The Autoriteit Persoonsgegevens (AP) fined Kruidvat €600,000 in July 2024. According to the AP, Kruidvat tracked its visitors through tracking cookies that were placed without clear consent.
Starting in 2024, the Autoriteit Persoonsgegevens wants to examine more often how organizations ask permission for cookies. Do you have this properly arranged on your website? In this article, we explain what you need to know and what to watch out for.
Because Kruidvat also sells drugstore products, among other things, the data involved is considered sensitive, and tracking it could even be labeled invasive. The Kruidvat website had tracking cookies checked by default. To turn them off, the visitor had to go through too many steps, which led the AP to characterize this as obtaining consent illegally.
When do you get an AVG cookie penalty?
Check with your web developer whether your website sets cookies and what kind they are. Are they only functional cookies? Then there is no problem. Are there also analytical or tracking cookies? Then you need to pay attention. Read below what is important.

What is a cookie?
Cookies are small text files that a website places on a visitor’s device. They allow the website owner to collect or store information about the website visit or visitor.
What is the Personal Data Authority?
The Autoriteit Persoonsgegevens (AP) is the independent Dutch regulator responsible for making sure everyone complies with privacy laws (AVG/GDPR). The AP checks websites when someone has reported a potential violation. If the AP finds that the party is indeed in violation, that party receives a letter and an opportunity to put things right. If no action is taken after the letter, the AP can impose a fine. The fine depends on the extent of the violation, including the number of visitors and how much and what kind of data is involved. The Kruidvat case involved a fine of €600,000.
What are tracking cookies?
Tracking cookies are cookies placed by your website that can be read by other websites in order to build up a profile of the visitor. Following visitors between different websites is called tracking.
A good example is social media cookies. When you visit a website that shows, for example, Instagram posts, that website places an Instagram cookie on your computer so that Instagram can track your behavior. This means that Instagram knows that you visited that website and what you did there, among other things.
Placing tracking cookies therefore requires the visitor's permission, because data about the visitor is shared between different companies. In the case of Kruidvat, this is especially undesirable because it may involve sensitive information such as purchases of medication or other drugstore products.
What are analytical cookies?
Analytical cookies exist to keep statistics for the website operator and should not contain privacy-sensitive personal data. If privacy-sensitive data is stored for this purpose, it requires the clear consent of the visitor, just as with tracking cookies.

What are functional cookies?
These are cookies that are necessary for a website to function. Take a web shop, for example. It may need this type of cookie to keep track of your order or shopping cart while you visit the website; otherwise it will not be possible to check out.
Does your cookie do anything other than what we've described under this heading? Then this rule of thumb applies: if a cookie is set with a visitor's privacy-sensitive information, or if a visitor can be tracked beyond the current website, permission is required from the visitor.
When is data privacy sensitive?
Data is sensitive when it is directly personal data, or when other data can be used to build a profile of a visitor and especially when it is shared between different websites. This increases the chance that a visitor can be traced back to a person and is therefore sensitive.
Responsibility for a website's compliance with privacy laws
The responsibility for complying with privacy laws always lies with the company that owns the website. Every good web developer informs their clients about this when applicable. We do this for our clients as well.
What does a good cookie banner look like?
While it is difficult to create a general list for every website, a cookie banner must meet at least these basic requirements:
- Privacy-sensitive cookies should not be placed until consent is given by the visitor.
- The visitor can only give consent by clicking something; accepting simply by visiting is insufficient.
- The button to accept should be as easily visible as the button to reject. Also, there should be no doubt about the meaning of the buttons.
- Visitors should also be able to withdraw their consent in as easy a way as it was given.
- For the cookies that require consent, it must be clearly defined how the data will be used and for what purpose. Separate consent is also required for each purpose.
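The requirements above can be enforced in code by routing every cookie write through a single consent gate. The following is an added example, not code from this article or from any particular cookie plugin: the ConsentGate class, the purpose names and the cookie names are hypothetical, a Map stands in for the browser's cookie store, and analytical cookies are treated as consent-requiring (the case where they hold privacy-sensitive data).

```javascript
// Added example. A Map stands in for the browser cookie store so this runs in Node.
const CONSENT_PURPOSES = ["analytics", "tracking"]; // opt-in purposes (assumption)

class ConsentGate {
  constructor(jar) {
    this.jar = jar;           // name -> { value, purpose }
    this.granted = new Set(); // empty by default: nothing is pre-checked
    this.pending = [];        // cookies held back until consent arrives
  }
  // Site code calls this instead of writing cookies directly.
  setCookie(name, value, purpose) {
    const known = purpose === "functional" || CONSENT_PURPOSES.includes(purpose);
    if (!known) throw new Error("unknown purpose: " + purpose);
    if (purpose === "functional" || this.granted.has(purpose)) {
      this.jar.set(name, { value, purpose });
      return true;
    }
    this.pending.push({ name, value, purpose });
    return false;
  }
  // Wire only to an explicit click; a page visit or scroll is not consent.
  grant(purpose) {
    if (!CONSENT_PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    this.granted.add(purpose); // one purpose per call: separate consent per purpose
    const ready = this.pending.filter((c) => c.purpose === purpose);
    this.pending = this.pending.filter((c) => c.purpose !== purpose);
    for (const c of ready) this.jar.set(c.name, { value: c.value, purpose });
  }
  // Withdrawing is a single call, like granting, and removes cookies already set.
  withdraw(purpose) {
    this.granted.delete(purpose);
    for (const [name, c] of [...this.jar]) if (c.purpose === purpose) this.jar.delete(name);
  }
}

// Constructed walk-through: which cookies exist at each stage.
function demo() {
  const jar = new Map();
  const gate = new ConsentGate(jar);
  gate.setCookie("cart", "3-items", "functional");
  gate.setCookie("_stats", "abc", "analytics");
  gate.setCookie("_ad", "xyz", "tracking");
  const beforeConsent = [...jar.keys()];
  gate.grant("analytics");
  const afterGrant = [...jar.keys()];
  gate.withdraw("analytics");
  return { beforeConsent, afterGrant, afterWithdraw: [...jar.keys()] };
}
```

In a real page the gate would also have to cover third-party scripts, which set their own cookies: those scripts should only be loaded after grant() has been called for their purpose.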
Briefly, when do you get fined by the AP?
As long as your website or plugins on your website do not contain tracking or third-party cookies, you don’t need to worry about fines from the Personal Data Authority. If you do place such cookies, it is important to have a clear cookie banner, which also states how the data is processed and for what purpose.
Pay particular attention to cookies from Google Analytics, Ads and similar analytics or tracking tools and plugins your website uses.
If in doubt, contact a lawyer. For current information and regulations, visit the website of the Personal Data Authority or the Consumer and Market Authority. The Chamber of Commerce also offers more information for entrepreneurs. No rights can be derived from this document.
News source: Personal Data Authority (July, 2024)