Coolblue fined €40,000 for unlawful data collection via cookies

Dutch privacy regulator Autoriteit Persoonsgegevens (AP) has fined Coolblue 40,000 euros for unlawfully processing personal data through cookies in 2020. The company collected data from webshop visitors without obtaining explicit consent, violating the General Data Protection Regulation (GDPR).

The AP investigation revealed that Coolblue assumed visitors consented to the collection of their personal data simply by using the website. Visitors were not given the opportunity to actively opt in, and the company pre-ticked boxes for cookie permissions, which is prohibited under GDPR.

The AP began examining multiple websites, including Coolblue.nl, in late 2019 to assess compliance with cookie regulations. After visiting Coolblue.nl, the regulator sent the company a warning letter in November 2019, noting deficiencies in its cookie policies.

In April and May 2020, the AP confirmed that Coolblue’s practices still failed to meet legal standards. This prompted a formal investigation, during which Coolblue adjusted its procedures. By June 2020, the company had implemented changes to comply with the regulations.

The AP has ramped up efforts to monitor cookie compliance since 2024, responding to public frustration over websites using cookies without consent or employing misleading cookie banners. The regulator has emphasized that visitors must be given a straightforward way to refuse cookies without undue difficulty.

To help organizations comply, the AP has issued guidelines with clear examples of acceptable and unacceptable cookie banner practices.

The AP has also launched a cookie awareness campaign to encourage businesses to review their cookie policies and educate the public on the privacy implications of cookies. The campaign highlights measures individuals can take to protect their data.