Expensive cookies

23.01.2025

CoolBlue fine

At the end of last year, the Dutch Data Protection Authority (AP) imposed a fine of €40,000 on CoolBlue for unlawfully processing personal data via cookies on its website in 2020.

CoolBlue should have asked its visitors for explicit consent to collect personal data via cookies. CoolBlue did not do so, but simply assumed that visitors agreed: the boxes for consent to the use of cookies were pre-ticked. This is in violation of the General Data Protection Regulation (GDPR).

Since 2019, the AP has been stepping up its monitoring of the use of cookies on websites to check whether the rules applicable to cookies are being complied with. In doing so, the AP also looks at the way in which websites request consent for the use of cookies. After visiting coolblue.nl, the AP concluded that the company’s policy in this area was not in order and sent CoolBlue a letter about this in November 2019. It was not until June 2020 that CoolBlue appeared to have changed its working methods.

CoolBlue was not the only one to get it wrong. In the summer of 2024, the AP imposed a fine of €600,000 on Kruidvat’s parent company AS Watson for using tracking cookies without the consent of website visitors. The high amount of the fine was also due to the fact that, according to the AP, sensitive personal data was collected via the tracking cookies and that this processing had affected a large number of people. It was therefore a violation of the privacy of a great many people.

The above makes it clear that it is crucial for companies to take another critical look at their cookie policy.

What exactly are cookies?

Cookies are small (text) files that a website or app owner places on the user’s device (e.g., phone, computer, or tablet) when that user visits the website or uses the app. Cookies are not visible to website visitors or app users because they sit in the ‘background’. A distinction can be made between different types of cookies, including functional cookies, analytical cookies, and other cookies (including tracking cookies).

Collecting personal data

Cookies enable the owner of a website or app to collect and store information about the user themselves or their visit. Personal data is often processed in this way, but not all cookies process personal data. Roughly speaking, a distinction can be made between cookies that have little or no impact on the privacy of visitors and cookies that do. For example, there are cookies that ensure that a website or app functions properly (technically), that products can be stored in a digital shopping cart, and that login details are remembered and do not have to be re-entered each time. These cookies have little or no impact on a person’s privacy. Tracking cookies generally have a much greater impact on privacy. These cookies are stored on the user’s device for a longer period of time and can accurately track a person’s surfing behavior across multiple (unrelated) websites over time. In this way, the person who placed the cookies can find out how a visitor behaves on the site, which advertisements and products they find interesting, which website they visit next, and so on. This allows detailed profiles of website visitors to be built up over a longer period of time.

Privacy impact: not to be underestimated!

Although cookies may seem harmless at first glance and are often “invisible,” their impact on user privacy can be quite significant, especially in the case of profiling as described above.

As mentioned, cookies can be used to collect many different types of (personal) data about a person. For example, information can be obtained about a person’s location, purchasing behavior, internet searches, interests, political preferences, personality traits, family situation, and so on. This information is very attractive to companies: thanks to the use of tracking cookies and the detailed profiles that can be created of users, more targeted advertising or customized content can be offered. It may sound harmless: targeted advertising, what could be wrong with that? But it is important to realize that a lot of personal data is collected for this purpose, often without people realizing it.

The impact of (some) cookies on the privacy of website visitors/app users should therefore not be underestimated. This applies first and foremost to the website visitors themselves, who must critically assess which cookies they do or do not accept and what data they are willing to disclose each time they visit a website. But this also applies to the companies behind the websites and apps. They must critically ask themselves why they want certain personal data from visitors and users and what they are going to do with it. In view of the principle of data minimization, personal data is not “nice to have.” For every piece of personal data it wants to process, a company must critically ask itself whether the personal data is actually necessary for the intended data processing and is therefore a “must have.” If a piece of personal data is not a “must have,” then a company would be better off refraining from processing it.

Provision of information

The rules governing the provision of information about cookies can (for the time being) be found in the Telecommunications Act and – where cookies that process personal data are concerned – in the GDPR. Companies must clearly inform website visitors and app users about the cookies they use and how and why personal data is collected with them. They must do this via a cookie banner. The information in the cookie banner must be clear and transparent. If cookies are used that require the consent of the website visitor/app user, this consent must also comply with the provisions of the GDPR. Visitors and users must be able to make an informed choice as to whether or not they wish to give consent for certain cookies and the associated data processing.

Strengthened supervision of cookie use by the AP

The AP supervises cookie banners and regularly investigates them. It has further intensified its investigations since 2024 thanks to additional funding: for the years 2024 to 2026, the AP will receive an additional half a million euros annually specifically for the extra supervision of cookies and online tracking.

The most recent fine imposed on CoolBlue is an example of this. It is therefore all the more important that companies take a close look at their cookie policy in order to avoid unpleasant surprises such as a possible fine from the AP. After all, prevention is better than cure!

Need help with cookies?

Does your company have questions about the lawful use of cookies and/or providing your customers with the correct information about them? If so, please contact our colleague Kim Deckers by email at k.deckers@paulussen.nl or by phone at 043 321 6640.

She will be happy to assist you.
