First Company Found (burnt) in Violation of Dutch Cookie Rules

A little shocked that this came so early for cookies, but considering all the data protection issues that have come up over the last year, I’m not.

On May 13, 2014, the Dutch Data Protection Authority (DPA) published the findings of its investigation into the compliance of online advertising agency YD Display Advertising Benelux B.V. (YD) with the Dutch cookie rules. The DPA found that YD violated the Dutch Telecommunications Act and the Dutch Data Protection Act by using personal data of Internet users for behavioral targeting without first obtaining their prior unambiguous consent. This is the first time the DPA has conducted an investigation into compliance with the recent cookie directives and regulations that came out in 2009. A formal hearing is still needed, but after that the DPA will consider enforcement measures.

The Dutch cookie rules currently require:

  • Clear and unambiguous information about the purposes for which cookies or similar technologies are used.
  • Cookies may only be placed or accessed after obtaining the prior unambiguous consent of the user.
  • Consent cannot be obtained via browser settings or by means of a vague reference to general terms and conditions, privacy, and/or permission statements.
  • If a user is given the option to consent but does not take any action, this cannot be deemed valid consent (i.e., implied consent is not sufficient).

With regard to cookies used to analyze online behavior, the Dutch legislature introduced a legal presumption that such tracking cookies process personal data. As a result, the Data Protection Act is presumed applicable to tracking cookies.

YD is an advertising agency acting as an intermediary between advertisers and websites for the placement of online advertisements. YD places tracking cookies through the websites of advertisers working together with YD, enabling YD and its network of advertisers to track the behavior of visitors across multiple websites. With these tracking cookies, YD collects information about the products or services that visitors view on these websites. YD then retargets the visitors by showing personalized advertisements on other websites within its advertising network. YD did not give visitors the opportunity to accept or decline the placement of tracking cookies, which violates the statutory consent requirements under the Data Protection Act and Telecommunications Act. Visitors are able to opt out of receiving personalized advertisements, but this does not satisfy “unambiguous consent.”

When was the last time you reviewed your tracking and cookie technologies and policies? At this point, that review should happen annually, along with a review of your privacy practices and policies.


photo by: slgckgc