AP (The Netherlands) - Coolblue: Difference between revisions

AP - Coolblue
Authority:	AP (The Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 5(1) GDPR Article 6(1) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	16.10.2019
Decided:	23.12.2024
Published:
Fine:	40,000 EUR
Parties:	n/a
National Case Number/Name:	Coolblue
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Dutch
Original Source:	AP (in NL)
Initial Contributor:	ao

The DPA fined an online shop €40,000 for assuming data subjects consent to tracking through the continued interaction with its website.

English Summary

Facts

The Dutch DPA (Autoriteit Persoonsgegevens – AP) investigated the controller, a company called "Coolblue" which runs an online shop, in October and November 2019. Specifically the AP looked at whether the controller’s website and the connected tracking complied with the GDPR.

The AP found that the cookie banner implemented by the controller simply informed visitors on the fact that if they continue to interact with the website, their consent to tracking is assumed. The controller had also placed a link in the cookie banner, which lead to an information page on the placed cookies.

The AP sent a letter to the controller on the 29 November 2019 ordering it to take step to adjust its cookie banner. On the 28 April 2020 the AP again checked the website and found that the controller had made no adjustments. The controller did not comply with the adjustment order until the 17 June 2020.

Holding

The AP concluded in its investigative report of the 10 February 2022 that the controller was processing data without a legal basis. It therefore concluded that the controller violated the principle of lawfulness as data subjects were stripped of control over their data. The controller was held to have violated both Article 5(1) GDPR and Article 6 GDPR.

The AP held that due to uncertainties around the permissible period for adjustment of the cookie banner, the violation had begun on the 28 April 2020 and ended when the controller made the adjustments on the 17 June 2020.

The AP noted that the website was visited by a substantial number of data subjects and that the controller unlawfully processed data over a period of seven weeks. The AP considered the duration of the infringement short and therefore classified this as a mitigating factor. The AP found further mitigating factors: It found it mitigating that the controller had not processed any sensitive data and that the proceedings before the AP had taken a long time. The AP also listed as a mitigating factor, that there had been some ambiguity around the time period allowed for the controller to rectify their data processing.

Due to the mitigating factors, the AP set the fine at €40,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Coolblue should have had explicit permission from visitors to collect personal data via cookies. This means that people must actively choose to do so. This was not the case at Coolblue. In the cookie statement, the company indicated that it assumed that visitors agreed. In addition, Coolblue had pre-checked the boxes for permission to use cookies. This is in violation of the General Data Protection Regulation (GDPR). Opportunity to put things in order At the end of 2019, the AP started an investigation into websites, including Coolblue.nl, to test whether they complied with the rules that apply to cookies. The AP examined whether those websites requested permission correctly. After a visit to Coolblue.nl, the AP sent Coolblue a letter in November 2019, because the company did not have its policy in this area in order. In April and May 2020, the AP found that Coolblue's working methods were still not in order. The AP then started an investigation. In June 2020 it turned out that Coolblue had already adjusted its working methods. AP checks cookies more oftenMany people are annoyed by websites that use cookies without permission, or misleading cookie banners that make it very difficult for visitors to say 'no'. Since 2024, the AP has been checking extra whether websites ask permission for cookies in the correct manner.Rules of thumb for clear cookie bannersIn addition to extra enforcement of the rules, the AP provides more information about cookie banners. To help organizations comply with the law, the AP has drawn up a number of rules of thumb, with clear examples of what should and should not be done.Information campaignFinally, the AP has started a 'cookie campaign'. With this campaign, the AP calls on organizations to examine their cookie policy. The AP also wants to use this campaign to make people aware of the impact that cookies have on their privacy. The AP website contains a lot of information about cookies and the measures people can take to protect their privacy against cookies.