Tracking cookies

Tracking cookies make it possible to track the internet behaviour of website visitors across different websites with the aim of targeting that individual specifically, for example by showing personalised ads or offers. Tracking cookies enable an organisation to draw up profiles of people (profiling). Tracking cookies involve the processing of personal data.

Complying with the GDPR with tracking cookies

Do you use tracking cookies for processing personal data of the visitors of your website? Then you must comply with the rules from the General Data Protection Regulation (GDPR).

The most important requirements are that you:

  • have a legal basis for the data processing;
  • inform visitors in a timely and proper manner about the processing of personal data and the purpose of processing;
  • secure (personal) data properly.

In order to obtain legally valid consent for placing tracking cookies, you must first inform your website visitors about:

  • the (types of) personal data that you collect and process by means of cookies;
  • the purposes of the data processing;
  • the recipients and how many recipients there are (or the categories of recipients) to whom you provide the data;
  • the withdrawal of consent;
  • all other information that is necessary to provide your visitors with a true reflection of the data processing.

The collection and processing of personal data

Provide information about the types of personal data that you collect and process using tracking cookies. This should in any case include:

  • web pages visited;
  • IP addresses;
  • cookie content;
  • referrer URL;
  • any other data that you collect, such as data about the peripherals used and settings of the software on the device.

Purposes of the data processing

Let your visitors know for what purpose you collect and process their personal data. For example:

  • displaying targeted advertisements (or having these displayed);
  • the use of social media, website statistics;
  • compiling interest profiles;
  • displaying recommendations, market analysis, target group analysis;
  • improving the navigation on your website.

Note: a general purpose such as 'improving the services' is not specific enough.

How many recipients (or categories of recipients)

State information about the number and types of recipients to whom you provide personal data. State the names of advertising networks, any social media and other parties that place tracking cookies through your website. Also state the names of the cookies and information about the purpose of the processing.

Withdrawal of consent

Explain to your visitors how they can withdraw their consent. This must be done prior to the visitor making the choice whether or not to accept tracking cookies.

Any other information that is required

Inform visitors about the retention period for each separate cookie. Check the service life of the tracking cookies that are placed through your website. Then assess whether the retention period is necessary for the purpose.

A retention period of six months or more will often be too long. This is also because the period is extended by another six months every time your website, or another website that places this cookie, is visited.

Social media buttons and videos

Do you want to include only a few social media buttons on your website, to enable your visitors to share content? And do you not use any other tracking cookies? Then you can, for example, work with non-active social media buttons.

In that case, visitors will have to click consciously on these 'grey' buttons to give consent. By clicking the button, the users determine whether they want to activate the functionality of that button. And with it, whether they want to make use of the social media plug-in cookies. In this case too, you have to tell the visitors what they give consent for.

Also, embedding videos is often still possible without the video player placing cookies when receiving visitors to your website. Some video platforms offer the option to embed a privacy-friendly version of the video.

Legal basis: consent

The GDPR contains a number of possible legal bases for processing personal data. Do you process personal data using tracking cookies? Then you must be able to rely on a specific legal basis, namely unambiguous consent.

Asking for consent

This means that you must ask your website visitors for consent for placing tracking cookies. And that the visitors must have a clear choice to give or refuse such consent.

Under the GDPR, consent is only valid if it is given freely, specifically, and in a well-informed and unambiguous manner.

This means that:

  • the visitors to your website must also be able to refuse consent (otherwise it is not a free choice);
  • it must be clear for what exactly you ask consent;
  • your visitors must be provided with sufficient information about what personal data are being processed and what happens with their personal data when they give consent;
  • your visitors must actually give consent by an affirmative action;
  • your visitors must be informed about how to withdraw their consent.

You may not place cookies before the visitor has given consent or after the visitor has refused to give consent.

We have drawn up rules of thumb for creating a clear cookie banner.

No valid consent

There is no valid consent in the following examples:

  • A cookie wall where your visitors, if they refuse cookies, are denied access to your website or cannot use the website normally.
  • Omission of an act by your visitors. You cannot derive consent from such an omission, for example when visitors have not chosen through their browser to refuse tracking cookies. If you only refer to your privacy policy, this is also insufficient.
  • Assuming that your visitors have given consent when they continue to use your site - by continuing to scroll or swipe - after an information banner has been displayed ("By continuing to use this website, you agree to the placing of tracking cookies"). These are not affirmative actions from which unambiguous consent is apparent.
  • Default settings whereby all cookie categories are automatically ticked at a deeper layer of the cookie banner.

Note: you must be able to demonstrate that visitors have actually given consent for placing cookies.

Anonymising tracking cookies

Even if you do not have a name and address of your website visitors yourself, you will nevertheless often process their personal data using tracking cookies. When tracking cookies are placed and read, other data are always collected, such as IP addresses, data about websites visited at an earlier time, and sometimes data that enable unique identification of the peripheral on the Internet.

Indirectly traceable

These data are personal data, individually or combined with each other. Even if you, as a website owner, cannot link them to a name or an address yourself. The definition of personal data is not only about data that you can use yourself for identifying someone, but also about data that can be used by someone else for identifying someone. This is what we call indirect traceability.

Apart from this, the purpose of tracking cookies is actually to track the behaviour of a specific individual on the Internet. And based on this Internet behaviour, to treat this individual differently.

That you (or the advertising network that places tracking cookies through your website) do not know the name of the website visitor does not alter the fact that you (or the advertising network) can combine information about the surfing behaviour of one specific individual. And can approach this individual in a targeted manner through advertisements.

Still personal data

The anonymisation of personal data is a form of personal data processing. When collecting these data you will have to ask for consent based on adequate information that you provide to the visitor, even if you do not anonymise the data immediately.

Truly irreversible anonymisation is not easy, by the way. In practice, this is often pseudonymisation. This may be a good measure, for example for reducing security risks. But pseudonyms (encrypted data) also remain personal data, because they can still be traced back to individuals.

For more information, see the Opinion of the European Article 29 Working Party on Anonymisation Techniques.

Cookie wall

Under the GDPR, using a cookie wall is not permitted in most cases. This is because you cannot obtain valid consent from your visitors or users for placing tracking cookies when using a cookie wall without offering a reasonable alternative.

No real choice

When using a cookie wall, people who want to visit a website or use an app are asked to accept (tracking) cookies before they are given access to the website. If they do not give consent, access will be denied. If you do not offer a reasonable alternative at the first layer of the website, visitors have no real or free choice.

They are free to refuse tracking cookies, of course, but this is not possible without adverse consequences. Because refusing tracking cookies means that they will not be given access to the website. That is why cookie walls are prohibited under the GDPR.

Note: This explanation on cookie walls is not just about placing cookies. Not only cookies fall under this description, but also comparable techniques for which consent must be asked. These are techniques such as JavaScript, Flash cookies, fingerprinting, HTML5 local storage and/or web beacons (tracking pixels).
