Time to go Dutch on data


The Netherlands used to take one of the strictest views on online privacy in Europe but a consumer backlash has forced a re-think. EU regulators currently developing a new framework for data protection should take note. Stephan Loerke explains.

On July 1st a remarkable consultation will end. Consumers and organisations from across The Netherlands will have responded to a government proposal to relax current rules on cookie consent.

It is a fascinating turnaround in a market that used to have one of the strictest approaches to online data protection. And it has happened because consumers were fed up with constantly being asked for cookie approval every time they visited a website.

The Dutch have effectively protested against heavy-handed efforts by the authorities to impose what they thought was best for their people. The result will be a much lighter-touch regime that provides control to consumers without overburdening them with requests for consent.

It all began in June 2011 when the Dutch Government incorporated article 5(3) of the European e-Privacy Directive (“the cookie law”) into the national Telecommunications Act.

The new law required explicit consent for the use of cookies – one of the strictest in the EU – and came into force on 5 June 2012, forcing websites to ask users for their specific permission before dropping and/or retrieving cookies which recorded their data or browsing behaviour. Websites also had to prove that users had approved the use of their data.

As a result consumers have been faced with a daily diet of pop-up windows asking them to tick a box in order to accept the use of cookies before they can continue surfing on any given webpage.

These so-called cookie walls – which demanded consumers give their consent before they were allowed to read the news, check the weather or book a flight or a restaurant – have become a daily part of the Dutch internet experience.

Frustration has been growing and consumer organisations claimed the law failed to find a balance between privacy protection and user-friendliness.

The issue has also become a political one with both the centre-right VVD and centre-left PvdA parties speaking out against the excessively burdensome number of pop-ups consumers were subjected to.

So eight months after it first became law, the Dutch Minister for Economic Affairs finally announced plans to change the Dutch “cookie law”.

First, he announced plans to soften the rules for analytics, which help publishers understand user behaviour and adapt content accordingly. Consent would no longer be required if analytics cookies are used only for the website's own purposes and data are not sold to or shared with third parties.

Most importantly, for those cookies that still require consent (typically, third-party cookies, or cookies which are not essential to the “operation” of a website) the new proposal replaces explicit consent with “implicit” consent. Thus if websites inform the user that continuing to browse the website constitutes consent, the website is allowed to place cookies after the user clicks a link.

The new rules should be in place later this year and effectively align the Netherlands with the light-touch “implied” consent approach that has been put in place by the UK.

The consumer backlash that has led to the adoption of a more pragmatic and less intrusive regime will be a serious blow to privacy advocates who believe “explicit” consent is the only solution to all data protection issues.

The fact that the Netherlands is now aligning its rules with the more liberal approach of the UK sets a strong precedent. Data Protection Authorities in France and Spain have also opted against an excessive interpretation of the law.

Unfortunately, this is not the end of the story. Regulators in Brussels are currently discussing how best to revise the EU Data Protection Framework, a piece of legislation written in 1995 before the internet looked anything like it does today. The issue of explicit consent for all kinds of data, irrespective of whether they are personal or not, is once again on the table.

European regulators are rightly and justifiably seeking to ensure that people's private information is not misused by the private sector – or by public authorities for that matter. Yet, too many European policy-makers seem determined to continue to ignore the evidence.

Companies do not require personal information for the purposes of advertising. They rely on “pseudonymous” consumer data based on your demographic profile and behaviour. They don't care for your name, address or religious persuasion. But if they know that you are male, 18-30 years of age and a keen sports fan, companies can deliver you ads designed to be more relevant and less haphazard (and, yes, sometimes annoying).

According to McKinsey, the use of such data could be worth 1tn Euro to the European economy - 8% of the region's gross domestic product – in a region that desperately needs an economic boost.

And, of course, advertising pays for so much of the free content and services online we often take for granted. McKinsey found that for every euro spent on an online ad, consumers get three euros' worth of services.

The precedent of the Netherlands shows how inflexible solutions can prove unworkable. But the risks of getting this wrong are far greater than a clunky user experience. Overly prescriptive rules could not only see an opportunity pass for business to help get the region on the path to economic recovery but would fundamentally threaten the quality and breadth of services available to EU consumers.

The Dutch have sent a message. Brussels should sit up and take note.

Stephan Loerke is Managing Director of the World Federation of Advertisers
