The legal restrictions on the use of cookies can be found in Art. 11.7a of the Telecommunications Act. Website operators must provide users with information and obtain their consent before storing information or gaining access to information stored in the terminal equipment of a subscriber or user. In 2015 an alteration was made to the cookie requirement stating that consent and prior information are not required for cookies with a limited effect on user privacy, for example analytics cookies to measure website visits on an aggregated level. In the explanatory memorandum to the proposal, it is also explained that consent for cookies can be expressed by any affirmative action of the website visitor if the visitor was provided with sufficient information to make an informed decision.

Website operators must inform users of the purposes for which the operator wishes to access or store the data concerned, and obtain their consent before using cookies.

Cookies which aim to collect data on the use of different information society services by the user or subscriber, and to combine and analyze those data so that the user or subscriber concerned can be treated differently, are presumed to constitute a processing of personal data. According to the Dutch DPA, consent is the only legal ground for processing this cookie data.

The Dutch government has decided that the current browser privacy settings are insufficient to demonstrate user consent for cookies. This is because current browsers are set to accept cookies by default.

Consent is not required if the technical storage of or access to data has the sole purpose of:

  • implementing the communication via an electronic communications network; or
  • delivering the information society service requested by the subscriber or user and said storage or access to data is strictly necessary for that purpose.

The Telecommunications Act forbids cookiewalls (making access to a website conditional on consent to cookies) for services by or for government bodies.

In March 2019 the Dutch DPA issued a statement that according to their interpretation of the GDPR, a cookiewall cannot result in valid consent for any organisation.