The Dutch Cookie Framework: Two Laws, One Standard
Cookie consent in the Netherlands sits at the intersection of two legal instruments. The Telecommunicatiewet (Telecommunications Act), specifically Article 11.7a, transposes the EU ePrivacy Directive into Dutch law and governs how cookies and similar tracking technologies may be placed on a visitor's device. The GDPR then applies to any personal data collected through those cookies.
Article 11.7a has been in force since June 2012. It requires that before placing or reading data on a user's terminal equipment, a website must provide clear, comprehensive information about the purposes involved and obtain the user's consent.
The Autoriteit Persoonsgegevens (AP) - the Dutch Data Protection Authority - supervises and enforces both sets of rules. In practice, most cookie compliance failures in the Netherlands breach both the Telecommunicatiewet and the GDPR simultaneously.
What Article 11.7a of the Telecommunicatiewet Requires
The core obligation under Article 11.7a is straightforward: inform first, then ask permission. A website must tell visitors what data is being stored or accessed, explain why, and obtain consent before any non-exempt cookies are set.
Two narrow exemptions exist under Article 11.7a(3). Cookies that are strictly necessary for transmitting a communication over the network do not require consent. Cookies that are strictly necessary for providing a service the user has explicitly requested - such as PHPSESSID for session management or a shopping cart cookie - are also exempt.
Analytical cookies receive a partial exemption in the Netherlands. If your analytics cookies are used solely for counting visitors and have minimal privacy impact - meaning they do not build individual profiles or share data with third parties - you may place them without consent. A properly configured, first-party instance of privacy-focused analytics can qualify, but standard _ga or _gid cookies from Google Analytics 4 generally do not, because data is shared with Google.
AP Cookie Banner Rules: The 2025 Guidance Update
In late 2025, the AP published updated guidance on what a compliant cookie banner must look like. The requirements are specific and leave little room for interpretation.
First-Layer Information Requirements
The banner's first layer - the part visible without clicking through - must clearly state what personal data is collected through cookies and whether that data is shared with third parties. A vague statement like "this site uses cookies to improve your experience" does not satisfy this requirement. The AP expects visitors to understand, at a glance, who processes their data and for what purposes.
Equal Accept and Reject Options
If the first layer of your banner includes an "Accept all" button, it must also include a "Reject all" button at the same level. The AP had implied this before, but the 2025 guidance makes the requirement explicit. Burying the reject option behind a "Manage preferences" link is not compliant.
The AP's guidance also stresses that the site operator remains responsible for compliance even when using a third-party consent management platform. Deploying a CMP does not transfer legal responsibility.
The Dutch Cookie Wall Ban
The Netherlands has taken a firm stance on cookie walls. A cookie wall - where access to a website is blocked unless the visitor accepts all cookies - is not permitted under Dutch rules.
The AP's position is that consent obtained through a cookie wall is not freely given, because the visitor faces a take-it-or-leave-it choice. This aligns with the EDPB's guidance on consent under GDPR Article 7, which requires that consent be as easy to refuse as to give. Some EU member states allow limited cookie wall models (such as "consent or pay" approaches), but the Dutch AP does not accept this.
If your site targets Dutch visitors, you must provide full access to content regardless of whether cookies are accepted.
Enforcement: Fines and the 500-Website Warning Programme
The AP has moved from guidance to active enforcement. The Dutch government allocated dedicated funding of EUR 500,000 per year for three years specifically for cookie supervision, with a permanent annual increase of EUR 350,000 from 2027 onwards for ongoing investigations.
This funding has teeth. On 15 April 2025, the AP issued warnings to 50 organisations - including online retailers, media companies, and insurers - for misleading cookie banners or placing tracking cookies without valid consent. Those organisations were given three months to fix their banners or face formal investigations.
The AP now monitors approximately 10,000 Dutch websites per year and intends to warn 500 organisations annually for non-compliance.
Notable Fines
| Organisation | Fine | Reason |
|---|---|---|
| A.S. Watson (Kruidvat) | EUR 600,000 | Placing tracking cookies without consent on health-related pages |
| Coolblue | EUR 40,000 | Pre-checked consent boxes and tracking cookies without valid consent |
The A.S. Watson fine is particularly instructive. The AP considered the sensitivity of health-related browsing data an aggravating factor, demonstrating that the context of cookie placement matters, not just the cookie itself.
Ignoring an AP warning can lead to administrative fines of up to EUR 20 million or 4% of global annual turnover under the GDPR, whichever is higher.
How Dutch Rules Compare to Other EU Countries
The Netherlands occupies a middle ground in EU cookie enforcement - stricter than some member states, but broadly aligned with the tougher regulators. The cookie wall ban mirrors the positions of the French CNIL and the Belgian APD. The analytics exemption is more generous than France's approach, where CNIL has specific requirements for exempt analytics, but less permissive than some Eastern European regulators.
The dedicated government funding for cookie enforcement sets the Netherlands apart. While Germany's enforcement is split across sixteen state-level DPAs and can be inconsistent, the centralised Dutch model with earmarked funding signals sustained, predictable enforcement pressure.
For businesses operating across multiple EU markets, the Dutch rules sit comfortably within the stricter end of the spectrum. A banner that satisfies the AP's requirements will generally meet the standards in Spain, Italy, and most other EU member states.
Compliance Checklist for Dutch Websites
Use this checklist to verify your cookie setup meets the AP's current requirements:
No non-exempt cookies fire before consent is obtained (check with browser developer tools or a cookie audit)
First banner layer states what personal data is collected and whether it is shared
"Reject all" button is visible alongside "Accept all" on the first layer
No cookie wall blocks access to content
Analytics cookies are either consent-gated or genuinely privacy-friendly (first-party only, no profiling, no third-party data sharing)
Consent records are stored and can be demonstrated if the AP requests evidence
Functional cookies like
pll_languageorPHPSESSIDare correctly categorised as exemptThird-party scripts (such as Meta Pixel or Google Ads tags) are blocked until consent is granted
Cookie policy is written in Dutch (or the language of your audience) and references both Article 11.7a and the GDPR
Banner design avoids dark patterns - no colour tricks, no tiny reject links, no pre-ticked boxes
Frequently Asked Questions
Do I need cookie consent for a website targeting Dutch visitors?
Yes. Article 11.7a of the Telecommunicatiewet requires consent for all non-exempt cookies. Strictly necessary cookies and limited analytics cookies (with no profiling or third-party sharing) are the only exceptions.
Are cookie walls allowed in the Netherlands?
No. The AP considers cookie walls incompatible with freely given consent. You must allow visitors to access your site without accepting tracking cookies.
Can I use Google Analytics without consent in the Netherlands?
Standard Google Analytics 4 configurations share data with Google, which means they do not qualify for the analytics exemption. You would need consent, or you could switch to a privacy-focused analytics tool that operates first-party only.
What fines can the Dutch AP impose for cookie violations?
The AP can impose fines of up to EUR 20 million or 4% of global annual turnover under the GDPR. The Telecommunicatiewet also provides for separate penalties. Recent fines have ranged from EUR 40,000 to EUR 600,000.
Does the reject button need to be on the first layer of the cookie banner?
Yes. The AP's 2025 guidance states that if an "Accept all" button appears on the first layer, a "Reject all" button must appear there too, at the same prominence level.
Is the Netherlands stricter than other EU countries on cookies?
The Netherlands is among the stricter EU regulators, particularly with its cookie wall ban and dedicated enforcement funding. Its requirements are broadly comparable to France and Belgium.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
