| For anyone wondering what the Dutch DPA (called the Autoriteit Persoonsgegevens, or Authority personal data) itself says about cookies (and user tracking in general really): https://www.autoriteitpersoonsgegevens.nl/themas/internet-sl... (It's in dutch, translate at your own liberty, I'll give my own below + the stuff the authority for consumers and the market demands, which is linked from their page.) Basically of the three cookie types, functional cookies require no consent whatsoever. A cookie to set up a user session (the page uses a shopping cart in a webshop as an example and the details mention things like saved passwords and language choices) is totally fine. The AP still recommends informing the users, but it's not required. Analytical cookies are permissible insofar that they aren't used to profile the user. You're not required to ask for permission as long as they don't contain any uniquely identifying information. You are required to inform the visitor that you are placing these cookies though. The final category are tracking cookies. These fall under the full scope of the GDPR; you must ask for consent before placing them, you must tell people how you are collecting their data (cookies, scripts or beacons are listed as examples) and you need to tell people what you do with them. Pre-checking consent forms in general is expressly forbidden (on the same logic that you can't pre-check people into signing up for physical spam mail or paid subscriptions) and consent must be clearly stated, not hidden in some terms of services page or privacy statement. Those are all requirements on top of the rights the GDPR (in Dutch called the AVG) grants consumers, although obviously most of this overlaps with the GDPR already. |