDPR in 6 steps

Dutch DPA: mass violation of GDPR

The Dutch DPA, Autoriteit Persoonsgegevens (AP), has checked almost 175 Dutch websites (webshops, government and media) to see whether they set cookies in accordance with the GDPR. Almost half of the websites using tracking cookies do not comply with the (prior) consent rules, and almost all of the webshops are violating the regulations. We will explain in 6 steps how you can use cookies and comply with the GDPR.

1. Get user consent before setting any kind of cookie other than the strictly necessary ones.

Before setting any kind of cookie other than the strictly necessary ones on the visitor's device, you need the visitor's consent (prior consent). You need to categorize all your cookies, label them and make sure they are not loaded before consent has been given. You can automate this process by using automatic cookie-control.

2. Make sure checkboxes are not pre-checked

Cookie categories that don’t handle personal data may be pre-checked, whereas those that do must be actively opted into by the user to be compliant. Necessary cookies cannot be unchecked, because they are whitelisted and are necessary for the website to function properly.

On Tuesday 1 October 2019 the Court of Justice of the EU stated in the Planet49 ruling:

Pre-ticked boxes do not constitute valid consent

The initial action in the Planet49 case was brought by a German consumer rights group on the basis that the consent obtained through the use of pre-ticked boxes did not meet German legal requirements.
The case was first considered by the German competent court of lower instance (Landgericht), which ruled that the mechanisms used to obtain the participant’s consent did not satisfy the requirements of German law. Planet49 then appealed to the German Higher Regional Court (Oberlandesgericht), which held that the Federation’s plea for an injunction was unfounded as the participants would realise that they could simply deselect the tick in the checkbox. However, the German Federal Court of Justice (Bundesgerichtshof) had doubts about the validity of the consent and the information provided by Planet49, so it decided to ask the CJEU for a preliminary ruling.

Unsurprisingly, the CJEU reiterated that for the consent to be valid it requires an unambiguous indication of the individual’s wishes by either a statement or a clear affirmative action. Therefore, the pre-ticked box used by Planet49 did not meet the standards required for valid consent (under both the General Data Protection Regulation and the ePrivacy Directive) as there was no active action taken by the participant.

An example of a correct implementation of a consent-banner: no pre-checked checkboxes

3. Your website must be accessible during the consent choices (i.e. no cookie wall)

In essence, a cookie wall is a particular kind of cookie consent banner that might look like the benign ones you normally see on the Internet, except that a cookie wall leaves no option for the user to select or de-select certain categories of cookies, like marketing cookies that typically harbor myriads of private data trackers from ad tech companies.

Cookie walls work by denying entrance to a website for users unless they give full consent to all cookies.

Many companies are using cookie walls, even though they are not allowed according to various DPAs. This example shows the cookie wall of de Volkskrant, a Dutch newspaper (October 2019).

4. Make sure the given consent can be easily changed or withdrawn.

The user has access to their state of consent on the website and can at any time change their mind about the consent and choose to withdraw it. In other words: make sure it is just as easy to give the consent as it is to withdraw it. 

On our website you can change or withdraw your consent at any time by clicking the link.

5. Register given consent

GDPR states you have to register all consent your visitors have given you to set tracking cookies on their devices. According to the EDPB (European Data Protection Board) website owners are allowed to do this in any way they please as long as they register and maintain this log (and can use this in case of an audit).

Please make sure your log contains the following:

    • Who? E.g. by logging the IP address.
    • When? By logging date and time.
    • What? By logging the consent given (and for which category of cookies).

The Cookiebot consent-logging system with the ability to download the logfile. 
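
The gating and logging logic from steps 1, 2, 4 and 5, as an added JavaScript example that is not part of the original article and is not Cookiebot's code. The class name ConsentManager, the cookie names and the sample catalog are assumptions made for illustration.

```javascript
// Added example: consent state for the four categories named in this article.
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

class ConsentManager {
  constructor(catalog, now = () => new Date()) {
    this.catalog = catalog; // cookie name -> category (step 1: categorize)
    this.now = now;         // injectable clock, so log entries are testable
    // Step 2: only "necessary" starts enabled; nothing else is pre-checked.
    this.state = { necessary: true, preferences: false, statistics: false, marketing: false };
    this.log = [];          // step 5: the consent register
  }

  // Step 1: a cookie may be set only if its category has consent.
  // Cookies that were never categorized are blocked (fail closed).
  maySet(cookieName) {
    const category = this.catalog[cookieName];
    return typeof category === 'string' && this.state[category] === true;
  }

  // Steps 4 and 5: giving and changing consent use one call, and every
  // change appends a who/when/what entry to the register.
  update(who, choices) {
    for (const c of CATEGORIES) {
      if (c === 'necessary') continue;     // necessary cannot be unchecked
      this.state[c] = choices[c] === true; // only an explicit true counts
    }
    const entry = { who, when: this.now().toISOString(), what: { ...this.state } };
    this.log.push(entry);
    return entry;
  }

  // Step 4: withdrawing is as easy as giving consent: one call, also logged.
  withdraw(who) {
    return this.update(who, {});
  }
}

// Constructed sample catalog; the cookie names are hypothetical.
const SAMPLE_CATALOG = {
  session_id: 'necessary',
  lang: 'preferences',
  _stats: 'statistics',
  ad_id: 'marketing',
};
```

Call maySet() before every cookie write or third-party script load; the copy of the state in each log entry keeps earlier entries unchanged when consent is later modified.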

6. Inform your visitors about the cookies set by your website

Make sure to inform your website visitors about all cookies set by your site by publishing a cookie-policy. This information about the cookies should be accurate and specific, and should be presented in a clear and plain language, all requirements of the GDPR. List the cookies with origin, duration and purpose descriptions.

Categorize your cookies (necessary, preferences, statistics and marketing) and provide them with a purpose description.


Name, provider, purpose, expiry and type. The Cookiebot declaration shows all the information you need to provide according to the GDPR.

Once a month Cookiebot will perform an automated cookie audit by scanning your website for cookies and generate a cookie declaration with descriptions on every cookie found on your website. The declaration is available to your website users as part of the consent dialog's details pane and as a separate cookie report.
The cookie report can be published in full on any of your subpages, e.g. as part of your privacy policy. The declaration also shows the user's current consent state and offers the user the statutory option of changing or withdrawing a consent.