The Dutch DPA (Autoriteit Persoonsgegevens) is of the opinion that websites should remain accessible to everyone, even if visitors refuse tracking cookies.

The DPA comes to this conclusion on the basis of the General Data Protection Regulation (GDPR). A cookie wall is not permitted. The DPA has sent a letter to the organisations about which it has received the most complaints. In the letter it announces that it will intensify the supervision of the use of ‘cookies’ and ‘cookie walls’ in the coming period.

On the other hand, however, the Consumer & Market Authority (ACM) states: “We have recently taken action against the 100 most popular websites in the Netherlands. In doing so, we have tackled a large number of the most serious violations. The industry now knows which rules apply to cookies. We continue to keep an eye on these businesses and take action against entrepreneurs who violate the rules. For example, if they use cookies or other techniques that pose a high risk to privacy”.

Who is dealing with cookies: DPA or ACM?

The ‘cookie’ rules are laid down in the Telecommunications Act. This was chosen at the time, because placing ‘cookies’ on personal devices can follow people’s communication behaviour or even analyse the content of their communication messages. The government has the duty to protect the confidentiality of electronic communications and thus the privacy of people and legal entities (organisations).

On the basis of the Telecommunications Act, the Consumer & Market Authority (ACM) deals with the placing of cookies. The DPA is responsible for the enforcement of the GDPR. The GDPR contains rules for the protection of personal data. However, as soon as the lawful placing of cookies leads to data being derived from all kinds of devices that can be traced back to the person using the device or to other persons whose data are stored on that device, the authority of the DPA comes into effect.

One consent is not the other

In concrete terms, this means that organisations that track people using cookies permitted by ACM must ensure that they also meet the requirements set by the GDPR for the processing of personal data. They may only process the data on the basis of, for example, an underlying agreement, ad hoc consent or a legitimate interest that outweighs the interest of the person followed. It is therefore not the case that tracking cookies may only be used if a user of an online service or app has given permission to do so.

Giving permission as a condition to pass through a ‘cookie wall’ is a permission to place cookies. It is up to the ACM to decide whether or not websites are allowed to demand this. This consent is not the same consent as the consent required for the processing of personal data.

As soon as permitted cookies are used to process personal data of a user, the organisation that uses the cookies will have to comply with the requirements set by the GDPR for the processing of personal data. The AP supervises this.

Time to change things?

The key question remains: why would you want to follow people who haven’t asked for it and might not want it? In order to map out their behaviour so that you are able to approach them with offers that suit their supposed interests?

This can be done in a way that is more nifty and sustainable: by using the Qiy Trust Network, a common basis is created in which people themselves decide to establish reliable and relevant 1-on-1 connections with online service providers.

This way, a two-way communication channel is created between the related parties. These communication channels can be used to deliver relevant content and offers to user (despite the fact that they remain anonymous). The anonymous user shares profile data, interests and preferences with online service providers, but no personal data.