On June 22 2011, the Dutch parliament adopted ten out of eleven amendments to the Telecommunication Act in order to implement revised European privacy, electronic communications and telecom directives. Only the amendment on internet access as a universal service was rejected. With these measures, the Netherlands will most probably become one of the first countries in the world to enshrine the concept of network neutrality into national law by banning its mobile telephone operators from blocking its customers or charging consumers extra for using internet-based communications services as Skype.
Another important amendment, which was adopted due to the revision of the Privacy and Electronic Communications Directive by means of Directive 2009/136/EC (the 2009 Directive) concerns the rules for the setting of cookies. Cookies are information files from websites, which are consulted and stored by the web browser on the user’s computer. The information in these files can be used by the same website on the next visit of the user to that particular website. Once the Dutch Telecommunications Act is amended, it will prescribe that privacy law applies to the use of all cookies and that most cookies may only be placed with ‘the unambiguous consent’ of the consumer. The amended telecoms legislation has not yet entered into force though, as it is first up to the Senate to approve the proposed legislation.
THE CURRENT SITUATION ON THE SETTING OF COOKIES
Since 2002, the setting of cookies has been regulated by Directive 2002/58/EC on privacy and electronic communications (the 2002 Directive). Pursuant to the 2002 Directive, the storing of cookies is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information, and that an opt-out option is offered to the internet user.
However, the Dutch rules on cookies implementing the 2002 Directive clearly stipulate that the requisite provision of information needs to take place prior to the setting of the cookie. This is different from the 2002 Directive. For this reason it can be argued that, when it comes to Dutch-based internet users, it is required that, at the first visit to a website, information must be shown, for example by using a pop-up or a lead-in page, before any cookie can be set. From a practical view, this is such an obstruction that almost all websites do no more than provide information on cookies in their online privacy statements. As this practice has not caused problems or encouraged complaints, and is generally acceptable, it seems to be tolerated (ie by the Dutch Telecoms Authority).
PENDING LEGISLATION
With the 2009 Directive, new rules have been set for the use of cookies. Pursuant to the 2009 Directive, the storing of cookies is only allowed on condition that the subscriber or user concerned has given their consent, having again been provided with clear and comprehensive information in accordance with Directive 95/46/EC (about the purposes of the processing). This should not prevent technical storage of or access to information on terminal equipment of a subscriber or user for carrying out the communication transmission over a communications network though. Neither should it prevent a provider of an information social service, to provide the service, if explicitly requested by the subscriber or user.
Further, the 2009 Directive also clearly states that:
‘Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.’
To implement the 2009 Directive, the regime on cookies in the Netherlands has been revised by the Dutch parliament in such a way that websites will need to include an ‘unambiguous’ consent in the setting of ‘third-party’ and ‘tracking’ cookies. This excludes the option provided by the 2009 Directive prescribing that consent can be given through browser settings. The same requirement of unambiguous consent applies should a provider want to place cookies for online behavioural advertising purposes. This, of course, will have major effects on online advertising companies with a focus on Dutch customers.
When it comes to ‘first-party’ cookies, used for the purpose of recognising a specific browser/computer combination, if one was to return to the same site, only the consent (as opposed to the unambiguous consent of internet users) will be needed. Consent through browser settings will be considered sufficient in this regard. The parliamentary documents also clarified that the relevant obligations lie with the party responsible for setting the cookies and the rules on cookies also apply to less traditional automatic gathering tools such as flash cookies, javascripts and spyware.
SUMMARY
The current Dutch legislation on cookies clearly stipulates that the necessary provision of information needs to take place ‘prior’ to the setting of the cookie. This means that, at the first visit to a website, information must be shown, for example by using a pop-up or a lead-in page, before any cookie can be set. From a practical viewpoint, this is such an obstruction that currently almost all websites simply provide information on cookies in their online privacy statements. This means that the exact wording of the Dutch rules on cookies is not currently (entirely) in line with the 2002 Directive, but this practice is and seems to be tolerated.
The legislative proposal that has been adopted by the Dutch parliament, implementing the 2009 Directive regarding the setting of first-party cookies prescribes that only the consent of internet users is needed, as opposed to third-party and tracking cookies where the ‘unambiguous’ consent of internet users is necessary. As the measure will probably pass a pro forma review in the Dutch Senate without hitches, it is likely that the proposed policy on the setting of cookies will become new legislation in the Netherlands and will be something to take into consideration.