In the Netherlands, the Autoriteit Persoonsgegevens (AP) is the authority responsible for enforcing the GDPR and regulations relating to cookies. While the core principles of the regulation apply across Europe, every national authority has its own focus areas. And since April this year, the AP has stepped up its efforts, sending out multiple warning letters to numerous website owners and giving them three months to get their compliance in order. In this new edition of Compliance Check-Up, we break down what the Dutch regulator expects from your cookie banner and how to make yours not only compliant but exemplary.
Same European Rules, Different Local Readings
The General Data Protection Regulation (GDPR), which determines, in particular, the validity requirements for consent, applies uniformly across the EU, but its day-to-day enforcement often varies. Each national Data Protection Authority interprets and prioritizes different aspects of compliance.
In France, for instance, the CNIL recently made headlines with its sanction against Shein, highlighting three essential rules for cookie compliance:
- The purposes for which cookies are used must be clearly stated;
- Users must be informed about the identity of partners using trackers on the website,
- And when users refuse consent, that refusal must actually take effect — meaning no trackers should activate until consent is given.
These three principles perfectly capture the GDPR’s philosophy about consent, i.e, consent must be freely given, specific, informed, and unambiguous.
In the Netherlands, the AP supervises the application of the local legislation implementing the e-Privacy Directive (Article 5(3) of Directive 2002/58/EC) and places particular emphasis on transparency, especially regarding who collects data and for what purpose. Users must know which categories of data are being shared, why, and with how many partners.
That focus has directly inspired the design of Axeptio’s cookie banner now live on the CookieCode website.
What the Dutch Regulator Expects from a Compliant Cookie Banner
The AP’s recommendations are built around nine key principles, most of them rooted in the GDPR and the ePrivacy Directive:
- Provide clear information about the processing of personal data and its purposes: users must understand why their data is collected and how it will be used.
- Do not use pre-ticked boxes. Consent must be an active, deliberate choice.
- Use plain and simple language. Avoid legalese, technical jargon, or ambiguous wording.
- Display all consent options on the first step of the CMP. Users shouldn’t have to dig through multiple screens to find the “reject” button.
- Do not hide options. All choices must be equally visible and accessible.
- Avoid unnecessary clicks to refuse consent. Refusing should be just as easy as accepting.
- Do not use inconspicuous links in the text.
- Be clear about the possibility to withdraw consent at any time. Users should know they can easily change their mind.
- Do not confuse consent with legitimate interest. These are distinct legal bases and must never be mixed within the same category of trackers.
Together, these nine rules define the baseline for a compliant cookie banner. But if your audience includes Dutch users, a few local nuances deserve special attention.
Three Essential Guidelines for Making Your Cookie Banner GDPR-Compliant in the Netherlands
1. First-screen transparency over third parties and purposes
The AP expects users to see on the very first screen of the CMP how many third-party partners are involved and the categories of purposes attached to them.
With Axeptio for Brands, this requirement is easy to implement: for each purpose, the banner can surface the associated vendor list directly in the first screen, using links and, giving users a clear, didactic view of how data may be shared.
Crucially, the partner count must be stated in the banner. You can use the customizable text to spell it out, as in the example below.
2. Link to a Dedicated Cookie Statement
The AP also values the presence of a direct link to your “cookie statement” — a document dedicated specifically to cookies and trackers.
Unlike your privacy policy (which covers all personal data processing), this page should focus on the cookies themselves: their purposes, lifespans, and third parties involved.
The Axeptio's banner implemented on CookieCode's website provides a great example: concise text on the banner, paired with a clear link to the full cookie policy. The AP has praised this combination of transparency and user experience.
3. Use the Right Wording for Buttons and Choices
A linguistic nuance that matters: the AP expects the main acceptance button to read “Accepteren”, not “Oké!” or any vague alternative.
For the AP, the wording of action buttons directly affects how clearly users understand their choices, and therefore, the validity of their consent.
Final Check-Up: Is Your Cookie Banner Ready for the Netherlands?
During discussions with the Dutch Data Protection Authority, representatives indicated that the banner displayed on the CookieCode website, designed with Axeptio for Brands, was in line with their recommendations.
- Before you go live on the Dutch market, double-check the essentials:
- The consent “Accept” button says “Accepteren”
- The number of partners and purposes is clearly visible
- A direct link to the cookie statement appears on the first screen
- Refusal is as easy as acceptance
- Users can reopen the banner anytime to adjust their preferences
Having trouble adapting your cookie banner to Dutch compliance standards?
