In 2012, the Dutch Senate amended the Telecommunications Act with new rules dictating the appropriate use of cookies on websites and mobile apps.
The new rules require opt-in consent before any cookies that are not strictly necessary for the essential functioning of the website or mobile app are stored on a Dutch user's device.
Cookies are very small text-based files that get stored on a user's PC after the user visits web sites that use cookies.
These files are commonly used and play a role in telling a website how to interact with that particular browser during future visits to the website.
Cookies can enhance the user experience on a website by storing login state (the "remember me next time" functionality that bypasses a login screen), personal preferences, and other data, so that this information doesn't have to be re-entered each time a user visits the same website.
Recently, the Netherlands' strict general opt-in consent requirement was lifted and exceptions were changed.
Now, if a website or mobile app uses cookies solely for authentication of a user or a device, the business can choose to not show a notification to the user that these cookies are in use, and it doesn't have to require consent prior to placing these non-invasive cookies on the user's PC or device.
The mention of using cookies should still be included in the Privacy Policy for the web site or mobile app, regardless of the requirements of actual notifications.
A web site or mobile app that uses cookies that have an impact on the privacy of a user must still provide users with thorough and clear information that cookies are in use.
A link should be provided to a page with detailed information about what cookies are placed on users' devices and what the purpose of each cookie is.
This notice can be given through a variety of methods.
Linking to the "Cookies Policy"
Facebook links to its Cookie Policy on the sign-up page and makes it clear that by continuing to register and create an account, the presented Cookie Policy is being accepted and the use of cookies is being consented to.
This is a good example for a business that requires users to have an account to participate on the web site and/or mobile app: provide notice and obtain consent for using cookies.
Footer information pop-ups
Many web sites display a pop-up with a link to their Cookies Policy to users during their first visit to the web site.
This is another good example to let users know that by proceeding further into the web site (visiting another page and so on), cookies will be used.
Debenhams tells users that by continuing on the web site after the first visit, consent is given for the use of cookies.
While this is more of a passive consent, it still gives users the option to quickly find out more information about this by clicking on the linked Cookies Policy.
A user can then always opt to change their browser's settings to not allow cookies if something in the presented Cookies Policy is questionable, or exit the web site.
Header information pop-ups
Similar to the footer pop-up method is the header pop-up.
This is more prominently noticed by users than the footer pop-ups because we tend to view the top of the web site first.
Good Food uses a header pop-up where the user has to actively close the notification box to remove it from view.
This is another good example of notification because it means that you can infer consent if the user closes the window and continues to remain on your website.
Large banners - active acceptance
The larger your "Cookie Policy" notification is, the better.
This ensures that users of your website or mobile app won't miss your message.
The example below from Thomas Cook has included the word "Accept" in the button used to exit the cookies notification box.
This is a good example of obtaining users' consent to cookies being placed on their devices.
Even if you aren't required under the Netherlands' amended law to give notice to your users that cookies are used on your website or mobile app, it's a good idea to include information about cookies in your Privacy Policy just to be clear as to what cookies you are using and why.
The example below from Park Grand London Hyde Park shows the Cookies section of its Privacy Policy page:
Their cookies section tells users what cookies are, what they are used for, and gives tips on how to change settings by going to "internet options" in a browser.
This example from the Park Grand London Hyde Park's Privacy Policy presents a good way to inform your users of exactly what your web site or mobile app does when it comes to cookies.
The Cookie Policy used by Indeed is very thorough at disclosing exactly what cookies are used for, including the use of marketing cookies that "allow us to display Indeed promotional material to you on other sites you visit across the Internet."
This kind of behavior by use of cookies is also known as retargeting or remarketing.
The structure of Indeed's Privacy Policy page and its Cookie Policy page is a good template for breaking down how cookies are used on your web site, even if they are only used for authentication purposes.
Disclosing this to your users in your current agreement or through a separate Cookies Policy will help inform them and make it clear that cookies are not being used by your web site or mobile app for any purposes other than what you include here.
Even if your website or mobile app doesn't use cookies at all, it's still best practice to mention this. It's also a good idea to have a Privacy Policy even if you don't collect any personal data.
Here's an example of a short and simple statement from the Privacy Policy of Integral Ad Science:
Integral Ad Science didn't forget to inform its users about cookies, but cookies aren't used by this web site.
With the new laws loosening notification requirements for some non-intrusive cookie usage, remember that you should always provide information about cookies in your Privacy Policy and should be as informative as possible with your users about this.
If the cookies placed on your web site or mobile app function beyond just authenticating a user, you must provide detailed information and actual notice to a user that cookies will be placed in order to comply with the EU Cookies law.