Hundreds of Dutch sites tracking consumers without permission: report

Over 1,300 Dutch websites follow consumers' surfing behavior without their permission - so-called tracking cookies are placed even if the site visitor ignores the cookie pop-up, NOS reports based on its own research. "This shows that many websites may violate the law. In the short term we are going to start an investigation into the compliance with privacy rules by websites", a spokesperson for the Dutch data protection authority AP said to the broadcaster.

In the Netherlands it is forbidden to place tracking cookies on someone's computer or phone without permission. But in practice this happens very often, the broadcaster found. NOS researched around 10 thousand websites for this study. The broadcaster had its research computer visit each site 10 times, saving all the cookies that were placed. NOS then manually separated the tracking cookies from cookies that are allowed to be placed without permission, like functional- or analytical cookies. The broadcaster found that 3,237 websites place cookies without express permission, and in 1,341 cases it involved tracking cookies.

Tracking cookies are often used by advertising companies to find out what you are interested in, so that they can show you personalized ads. This is allowed under Dutch privacy laws, but only if the user gave permission.

NOS found that hundreds of Dutch websites - ranging from large websites of shops and media, to websites for schools, healthcare institutions and health insurers - place tracking cookies without explicit consent. Some websites placed dozens or even hundreds of tracking cookies at the first visit.

The website of regional broadcaster RTV Rijnmond is the biggest culprit of placing tracking cookies at the first visit. The site placed more than a thousand tracking cookies. According to RTV Rijnmond, this was a mistake that has now been corrected. Parra.nu and Girlscene, popular sites among young people, also placed hundreds of tracking cookies without permission. Parra.nu told NOS that it is working on solving the problem. Girlscene was unable to respond. Center Parcs and Marktplaats placed dozens of tracking cookies.

Some websites use a more gray area - not placing tracking cookies at the first visit, but when you continue surfing the site. The idea is that if you continue to use the site, you apparently agree to tracking cookies. A judge will have to decide whether that is legal, ICT lawyer Arnoud Engelfriet said to NOS. "But it is very likely that this is not permitted."

Nu.nl, Libelle, Startpagina and Linda, among others, use this method. "With our cookie notification we offer visitors the opportunity to inform themselves and indicate personal preferences", a spokesperson for Sanoma, publisher of NU.nl and Startpagina, said to NOS. If visitors ignore the notification, Sanoma sees it as permission.

The Netherlands implemented its current cookie regulations in 2013, so the fact that so many websites still don't comply is striking. The data protection authority is critical. "These rules are now six years old, you can then expect that they are known by now", a spokesperson said to NOS.

"The privacy impact of one website following you is still small", David Korteweg of privacy organization Bits of Freedom said to the broadcaster. "But your surfing behavior on thousands of websites can be combined into a profile and ultimately say a lot about you as a person."

Industry organization for data and marketing DDMA told NOS that it is difficult to comply with the cookie law, because a website is constantly changing and many sites are dependent on external parties, who can all place cookies. "In the Netherlands you can only place advertising cookies after permission, but in practice it is unfortunately not always that simple."