CBP’s first cookie law investigation: YD Display Advertising Benelux violates Dutch privacy rules and telecommunication rules
Under the Dutch Telecommunications Act (Telecommunicatiewet), cookies that are placed on, or read from, a website visitor’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply to functional cookies, e.g. cookies that are used solely for facilitating the technical communication over a network or that are strictly necessary for providing a service requested by the website visitor. Cookies that are not exempt are, for example, social media plug-in cookies, third party advertising cookies and tracking cookies. If the placement of cookies also involves the processing of personal data, the Data Protection Act (Wet bescherming persoonsgegevens) additionally applies. Under the Data Protection Act, a legal basis for the processing of personal data is required, which is often found in the unambiguous consent of the visitor.
The CBP had also announced earlier this year that one of its priorities for 2014 was to focus on the profiling, tracking and tracing of internet users.
YD is an advertising agency acting as an intermediary between advertisers and websites for the placement of online advertisements. YD has its principal place of business in Amsterdam and is active in the Netherlands, Germany, Spain and France. YD promises advertisers a personalised approach to specific target groups.
The CBP found that YD places tracking cookies through websites of advertisers working together with YD, enabling YD and its network of advertisers to track the behaviour of visitors through multiple websites. With these tracking cookies, YD collects information about products or services that visitors view on these websites. YD retargets the visitors by showing personalised advertisements on other websites within its advertising network.
YD does not give visitors the opportunity to accept or decline the placement of tracking cookies, which violates the statutory consent requirements under the Data Protection Act and Telecommunications Act. Visitors are able to opt out of receiving personalised advertisements, but this is not sufficient to construe unambiguous consent. The CBP also found that the information YD provides to their visitors does not satisfy the notification requirements under the Data Protection Act.
The CBP notes that the violations would still exist even if the proposed amendment of the Telecommunications Act, currently before the Second Chamber of the Dutch parliament, were applied. The proposed amendment is aimed at easing the rules for analytics cookies. According to the CBP, the use of tracking cookies would also under the amendment require the user’s opt-in consent, due to the impact of these cookies on the privacy of the user.