Website operators must inform users of the purposes for which they wish to access or store data, and must obtain the users' consent before using cookies.
Cookies which aim to collect data on the use of different information society services by the user or subscriber, and to combine and analyze those data so that the user or subscriber concerned can be treated differently, are presumed to constitute a processing of personal data. According to the Dutch DPA, consent is the only legal ground for processing this cookie data.
The Dutch government has decided that the current browser privacy settings are insufficient to demonstrate user consent for cookies. This is because current browsers are set to accept cookies by default.
Consent is not required if the technical storage of or access to data has the sole purpose of:
- implementing the communication via an electronic communications network; or
- delivering the information society service requested by the subscriber or user and said storage or access to data is strictly necessary for that purpose.
The Telecommunications Act forbids cookiewalls (making access to a website conditional on consent to cookies) for services by or for government bodies.
In March 2019 the Dutch DPA issued a statement that, according to its interpretation of the GDPR, a cookiewall cannot result in valid consent for any organisation.