Coolblue fined for unsolicited use of cookies
The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of 40,000 euro on Coolblue for unlawful processing of personal data in 2020. At the time, the company used cookies to collect personal data from visitors of the online shop without obtaining their express consent. Coolblue automatically assumed that visitors would consent to this. That is not allowed.
Coolblue should have had express consent of visitors for collecting personal data through cookies. This means that people have to make an active choice for such data collection. That was not the case with Coolblue. In its cookie statement, the company indicated that it assumed agreement of visitors. In addition, Coolblue had pre-checked the boxes for consent for the use of cookies. This is contrary to the General Data Protection Regulation (GDPR).
Opportunity to put things in order
At the end of 2019, the Dutch DPA started an investigation into websites, including Coolblue.nl, to check whether they meet the applicable rules with regard to cookies. The Dutch DPA checked whether those websites asked for consent in the correct manner.
Following a visit to Coolblue.nl, the Dutch DPA sent Coolblue a letter in November 2019, because the company did not have its policy in this area in order. In April and May 2020, the Dutch DPA found that Coolblue's way of working still failed to meet the rules. The Dutch DPA then started an investigation. By June 2020, Coolblue had adjusted its way of working.
Dutch DPA checks for cookies more often
Many people are annoyed about websites that use cookies without consent, or misleading cookie banners that make it very difficult for visitors to say ‘no’. Since 2024, the Dutch DPA has been conducting extra checks to see if websites correctly ask for consent for placing cookies.
Rules of thumb for clear cookie banners
In addition to extra enforcement of the rules, the Dutch DPA provides more information on cookie banners. To help organisations comply with the law, the Dutch DPA drew up a number of rules of thumb, with clear examples of how it should and should not be done.
Informative campaign
Finally, the Dutch DPA has started a ‘cookie campaign’. With the campaign, the Dutch DPA calls on organisations to take a closer look at their cookie policy. The Dutch DPA also wants to use the campaign to make people aware of the impact of cookies on their privacy. The website of the Dutch DPA contains a lot of information about cookies and what measures people can take to protect their privacy against cookies.