Rb. Amsterdam - C/13/761516 / KG ZA 24-1034

Rb. Amsterdam - C/13/761516 / KG ZA 24-1034

Court:	Rb. Amsterdam (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 55 Brussels I Article 611(a)(3) Wetboek van Burgerlijke Rechtsvordering
Decided:	05.02.2025
Published:
Parties:	LinkedIn Microsoft Corporation Xandr Microsoft IE
National Case Number/Name:	C/13/761516 / KG ZA 24-1034
European Case Law Identifier:	ECLI:NL:RBAMS:2025:700
Appeal from:
Appeal to:	Unknown
Original Language(s):	Dutch
Original Source:	Rechtbank Amsterdam (in Dutch)
Initial Contributor:	elu

The court confirmed that LinkedIn IE, Microsoft IE, Microsoft Corporation, and Xandr Inc violated an injunction by unlawfully placing cookies on a data subject's devices. However, Xandr and Microsoft Corporation were exempted from a €25,000 penalty due to delays in serving the judgment.

English Summary

Facts

In the judgement of 7 June 2024, the judge in the preliminary proceedings ordered the LinkedIn IE, Microsoft IE, Microsoft Corporation, and Xandr Inc to cease the placing of cookies on the data subject’s devices. This judgement imposed a fine of €500 on each defendant.

If they did not comply with the cease and desist order, the defendants would have to pay €1,000 for each day of the violation, until maximum of €25,000.

After this judgement, the data subject tasked an expert to investigate whether the defendants complied with the judgement. On 15 January 2025, this expert stated that on 22 July 2024 and 1 August 2024, the defendants placed cookies on the data subject’s computer without their consent.

Consequently, the data subject on 17 October 2025 served a notice of forfeiture of €25,000, i.e a notice stating that the judgement was not respected, on each of the defendants for violating the injunction to cease the placing cookies on the data subject’s computer.

The defendants appealed the notice of forfeiture before the District Court of Amsterdam (hereinafter: the Court), where the Court ruled the following.

Holding

Preliminary remarks

Concerning the jurisdiction applicable to the case at hand and the competence of the court, the Court acknowledges that all the controllers are not domiciled in the Netherlands.

However, as per Article 7(2) Brussels I (for the EU-based defendants, namely LinkedIn IE and Microsoft IE), and under Article 6 Brussels I (for the US-based defendants, namely Microsoft Corporation and Xandr Inc), all defendants can be tried by the Dutch court. As per Article 4 Rome II, Dutch law is applicable to the case at hand.

On the Merits

The Court found that the controllers could reasonably expect that not only the cookies explicitly mentioned in the decision had to be removed. Instead, all third party cookies to which the applicant did not consent had to be removed. The Court found that the controllers did not take the necessary steps to avoid that the cookies are read or placed without data subject’s consent.

Three major reasons were listed by the Court:

1. Cookies are placed on third party websites

The purposes claimed by the defendants are inconsistent with the cookies set. More specifically, the cookies set are entirely unrelated to the defendants' services. The Court considered that the plausible purpose of such cookies are profiling and advertising purposes.

Thus, the use of these cookies on third-party sites cannot be reconciled as lawful as they do not have a purpose directly related to the operation or functionality of the specific website.

2. Cookies have unnecessarily long expiration dates

All cookies in question have a 12 and 6-months expiration date, which the Court deems excessive. The Court considers that 30 days would be a sufficient term to recognise users and store consent preferences. Each time these users visit LinkedIn, these cookies could be reset, so that no long-lasting identifiers are required.

Thus, the extended lifespans of those cookies are neither necessary or proportionate and thus the controllers violated Article 5(1)(b) GDPR and Article 5(1)(c) GDPR.

3. Cookies are read and set through network calls to LinkedIn’s ad server

The Court highlighted that the setting up of these cookies was performed through network calls to the controllers’ advertising server.

In this context, the Court bears no doubt that the injunction ordered by preliminary injunction court was violated.

Fine

The Court considered that the judgement was not served on Xandr up until 22 July or 1 August 2024. Therefore, Xandr should not face penalties. The same reasoning applied to Microsoft Corporation.

The judgment was served on LinkedIn IE and Microsoft IE on 19 July 2024, on Microsoft Corporation on 14 August 2024, and on Xandr on 26 September 2024. Therefore, the data subject found that cookies were in place on their computer before the judgment was served to Xandr and Microsoft Corporation. The Court found that Xandr and Microsoft Corporation did not fail to comply with the injunction and did not forfeit periodic payments. Accordingly, the payment injunctions were lifted.

The Court ordered LinkedIn IE and Microsoft IE to pay the penalty fine of €25,000 each. Additionally, it required them to bear the costs of the proceedings, estimated at €1,616, to be increased for attorney's fees and the costs of serving the judgment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority Amsterdam Court
Date of decision 05-02-2025
Date of publication 10-02-2025
Case number C/13/761516 / KG ZA 24-1034
Areas of law Civil procedural law
Special features First instance - single-member, for interim measures,Order for costs of proceedings
Content Indication Did LinkedIn et al. forfeit penalty payments to a private individual by failing without
to continue placing cookies on his computer that require the individual's consent? The
court had ordered them to stop doing so. LinkedIn et al. demand the lifting of the
attachment and cessation of execution. That claim is dismissed for two of the
plaintiffs. In seriousness, there can be no question that they failed to comply with the
injunction. The reason that the foreclosure was lifted for the other two plaintiffs is
that the judgment was not served on them (in the U.S.) until after the dates on which
the investigation into compliance with the judgment was conducted.
Findings Rechtspraak.nl Enriched judgment
Excerpt
judgment
AMSTERDAM COURT
Private law department, preliminary injunction judge civil
Case number / role number: C/13/761516 / KG ZA 24-1034 VVV/EvB
Summary judgment of Feb. 5, 2025.
in the matter of
1. the company under foreign law
LINKEDIN IRELAND UNLIMITED COMPANY,
based in Dublin, Ireland,
2. the legal person under foreign law
MICROSOFT IRELAND OPERATIONS LIMITED,
based in Dublin, Ireland,
3. the company under foreign law
MICROSOFT CORPORATION,
based in Redmond, Washington, United States of America,
4. the company under foreign law
XANDR INC.,
located at Redmond, Washington, United States of America, plaintiffs by writ of
summons dated December 24, 2024, defendants by counterclaim,
lawyers Mr. C. Jeloschek and Mr. S.A.K. d'Azevedo of Amsterdam,
at
[defendant] ,
residing at [domicile] ,
defendant in the action,
plaintiff in the counterclaim,
Advocates M.H.L. Hemmer and R.A.M.D. Smit of Rotterdam.
The parties will hereinafter be referred to as LinkedIn et al. and [defendant]. Separately, plaintiffs will also be referred to as
LinkedIn, MIOL, Microsoft Corporation and Xandr.
1 The procedure
At the hearing on January 22, 2025, LinkedIn et al. presented the claims as described in the subpoena. [defendant] filed a defense
and counterclaim. LinkedIn et al. contested the counterclaim. Both parties submitted exhibits and used pleading notes, which
were added to the file.
Present at the oral proceedings on the side of LinkedIn were [name 1] (of Microsoft and Xandr), [name 2] (legal counsel) and
[name 3] (legal counsel), all via digital link, assisted by L. Mitzman (English interpreter), with Mr. Jeloschek and Mr. D'Azevedo.
[defendant] was present with Mr. Hemmer and Mr. Smit.
Judgment was set for today.
2 The facts
2.1. In a judgment dated June 7, 2024, the judge in preliminary relief proceedings of this court ordered LinkedIn c.s., at the
request of [defendant], to cease and desist from placing or reading, on [defendant's] computer and/or devices, tracking
cookies or other cookies for which consent is required. Attached to the pronounced injunction is a penalty for each of
(then) defendants of € 500.00 per violation of the injunction, or - at the option of [defendant] - € 1,000.00 for each day (or
part thereof) on which the defendant in question fails to comply with the injunction and/or acts in violation thereof, until a
maximum of in total € 25,000.00 (in words: twenty-five thousand euro) per defendant has been reached. The judgment
includes the following considerations:
"(...)
5.10.1. Defendants acknowledge that most of the Cookies at issue here, namely Microsoft's
and Xandr's MUID, MSPTC, UUID, XANDR-PANID and anj Cookies, are placed for the
purpose of capturing personal data, which can be used to build profiles that can be read
for the purpose of
for advertising purposes. For the time being, also in view of the explanation of [defendant] and
the report brought into the proceedings by him, it is sufficiently plausible that with the
placement of such cookies personal data are being
3 Analyzing the User's network traffic
In three browsing sessions, on July 22, 2024 and August 1, 2024, the User used his Chrome browser to visit 163 websites, visiting the
homepages of each of these websites in turn. The User did not click on any cookie banner buttons, nor perform any other interaction
that could be interpreted as giving consent for the setting or reading of third-party cookies on his computer. As previously, before
conducting the browsing, the User set the Chrome browser to record all network traffic using the Developer Tools available within the
. This created 'HAR' files, which record all network traffic occurring while using the . This file includes all data related to cookies being
set or read while the User browses.
(...)
When the User browsed these sites, Microsoft set and read cookies on the User's computer
without any form of consent from the User. Microsoft did so from the following domains, which it owns: adnxs.com , bing.com ,
clarity.ms and linkedin.com . A summary of the network calls and cookie activity is given in Appendix 2. Each of the websites
visited either (1) had a cookie banner that offered the User the choice of accepting all cookies, rejecting cookies or changing
settings to manage cookies, or (2) had no cookie banner.
(...)"
2.4. On October 17, 2024, [defendant] served notice of forfeiture of € 25,000.00 on each of the plaintiffs for violating the injunction
issued by the injunction court on July 22 and August 1, 2024 (LinkedIn 183 violations, MIOL 198 violations, Microsoft Corporation
253 violations and Xandr 110 violations).
2.5. Subsequently, [defendant] has filed foreclosure orders. Currently, there is an attachment under DPG Media B.V. against
LinkedIn, MIOL and Xandr and under Microsoft B.V. against MIOL and Microsoft Corporation.
3 The dispute in convention
3.1. LinkedIn et al. claim, brief:
1. Primarily order [defendant] to lift the attachments;
In the alternative, order [defendant] to limit the attachments to the amount of forfeited penalties established by this judgment;
both primary and subsidiary: under penalty of forfeiture of penalties;
2. Order [defendant] to suspend and keep suspended the execution of the enjoined penalty payments, under penalty of
penalty;
3. order [defendant] to pay the litigation, post-judgment and attachment costs.
3.2. Underlying their claims, LinkedIn et al. argue, in brief, that Xandr and Microsoft Corporation could not have forfeited
penalties because the judgment was not served on them, at least not before July 22 or August 1, 2024. They further argue
that the judgment does not allow [defendant] to enforce until it has been decided whether, and if so up to what amount,
LinkedIn et al. have forfeited penalties because they are domiciled abroad. According to LinkedIn et al, [defendant] did not
provide convincing evidence that they failed to comply with the injunction; [defendant] interpreted the judgment too
broadly and the expert report contains numerous flaws. Enforcement of the penalty payments is further disproportionate
because [defendant] was offered to block the placement and reading of cookies on his hardware through his IP address.
3.3. [defendant] raises a defense.
3.4. The parties' contentions, to the extent , are in more detail below.
4 The counterclaim
4.1. [defendant] claims the amount of the forfeited penalties to be set at € 100,000.00, with each of the plaintiffs having
forfeited € 25,000.00, or at least another amount to be determined by the preliminary injunction court, with joint and
several order of the plaintiffs to pay the costs of the proceedings and the after-the-fact costs, plus interest.
4.2. LinkedIn et al. put forward a defense.
4.3. The parties' contentions, to the extent , are below.
5 The assessment in convention
The formalities
5.1. LinkedIn et al. are all domiciled abroad. Because it concerns what LinkedIn et al. consider to be the unlawful enforcement of a
Dutch judgment in the Netherlands, the Dutch court has jurisdiction to take cognizance of the case (under Article 7(2) Brussels I-
bis for LinkedIn and MIOL and under Article 6 opening words and e Rv for Microsoft Corporation and Xandr). For the same
reasons, Dutch law is applicable Article 4 of Rome II.
5.2. In an enforcement dispute such as this one, which involves whether penalties have been forfeited because an order for
compliance (injunction, prohibition) has not been made, or has not been made sufficiently
the court does not have the task independently reassessing the legal relationship decided by the court (on the merits), but
must confine itself to testing the acts performed in execution of the condemning judgment against the content of the
condemnation, as this must be determined by interpretation. In doing so, the court must take the purpose and purport of the
judgment as a guideline in the sense that the judgment does not extend beyond the achievement of its intended purpose.
5.3. The first question for consideration is whether, and if so when, the judgment was served. Indeed, a penalty payment cannot
be forfeited before the judgment establishing it has been served on the condemned person (Article 611a paragraph 3 Rv).
5.4. In the subpoena and in the first term at the hearing, LinkedIn et al. argued that the judgment was not served on Xandr, at
least not before July 22 or August 1, 2024, so for that reason it could not have forfeited penalties. At the end of the second
term, they added that the same reasoning also applies to Microsoft Corporation.
5.5. The documents submitted show that the judgment was served on LinkedIn and MIOL on July 19, 2024, on Microsoft
Corporation on August 14, 2024, and on Xandr (finally, after previous unsuccessful attempts, only) on September 26, 2024.
Thus, the judgment was served on the latter two only after July 22 and August 1, 2024, the dates on which [defendant]
verified compliance with the judgment. That Xandr (after Sept. 26, 2024) and Microsoft Corporation (after Aug. 14, 2024) did
not comply with the injunction issued by the preliminary injunction court is nowhere evident. Accordingly, they have not
forfeited any periodic penalty payments. Accordingly, the injunctions against them will be lifted and [defendant] will be
prohibited from re-enforcing the June 7, 2024 judgment against them based on violations of the judgment on July 22 or
August 1, 2024.
5.6. The next question to be answered is whether Article 55 Brussels I bis precludes enforcement of the judgment against
LinkedIn and MIOL. According to LinkedIn et al. this is the case because those two companies are both incorporated in
Ireland, making enforcement an international matter that falls within the scope of the recast EEX Regulation.
5.7. Article 55 Brussels I-bis provides that judgments delivered in a Member State which contain an order to pay a periodic penalty
payment are enforceable in the Member State in which enforcement is sought only when the amount has been finally determined
by the court of origin. However, [defendant] is not (yet) enforcing the judgment in Ireland. This article therefore lacks application.
The contents
5.8. The parties interpret the injunction handed down by the preliminary injunction court differently. According to LinkedIn et
al. only the cookies mentioned by name in the ruling may no longer be placed. Those are the cookies MUID,
MSPTC, UUID, XANDR-PANID, anj, CLID and li_sugr. That explanation is incorrect because it is too limited. The injunction was given
for tracking cookies or other cookies requiring consent, as [defendant] had also claimed. The cookies mentioned by name in the
judgment are merely examples thereof. LinkedIn et al.'s narrower interpretation also does not make sense, as it could still
continue to act in violation of the AVG and Telecommunications Act. That is obviously not its intention.
5.9. We now turn to the key question: Have LinkedIn and MIOL violated the expressed commandment?
5.10. LinkedIn et al. claim that they have taken steps to prevent cookies from being read or placed without [defendant's]
consent, but no explanation at all has been given as to when and how that would have happened. They should have been
expected to do so. But even in other respects, LinkedIn et al.'s arguments are thin on the ground.
5.11. Expert Stoter's report states that he examined the 'HAR' (HTTP archive) files created by [defendant] on July 22 and August
1, 2024. LinkedIn did not dispute that an Internet user can create HAR files, which record all network traffic during the use
session, including data
about cookies. On that basis, LinkedIn et al.'s contentions (i) that Stoter did not conduct its own investigation but only
validated [defendant's] own findings, and (ii) that [defendant] did not use a clean browser on July 22 and August 1, 2024, do
not stand up.
5.12. The arguments of LinkedIn et al. that they conducted their own investigation into the alleged violations and found (i) that
the cookies mentioned by [defendant] had not been placed and read, and (ii) that none of the websites mentioned in the
report are currently in violation of the cookie rules, do not stand up. Not only was that investigation not conducted by an
independent third party, but that investigation is dated August 20, 2024 and thus post-dates the July 22 and August 1, 2024
browser sessions relied upon by [defendant].
5.13. The argument that [defendant] and the expert are doing "cherry picking" because there are also many websites in the
Excel file (created from the HAR files) where no cookies were detected is hard to take seriously. After all, the fact that things
sometimes go right does not eliminate the times when things go wrong.
5.14. Stoter found the following cookies in his examination of the HAR files: MUID, MSPTC, CLID, the bcookie and the li_gc
cookie. That the first three are tracking cookies has already been ruled in the June 7, 2024 judgment. That of the bcookie at
that time it was not plausible that it was a cookie requiring consent does not mean that that cookie is forever exempt from
the injunction. Based on Stoter's report it has now become plausible that the bcookie is also a tracking cookie, in view of its
characteristics. Stoter included the following in his report about this:
"(...)
LinkedIn states that the cookie and li_gc cookies are functional cookies and therefore do not require consent to be stored
and accessed on users' devices. The bcookie's role is stated as being to assist LinkedIn in recognising its members' browsers
on its platform, and is therefore an aid to preventing fraudulent use of its platform. The li_gc's role is not related to security
but is stated as being to provide a persistent record of guests' consent to non-essential cookies, with "guests" presumably
meaning visitors to the linkedin.com domain.
There are a number of factors that raise doubt as to these claims. The way that these cookies are configured, they enable
LinkedIn to conduct tracking. The principal three factors that are inconsistent with the stated purposes are:
(1) these cookies are being placed on third party websites, and (2) the cookies have unnecessarily long expirations, and (3)
that they are read and set through network calls to LinkedIn's ad server.
Placement on third party websites
Perhaps the most striking inconsistency with the stated purposes of these cookies is that both the bcookie and li_gc cookies are
being set and read across a vast range of third-party websites that are entirely unrelated to the LinkedIn platform. Such behavior
aligns more closely with practices associated with tracking consumers across websites for profiling and advertising purposes,
rather than the purposes claimed by LinkedIn.
If the bcookie is intended to enable LinkedIn to recognize its members and detect abuse "on the ," this use may be understandable
on the LinkedIn platform but it is difficult to justify why this cookie is also being set and read on third-party websites that are not
part of the LinkedIn . Not only is the cookie being set for all visitors to these websites-many of whom are not LinkedIn members-
but it is also being read by LinkedIn whenever users visit these unrelated websites. This enables much broader use than abuse
detection.
Similarly, if the li_gc cookie's purpose is to "store consent of guests regarding the use of cookies for non-essential
purposes," it is equally challenging to understand why this cookie is being set and read on third-party websites. This cookie
is being deployed for all visitors to these websites, not just LinkedIn "guests," representing a significant overreach beyond
its stated purpose. Furthermore, it is unclear why LinkedIn would need to set and read a consent-management cookie on
websites that LinkedIn neither owns nor controls, suggesting a lack of transparency and potential misuse.
Finally, the use of these cookies on third-party sites cannot be reconciled as lawful under the guise of functional cookies. For
cookies to be considered functional, they must serve a purpose directly related to the operation or functionality of the specific
website where they are deployed. In this case, the setting and reading of these cookies are being carried out on websites where
they serve no discernible function, making it difficult to identify a lawful basis for such activity under European or Dutch law.
These practices appear to contravene legal requirements for transparency, necessity, and proportionality.
Long expiries
Both the bcookie and li_gc cookies are set with unusually long expiries-12 months and six
months, respectively-raising significant questions about whether such durations are necessary for their stated purposes.
For the majority of LinkedIn users who access the platform regularly, a 6- or 12-month expiry is excessive. A 30-day
expiry would likely suffice to recognize returning users and store consent preferences, while still allowing for normal periods
of inactivity. Each time users visit LinkedIn, these cookies could be reset, providing an entirely adequate means of
recognizing users and managing consent without requiring such long-lasting identifiers.
For fraud prevention, a 12-month expiry for the bcookie is particularly questionable. Industry norms for fraud detection
cookies typically involve short lifespans of days or weeks, as fraud risks are most acute during or immediately following a
session. A shorter expiry would reduce privacy risks by limiting the potential for persistent tracking across time and third-
party sites while still serving LinkedIn's stated purpose. Given that most users interact with LinkedIn regularly, re-setting the
cookies during these interactions would achieve the necessary functionality without relying on an extended lifespan.
The long expiry periods of these cookies-especially when they are set and read across third-party sites-strongly suggest, and
at least enable, a purpose beyond what has been stated. Expiries of 6 to 12 months are highly advantageous for tracking and
audience building, as they enable persistent identification of users across multiple sessions and websites over extended
periods. This would allow LinkedIn to correlate a user's activity on third-party sites with their LinkedIn profile, build detailed
behavioral profiles, and track advertising effectiveness. Such prolonged tracking ensures continuity even if users clear their
cookies infrequently, facilitating long-term audience segmentation, retargeting, and data collection.
In conclusion, the extended lifespans of the bcookie and li_gc are neither necessary nor
proportionate to their stated purposes. These practices contravene the principles of data
minimization and proportionality under GDPR, as they retain data for far longer than required for their intended use and create
undue risks to user privacy.
Connecting to an ad server
It is noteworthy that the setting and reading of these cookies is performed through network calls to px.ads. linkedin.com ,
which LinkedIn has acknowledged as their advertising server. While it may be intuitive for the li_gc cookie to interact with an
ad server if its purpose is related to managing consent for advertising, it is surprising that a security-focused cookie such as
the bcookie would be set and read via an ad server rather than through LinkedIn's dedicated security infrastructure.
Apparently, the bcookie is related to the advertising activities of LinkedIn.
(...)
5.15. With respect to the bcookie, LinkedIn et al. have raised virtually nothing against this solid substantiation. The assertion put
forward at the hearing that these passages are merely about "factors that raise doubt" - which terms do indeed appear in
neat English at the beginning - does not mean that this entire passage merely gives rise to meaningless doubts, because the
total does contain firm and understandable conclusions. It is therefore assumed that the placement or reading of bcookies is
also covered by the injunction pronounced on June 7, 2024, given their characteristics and behavior.
5.16. With respect to the li_gc cookie, LinkedIn et al. have argued in opposition to Stoter's report only that li_gc is used to record
whether a website visitor has given permission for cookies to be placed and read. That is insufficient to disprove that it is a
cookie that may only be placed with the user's consent, and also insufficient to rule that the opinion of an expert to be
appointed by the court is necessary before [defendant] may execute the penalties. In seriousness, it cannot be doubted that
the injunction ordered by the preliminary injunction court was violated.
5.17. That leaves the question of how often LinkedIn and MIOL violated the judgment. They have several objections to the
Excel summary submitted by [defendant] of all the violations he claims to have committed. That summary, they say,
contains numerous duplications and unjustified counts.
5.18. [defendant] has a multiple of 50 violations per plaintiff, so there must be quite a few errors in the Excel file for the number of
violations to be reduced below 50 per plaintiff.
5.19. [defendant] disputes the existence of double counting. According to him, the "double counting" is partly explained by the
fact that it does happen that when visiting a website, several cookies are placed simultaneously. And for the remainder,
according to him, the violations are due to the repeated reading of the placed cookie. LinkedIn et al. did not explain that and
why he sees this as wrong. The fact that the Excel statement lists a different page each time for the various violations (see
the "page" column in that statement) seems to provide support for [defendant's] contentions . In the absence of dispute, it is
assumed that the Excel file was created by automatic conversion of the HAR files and thus contains an exact representation
of [defendant's] browsing traffic. In conclusion, therefore, in seriousness, it cannot be doubted that LinkedIn and MIOL have
both violated the injunction imposed by the court in preliminary relief proceedings at least fifty times and forfeited the
maximum amount of penalties. There is therefore no ground for lifting the attachments levied against them and suspending
enforcement of the judgment against them.
5.20L.inkedIn and MIOL shall be ordered to pay [defendant's] costs as the prevailing unsuccessful party. [defendant] is the
unsuccessful party in relation to Microsoft Corporation and Xandr, but the costs of those two are set at nil because their
participation in the summary proceedings did not result in additional court fees or attorney fees for LinkedIn and MIOL. The
costs on [defendant's] side are assessed at:
- court fee € 331.00
- attorney's salary 1,107.00
- follow-up costs 178.00
Total€ 1,616.00
If this judgment is served, the costs listed at the end of 7.3 of the decision will be added.
6 The counterclaim assessment
6.1. Based on what has been considered in the Convention, it is sufficiently established that LinkedIn and MIOL have
both forfeited the maximum amount of penalties.
6.2. The collection of the periodic penalty payments is not disproportionate. [defendant] did not have to accept LinkedIn et al.'s
offer to block cookies through his IP address. That offer is the world upside , because the legislature chose an opt-in system
rather than an opt-out system.
6.3. According to LinkedIn et al. there is a disproportion between the penalty payments requested and the economic
importance of [defendant's] claim. However, [defendant's] claim was not economic, but principled: he wants to protect his
privacy. Moreover, penalty payments are intended as an incentive to comply, and the economic interest of LinkedIn et al. in
using tracking cookies is great. In neither respect are the periodic penalty payments imposed excessive.
6.4. All in all, there is sufficient ground to find that LinkedIn and MIOL forfeited € 25,000.00 in penalty payments each (i.e., a total
of € 50,000.00) for violating the June 7, 2024 judgment on July 22 and/or August 1, 2024.
6.5. As the unsuccessful party, Linkedin and MIOL are ordered to pay the costs. Because of the connection with the claim, the
costs on the part of [defendant] are estimated at nil.
7 The decision
The preliminary injunction judge
in convention
7.1. levies on the foreclosure judgments against Xandr and Microsoft Corporation,
7.2. orders [defendant] to cease and desist the enforcement of penalties allegedly forfeited by Xandr and Microsoft
Corporation for violations of the judgment on July 22, 2024 and August 1, 2024,
7.3. Order LinkedIn and MIOL to pay the costs of the proceedings, estimated to date at € 1,616.00 on the part of [defendant], to
be increased - if this judgment is served - by € 92.00 for attorney's fees and the costs of serving the judgment,
7.4. Declares this judgment enforceable to this extent,
7.5. orders [defendant] to pay the legal costs of Microsoft Corporation and Xandr, assessed to date at nil,
7.6. the more or less claimed,
counterclaim
7.7. sets the amount of penalties already forfeited at a total of € 50,000.00 (for LinkedIn and MIOL each € 25,000.00),
7.8. Declares this judgment enforceable to this extent,
7.9. Order LinkedIn and MIOL to pay the costs of the proceedings, assessed at nil to date on the part of [defendant],
7.10. the more or less claimed.
This judgment was rendered by Mr. T.H. van Voorst Vader, interim relief judge, assisted by Mr. E. van Bennekom, registrar, and
publicly pronounced on February 5, 2025.1

Instantie
Rechtbank Amsterdam
Datum uitspraak
05-02-2025
Datum publicatie
10-02-2025
Zaaknummer
C/13/761516 / KG ZA 24-1034
Rechtsgebieden
Burgerlijk procesrecht
Bijzondere kenmerken
Eerste aanleg - enkelvoudig,Kort geding,Proceskostenveroordeling
Inhoudsindicatie

Hebben LinkedIn c.s. dwangsommen aan een particulier verbeurd door zonder diens toestemming cookies op zijn computer te blijven plaatsen waarvoor toestemming van de particulier vereis is? De rechter had hen geboden daarmee te stoppen. LinkedIn c.s. vorderen opheffing van het executoriale beslag en staking van de executie. Die vordering wordt voor twee van de eisende partijen afgewezen. In ernst kan niet worden betwijfeld dat zij het verboed niet hebben nageleefd. De reden dat het executoriaal beslag is opgeheven voor de twee andere eiseressen, is dat het vonnis pas aan hen is betekend (in de VS) ná de data waarop het onderzoek naar naleving van het vonnis is uitgevoerd.
Vindplaatsen
Rechtspraak.nl
Verrijkte uitspraak
Uitspraak

vonnis
RECHTBANK AMSTERDAM

Afdeling privaatrecht, voorzieningenrechter civiel

zaaknummer / rolnummer: C/13/761516 / KG ZA 24-1034 VVV/EvB

Vonnis in kort geding van 5 februari 2025

in de zaak van

1. de vennootschap naar buitenlands recht

LINKEDIN IRELAND UNLIMITED COMPANY,

gevestigd te Dublin, Ierland,

2. de rechtspersoon naar buitenlands recht

MICROSOFT IRELAND OPERATIONS LIMITED,

gevestigd te Dublin, Ierland,

3. de vennootschap naar buitenlands recht

MICROSOFT CORPORATION,

gevestigd te Redmond, Washington, Verenigde Staten van Amerika,

4. de vennootschap naar buitenlands recht

XANDR INC.,

gevestigd te Redmond, Washington, Verenigde Staten van Amerika,

eiseressen in conventie bij dagvaarding van 24 december 2024,

verweersters in reconventie,

advocaten mr. C. Jeloschek en mr. S.A.K. d’Azevedo te Amsterdam,

tegen

[gedaagde] ,

wonende te [woonplaats] ,

gedaagde in conventie,

eiser in reconventie,

advocaten mr. M.H.L. Hemmer en mr. R.A.M.D. Smit te Rotterdam.

Partijen zullen hierna LinkedIn c.s. en [gedaagde] worden genoemd. Afzonderlijk zullen eiseressen ook wel LinkedIn, MIOL, Microsoft Corporation en Xandr worden genoemd.
1 De procedure

Op de zitting van 22 januari 2025 hebben LinkedIn c.s. de vorderingen zoals omschreven in de dagvaarding toegelicht. [gedaagde] heeft verweer gevoerd en een eis in reconventie ingediend. LinkedIn c.s. hebben de tegenvordering bestreden. Beide partijen hebben producties ingediend en gebruik gemaakt van pleitaantekeningen, die aan het dossier zijn toegevoegd.

Bij de mondelinge behandeling waren aan de zijde van LinkedIn aanwezig [naam 1] (van Microsoft en Xandr), [naam 2] (legal counsel) en [naam 3] (legal counsel), allen via een digitale verbinding, bijgestaan door L. Mitzman (tolk Engels), met mr. Jeloschek en mr. D’Azevedo. [gedaagde] was aanwezig met mr. Hemmer en mr. Smit.
Vonnis is bepaald op vandaag.
2 De feiten
2.1.

Bij vonnis van 7 juni 2024 heeft de voorzieningenrechter van deze rechtbank LinkedIn c.s. op vordering van [gedaagde] geboden het plaatsen dan wel uitlezen, op de computer en/of apparaten van [gedaagde] , van tracking cookies of andere cookies waarvoor toestemming vereist is, te staken en gestaakt te houden. Aan het uitgesproken gebod is een dwangsom verbonden voor ieder van (toen) gedaagden van € 500,00 per overtreding van het gebod, dan wel – naar keuze van [gedaagde] – € 1.000,00 voor iedere dag (of een gedeelte daarvan) waarop de betreffende gedaagde in gebreke blijft aan het gebod te voldoen en/of daarmee in strijd handelt, tot een maximum van in totaal € 25.000,00 (zegge: vijfentwintigduizend euro) per gedaagde is bereikt. In het vonnis staan onder meer de volgende overwegingen:

“(…)
5.10.1.

Gedaagden erkennen dat het merendeel van de hier in het geding zijnde

Cookies, namelijk de MUID, MSPTC, UUID, XANDR-PANID en anj cookies van

Microsoft en Xandr, geplaatst worden voor het vastleggen van persoonsgegevens,

waarmee profielen kunnen worden opgebouwd die kunnen worden uitgelezen ten

behoeve van advertentiedoeleinden. Voorshands is, mede gelet op de toelichting van

[gedaagde] en het door hem in het geding gebrachte rapport, voldoende

aannemelijk dat met het plaatsen van dergelijke cookies persoonsgegevens worden

verwerkt, in dit concrete geval die van [gedaagde] . (…)
5.10.2.

Ten aanzien van de CLID cookie heeft Microsoft betwist dat deze als een

tracking cookie kan worden gekwalificeerd. Echter gelet op haar eigen beschrijving

van de werking daarvan:

[a] free behavioral analysis tool that helps you understand how customers interact with your website. By integrating Universal Event Tracking (UET) with Clarity, you can use a single UET tag tor behavioral insights such as heatmaps and session playbacks, conversion tracking, automated bidding, and audience targeting.

(...)

Do you want to know more about who is visiting your website and what they do on it? 1f so, you will love Clarity’s new feature: Visitor Profiles.

treft deze betwisting geen doel. Ook de CLID-cookie heeft tot doel het in kaart

brengen van (individuele) bezoekers en hun surfgedrag en kan dus wel degelijk als

tracking cookie worden aangemerkt, waarmee persoonsgegevens worden verwerkt.
5.10.3

Ook met betrekking tot de LinkedIn cookies hebben gedaagden betwist dat

deze als tracking cookies kunnen worden aangemerkt. De bcookie wordt volgens

hen niet ingezet voor het identificeren van Linkedln leden en niet voor online

advertentiedoeleinden, maar voor het voorkomen van frauduleus verkeer. Het is

daarmee volgens gedaagden een functionele cookie zoals ook toegelicht door [naam 4]

in een verklaring van 17 mei 2024. [gedaagde] heeft onvoldoende gesteld om aan te

nemen dat dit anders is. De li_sugr cookie daarentegen is bedoeld om vast te stellen of de websitebezoeker Linkedln lid is. Gedaagden hebben uiteengezet dat de reden

daarvoor is dat de cookiegegevens verkregen via de Insight tag in de EU enkel

worden gebruikt voor gepersonaliseerde advertenties als de websitebezoeker een

LinkedIn lid is en daarvoor voorafgaande toestemming heeft gegeven. Met de

li_sugr worden aldus wel gegevens vastgelegd van de websitebezoeker ten behoeve

van advertentiedoeleinden. Daarmee worden dus persoonsgegevens van [gedaagde]

verwerkt. (…)”
2.2.

De betekening van het vonnis aan LinkedIn c.s. is op 16 juli 2024 in gang gezet door (verzending ter) betekening van de grossen aan de ontvangende instantie in Ierland (voor LinkedIn en MIOL) en het parket van de ambtenaar van het openbaar ministerie (voor Microsoft Corporation en Xandr), en verzending van de grossen per koerier.
2.3.

In de procedure die heeft geleid tot het vonnis van 7 juni 2024, had [gedaagde] zijn vordering onderbouwd met een deskundigenrapport van Mark Stoter. In opdracht van [gedaagde] heeft deze deskundige, nadat het vonnis was gewezen, onderzocht of LinkedIn c.s. het vonnis naleven. Op 15 januari 2025 heeft Stoter een rapport uitgebracht waarin hij concludeert dat LinkedIn c.s. op de twee onderzochte data, 22 juli en 1 augustus 2024, (tracking) cookies heeft geplaatst op de computer van [gedaagde] zonder diens toestemming. In het rapport staat onder meer het volgende:

“(…)
In this report, I examine the User’s ( [gedaagde] , vzr.) subsequent experience when, on 22 July 2024 and 1 August 2024, he visited a number of websites in the same fashion, using the Chrome browser on his home computer and recording the network traﬃc of the web browsing session.
Again, I have been provided with ‘HAR’ (HTTP archive) ﬁles, which capture the network traﬃc recorded during these browsing sessions. HAR ﬁles are ﬁles created by a user’s browser when they visit websites and contain all the details of the network calls and responses including cookie data. It is a text based ‘JSON’ ﬁle that is easily readable. HAR ﬁles can be recorded on any browser session and downloaded by the user. They can also be uploaded to the browser to view the interactions in situ. For more details on HAR ﬁles see https://www.keysight.com/blogs/en/tech/nwvs/2022/05/27/a-comprehensive-guide-on-har-ﬁles

I have been asked to:

- 1. Analyze these ﬁles to show evidence that domains owned by Microsoft Group

and/or companies within the Microsoft Group, continued to store and/or access cookies on

the User’s computer without consent.

- 2. To review the relevant privacy statements of the Microsoft Group entities, and their

various pleadings, and to assess the purpose of the cookies being set on the User’s device.
3 Analyzing the User’s network traﬃc

In three browsing sessions, on 22 July 2024 and 1 August 2024, the User used his Chrome browser to visit 163 websites, visiting the homepages of each of these websites in turn. The User did not click on any cookie banner buttons, nor perform any other interaction that could be interpreted as giving consent for the setting or reading of third-party cookies on his computer. As previously, before conducting the browsing, the User set the Chrome browser to record all network traﬃc using the Developer Tools available within the browser. This created ‘HAR’ ﬁles, which record all network traﬃc occurring while using the browser. This ﬁle includes all data related to cookies being set or read while the User browses.

(…)

When the User browsed these sites, Microsoft set and read cookies on the User’s computer

without any form of consent from the User. Microsoft did so from the following domains, which it owns: adnxs.com , bing.com , clarity.ms and linkedin.com . A summary of the network calls and cookie activity is given in Appendix 2. Each of the websites visited either (1) had a cookie banner that offered the User the choice of accepting all cookies, rejecting cookies or changing settings to manage cookies, or (2) had no cookie banner.

(…)”
2.4.

Op 17 oktober 2024 heeft [gedaagde] aan elk van eiseressen de verbeurte van € 25.000,00 aangezegd wegens het overtreden van het door de voorzieningenrechter uitgesproken gebod op 22 juli en 1 augustus 2024 (LinkedIn 183 overtredingen, MIOL 198 overtredingen, Microsoft Corporation 253 overtredingen en Xandr 110 overtredingen).
2.5.

Vervolgens heeft [gedaagde] executoriaal beslag gelegd. Op dit moment ligt er beslag onder DPG Media B.V. ten laste van LinkedIn, MIOL en Xandr en onder Microsoft B.V. ten laste van MIOL en Microsoft Corporation.
3 Het geschil in conventie
3.1.

LinkedIn c.s. vorderen, kort gezegd:

1. primair [gedaagde] te bevelen de beslagen op te heffen;

subsidiair [gedaagde] te bevelen de beslagen te beperken tot het bij dit vonnis vastgestelde bedrag aan verbeurde dwangsommen;

zowel primair als subsidiair: op straffe van verbeurte van dwangsommen;

2. [gedaagde] te bevelen de executie van de aangezegde dwangsommen te schorsen en geschorst te houden, op straffe van een dwangsom;

3. [gedaagde] te veroordelen in de proceskosten, de nakosten en de beslagkosten.
3.2.

Aan hun vorderingen leggen LinkedIn c.s. ten grondslag, kort gezegd, dat Xandr en Microsoft Corporation geen dwangsommen kunnen hebben verbeurd omdat het vonnis niet aan haar is betekend, in ieder geval niet vóór 22 juli of 1 augustus 2024. Verder stellen zij dat [gedaagde] volgens het vonnis nog niet mag tenuitvoerleggen voordat is beslist of, en zo ja tot welk bedrag LinkedIn c.s. dwangsommen hebben verbeurd, omdat zij in het buitenland zijn gevestigd. Volgens LinkedIn c.s. heeft [gedaagde] geen overtuigend bewijs geleverd dat zij het gebod niet hebben nageleefd; [gedaagde] interpreteert het vonnis te ruim en het deskundigenrapport bevat tal van gebreken. Tenuitvoerlegging van de dwangsommen is verder disproportioneel, omdat [gedaagde] is aangeboden het plaatsen en uitlezen van cookies op zijn hardware te blokkeren via zijn IP-adres.
3.3.

[gedaagde] voert verweer.
3.4.

Op de stellingen van partijen, voor zover van belang, wordt hierna nader ingegaan.
4 De vordering in reconventie
4.1.

[gedaagde] vordert het bedrag van de verbeurde dwangsommen vast te stellen op € 100,000,00, waarbij elk van eiseressen € 25.000,00 heeft verbeurd, althans een ander door de voorzieningenrechter te bepalen bedrag, met hoofdelijke veroordeling van eiseressen in de proceskosten en de nakosten, te vermeerderen met rente.
4.2.

LinkedIn c.s. voeren verweer.
4.3.

Op de stellingen van partijen, voor zover van belang, wordt hierna ingegaan.
5 De beoordeling in conventie
De formaliteiten
5.1.

LinkedIn c.s. zijn allemaal in het buitenland gevestigd. Omdat het gaat om de volgens LinkedIn c.s. onrechtmatige uitvoering van een Nederlands vonnis in Nederland, is de Nederlandse rechter bevoegd om kennis te nemen van de zaak (op grond van artikel 7 lid 2 Brussel I-bis voor LinkedIn en MIOL en op grond van artikel 6 aanhef en onder e Rv voor Microsoft Corporation en Xandr). Om dezelfde redenen is Nederlands recht van toepassing op grond van artikel 4 van Rome II.
5.2.

In een executiegeschil als dit, waarbij het erom gaat of dwangsommen zijn verbeurd omdat een bevel tot nakoming (gebod, verbod) niet of niet voldoende is

nageleefd, heeft de rechter niet tot taak de door de (bodem)rechter besliste rechtsverhouding zelfstandig opnieuw te beoordelen, maar dient hij zich ertoe te beperken de ter uitvoering van het veroordelend vonnis verrichte handelingen te toetsen aan de inhoud van de veroordeling, zoals deze door uitleg moet worden vastgesteld. Daarbij dient de rechter het doel en de strekking van de veroordeling tot richtsnoer te nemen in die zin dat de veroordeling niet verder strekt dan tot het bereiken van het daarmee beoogde doel.
5.3.

De eerste vraag die ter beoordeling voorligt, is of en zo ja wanneer het vonnis betekend is. Een dwangsom kan namelijk niet worden verbeurd voordat de uitspraak waarbij zij is vastgesteld is betekend aan de veroordeelde (artikel 611a lid 3 Rv).
5.4.

In de dagvaarding en in de eerste termijn op zitting hebben LinkedIn c.s. gesteld dat het vonnis niet, althans niet vóór 22 juli of 1 augustus 2024 aan Xandr is betekend, zodat zij om die reden geen dwangsommen kan hebben verbeurd. Aan het slot van de tweede termijn hebben zij daaraan toegevoegd dat dezelfde redenering ook opgaat voor Microsoft Corporation.
5.5.

Uit de overgelegde stukken blijkt dat het vonnis aan LinkedIn en MIOL is betekend op 19 juli 2024, aan Microsoft Corporation op 14 augustus 2024 en aan Xandr (uiteindelijk, na eerdere mislukte pogingen, pas) op 26 september 2024. Het vonnis is aan deze laatste twee dus pas betekend ná 22 juli en 1 augustus 2024, de data waarop [gedaagde] heeft gecontroleerd of het vonnis werd nageleefd. Dat Xandr (na 26 september 2024) en Microsoft Corporation (na 14 augustus 2024) het gebod van de voorzieningenrechter niet hebben opgevolgd, blijkt nergens uit. Zij hebben dan ook geen dwangsommen verbeurd. De ten laste van hen gelegde beslagen zullen dan ook worden opgeheven en het zal [gedaagde] worden verboden het vonnis van 7 juni 2024 opnieuw tegen hen ten uitvoer te leggen op basis van overtredingen van het vonnis op 22 juli of 1 augustus 2024.
5.6.

De volgende vraag die moet worden beantwoord, is of artikel 55 Brussel I-bis in de weg staat aan tenuitvoerlegging van het vonnis tegen LinkedIn en MIOL. Volgens LinkedIn c.s. is dat het geval, omdat die twee vennootschappen allebei in Ierland gevestigd zijn en de tenuitvoerlegging daarmee een internationale aangelegenheid is die onder het bereik van de herschikte EEX-verordening valt.
5.7.

Artikel 55 Brussel I-bis bepaalt dat in een lidstaat gegeven beslissingen die een veroordeling tot betaling van een dwangsom inhouden, in de aangezochte lidstaat slechts ten uitvoer kunnen worden gelegd wanneer het bedrag ervan door het gerecht van herkomst definitief is bepaald. [gedaagde] legt het vonnis echter (nog) niet ten uitvoer in Ierland. Dit artikel mist dan ook toepassing.

De inhoud
5.8.

Partijen interpreteren het door de voorzieningenrechter uitgesproken gebod verschillend. Volgens LinkedIn c.s. mogen alleen de cookies die met naam genoemd zijn in het vonnis, niet meer worden geplaatst. Dat zijn de cookies MUID,

MSPTC, UUID, XANDR-PANID, anj, CLID en li_sugr. Die uitleg is onjuist, want te beperkt. Het gebod is gegeven voor tracking cookies of andere cookies waarvoor toestemming vereist is, zoals [gedaagde] ook had gevorderd. De in het vonnis met naam genoemde cookies zijn slechts voorbeelden daarvan. De engere uitleg van LinkedIn c.s. is ook niet logisch, omdat zij dan nog steeds in strijd met de AVG en Telecommunicatiewet zou kunnen blijven handelen. Dat is uiteraard niet de bedoeling.
5.9.

Dan zijn we nu toe aan de hamvraag: Hebben LinkedIn en MIOL het uitgesproken gebod geschonden?
5.10.

LinkedIn c.s. stellen dat zij stappen hebben ondernomen om te voorkomen dat cookies zonder toestemming van [gedaagde] worden uitgelezen of geplaatst, maar een toelichting op het moment en de wijze waarop dat zou zijn gebeurd, is in het geheel niet gegeven. Dat had wel van hen mogen worden verwacht. Maar ook voor het overige is de argumentatie van LinkedIn c.s. mager te noemen.
5.11.

In het rapport van deskundige Stoter staat dat hij de door [gedaagde] op 22 juli en 1 augustus 2024 gemaakte ‘HAR’ (HTTP archive) files heeft onderzocht. LinkedIn heeft niet betwist dat een gebruiker van internet HAR files kan aanmaken, waarmee al het netwerkverkeer gedurende de gebruikssessie wordt vastgelegd, met inbegrip van data over cookies. Daarvan uitgaand, gaan de stellingen van LinkedIn c.s. (i) dat Stoter geen eigen onderzoek heeft verricht maar alleen de eigen bevindingen van [gedaagde] heeft gevalideerd, en (ii) dat [gedaagde] geen schone browser heeft gebruikt op 22 juli en 1 augustus 2024, niet op.
5.12.

De argumenten van LinkedIn c.s. dat zij zelf onderzoek hebben uitgevoerd naar de vermeende overtredingen en hebben geconstateerd (i) dat de door [gedaagde] genoemde cookies niet waren geplaatst en uitgelezen, en (ii) dat bij geen van de in het rapport genoemde websites op dit moment sprake is van overtreding van de cookieregels, gaan niet op. Niet alleen is dat onderzoek niet uitgevoerd door een onafhankelijke derde, maar dat onderzoek dateert ook van 20 augustus 2024 en dus van ná de browsersessies van 22 juli en 1 augustus 2024 waarop [gedaagde] zich beroept.
5.13.

Het argument dat [gedaagde] en de deskundige doen aan “cherry picking” omdat er ook veel websites in het Excelbestand (dat van de HAR files is gemaakt) staan waar geen cookies waren geconstateerd, is moeilijk serieus te nemen. Dat het soms goed gaat, neemt de keren dat het fout gaat immers niet weg.
5.14.

Stoter heeft bij zijn onderzoek van de HAR files de volgende cookies aangetroffen: MUID, MSPTC, CLID, de bcookie en de li_gc cookie. Dat de eerste drie tracking cookies zijn, is al geoordeeld in het vonnis van 7 juni 2024. Dat van de bcookie op dat moment niet aannemelijk was dat het een cookie was waarvoor toestemming vereist was, betekent niet dat die cookie voor altijd uitgezonderd is van het gebod. Op grond van het rapport van Stoter is nu wel aannemelijk geworden dat ook de bcookie een tracking cookie is, gelet op de karakteristieken ervan. Stoter heeft daarover het volgende in zijn rapport opgenomen:

“(…)

LinkedIn states that the cookie and li_gc cookies are functional cookies and therefore do not require consent to be stored and accessed on users’ devices. The bcookie’s role is stated as being to assist LinkedIn in recognising its members’ browsers on its platform, and is therefore an aid to preventing fraudulent use of its platform. The li_gc’s role is not related to security but is stated as being to provide a persistent record of guests’ consent to non-essential cookies, with “guests” presumably meaning visitors to the linkedin.com domain.

There are a number of factors that raise doubt as to these claims. The way that these cookies are conﬁgured, they enable LinkedIn to conduct tracking. The principal three factors that are inconsistent with the stated purposes are: (1) these cookies are being placed on third party websites, and (2) the cookies have unnecessarily long expirations, and (3) that they are read and set through network calls to LinkedIn’s ad server.

Placement on third party websites

Perhaps the most striking inconsistency with the stated purposes of these cookies is that both the bcookie and li_gc cookies are being set and read across a vast range of third-party websites that are entirely unrelated to the LinkedIn platform. Such behaviour aligns more closely with practices associated with tracking consumers across websites for proﬁling and advertising purposes, rather than the purposes claimed by LinkedIn.

If the bcookie is intended to enable LinkedIn to recognize its members and detect abuse “on the platform,” this use may be understandable on the LinkedIn platform but it is diﬃcult to justify why this cookie is also being set and read on third-party websites that are not part of the LinkedIn platform. Not only is the cookie being set for all visitors to these websites—many of whom are not LinkedIn members—but it is also being read by LinkedIn whenever users visit these unrelated websites. This enables much broader use than abuse detection.

Similarly, if the li_gc cookie’s purpose is to “store consent of guests regarding the use of cookies for non-essential purposes,” it is equally challenging to understand why this cookie is being set and read on third-party websites. This cookie is being deployed for all visitors to these websites, not just LinkedIn "guests," representing a signiﬁcant overreach beyond its stated purpose. Furthermore, it is unclear why LinkedIn would need to set and read a consent-management cookie on websites that LinkedIn neither owns nor controls, suggesting a lack of transparency and potential misuse.

Finally, the use of these cookies on third-party sites cannot be reconciled as lawful under the guise of functional cookies. For cookies to be considered functional, they must serve a purpose directly related to the operation or functionality of the speciﬁc website where they are deployed. In this case, the setting and reading of these cookies are being carried out on websites where they serve no discernible function, making it diﬃcult to identify a lawful basis for such activity under European or Dutch law. These practices appear to contravene legal requirements for transparency, necessity, and proportionality.

Long expiries

Both the bcookie and li_gc cookies are set with unusually long expiries—12 months and six

months, respectively—raising signiﬁcant questions about whether such durations are necessary for their stated purposes.

For the majority of LinkedIn users who access the platform regularly, a 6- or 12-month expiry is excessive. A 30-day expiry would likely suﬃce to recognize returning users and store consent preferences, while still allowing for normal periods of inactivity. Each time users visit LinkedIn, these cookies could be reset, providing an entirely adequate means of recognizing users and managing consent without requiring such long-lasting identiﬁers.

For fraud prevention, a 12-month expiry for the bcookie is particularly questionable. Industry norms for fraud detection cookies typically involve short lifespans of days or weeks, as fraud risks are most acute during or immediately following a session. A shorter expiry would reduce privacy risks by limiting the potential for persistent tracking across time and third-party sites while still serving LinkedIn’s stated purpose. Given that most users interact with LinkedIn regularly, re-setting the cookies during these interactions would achieve the necessary functionality without relying on an extended lifespan.

The long expiry periods of these cookies—especially when they are set and read across third-party sites—strongly suggest, and at least enable, a purpose beyond what has been stated. Expiries of 6 to 12 months are highly advantageous for tracking and audience building, as they enable persistent identiﬁcation of users across multiple sessions and websites over extended periods. This would allow LinkedIn to correlate a user’s activity on third-party sites with their LinkedIn proﬁle, build detailed behavioural proﬁles, and track advertising effectiveness. Such prolonged tracking ensures continuity even if users clear their cookies infrequently, facilitating long-term audience segmentation, retargeting, and data collection.

In conclusion, the extended lifespans of the bcookie and li_gc are neither necessary nor

proportionate to their stated purposes. These practices contravene the principles of data

minimization and proportionality under GDPR, as they retain data for far longer than required for their intended use and create undue risks to user privacy.

Connecting to an ad server

It is noteworthy that the setting and reading of these cookies is performed through network calls to px.ads. linkedin.com , which LinkedIn has acknowledged as their advertising server. While it may be intuitive for the li_gc cookie to interact with an ad server if its purpose is related to managing consent for advertising, it is surprising that a security-focused cookie such as the bcookie would be set and read via an ad server rather than through LinkedIn’s dedicated security infrastructure. Apparently, the bcookie is related to the advertising activities of LinkedIn.

(…)
5.15.

Tegen deze stevige onderbouwing hebben LinkedIn c.s. ten aanzien van de bcookie vrijwel niets ingebracht. De ter zitting naar voren gebrachte stelling dat het in deze passages slechts gaat om “factors that raise doubt” – welke termen inderdaad in keurig Engels aan het begin voorkomen – brengt niet mee dat deze gehele passage slechts aanleiding geeft tot betekenisloze twijfels, omdat het totaal wel stellige en begrijpelijke conclusies bevat. Er wordt dan ook van uitgegaan dat ook het plaatsen of uitlezen van bcookies onder het op 7 juni 2024 uitgesproken gebod valt, gelet op de karakteristieken en het gedrag van de bcookies.
5.16.

Ten aanzien van de li_gc cookie hebben LinkedIn c.s. tegenover het rapport van Stoter slechts ingebracht dat li_gc wordt gebruikt om op te slaan of een websitebezoeker toestemming heeft verleend voor het mogen plaatsen en uitlezen van cookies. Dat is onvoldoende om te ontkrachten dat het om een cookie gaat die alleen met toestemming van de gebruiker mag worden geplaatst, en ook onvoldoende om te oordelen dat het oordeel van een door de rechtbank aan te wijzen deskundige nodig is voordat [gedaagde] de dwangsommen mag executeren. In ernst kan niet worden betwijfeld dat het door de voorzieningenrechter uitgesproken gebod overtreden is.
5.17.

Dan resteert de vraag hoe vaak LinkedIn en MIOL het vonnis hebben overtreden. Zij hebben meerdere bezwaren tegen het door [gedaagde] overgelegde Excel-overzicht van alle volgens hem begane overtredingen. Dat overzicht bevat volgens hen talloze doublures en onterechte tellingen.
5.18.

[gedaagde] heeft een veelvoud van 50 overtredingen per eiseres aangevoerd, zodat er flink wat fouten in het Excel-bestand moeten zitten wil het aantal overtredingen tot onder de 50 per eiseres kunnen worden teruggebracht.
5.19.

[gedaagde] betwist dat sprake is van dubbeltellingen. Voor een deel worden de “dubbeltellingen” volgens hem verklaard doordat het wel voorkomt dat bij een bezoek aan een website meerdere cookies tegelijk worden geplaatst. En voor het overige gaat het volgens hem om schendingen door het telkens opnieuw uitlezen van de geplaatste cookie. LinkedIn c.s. hebben niet uitgelegd dat en waarom hij dit verkeerd ziet. Het feit dat in het Excel-overzicht bij de verschillende schendingen telkens een andere pagina wordt vermeld (zie de kolom “page” in dat overzicht) lijkt steun te bieden aan de stellingen van [gedaagde] . Bij gebrek aan betwisting wordt ervan uitgegaan dat het Excel-bestand tot stand is gekomen door automatische omzetting van de HAR-files en dus een exacte weergave bevat van het browse-verkeer van [gedaagde] . De slotsom is dan ook dat in ernst niet kan worden betwijfeld dat LinkedIn en MIOL het door de voorzieningenrechter opgelegde verbod allebei minimaal vijftig keer hebben overtreden en het maximum aan dwangsommen hebben verbeurd. Voor opheffing van de ten laste van hen gelegde beslagen en schorsing van de tenuitvoerlegging van het vonnis tegen hen bestaat dan ook geen grond.
5.20.

LinkedIn en MIOL zullen als de overwegend in het ongelijk gestelde partij worden veroordeeld in de proceskosten van [gedaagde] . [gedaagde] is de in het ongelijk gestelde partij in relatie tot Microsoft Corporation en Xandr, maar de kosten van die twee worden op nihil gesteld omdat hun deelname aan het kort geding niet heeft geleid tot extra griffierecht of advocaatkosten voor LinkedIn en MIOL. De kosten aan de zijde van [gedaagde] worden begroot op:

- griffierecht € 331,00

- salaris advocaat 1.107,00

- nakosten 178,00

Totaal € 1.616,00

Als dit vonnis wordt betekend, komen hier nog de kosten bij die worden genoemd aan het slot van 7.3 van de beslissing.
6 De beoordeling in reconventie
6.1.

Op grond van hetgeen in conventie is overwogen, staat genoegzaam vast dat LinkedIn en MIOL allebei het maximum aan dwangsommen hebben verbeurd.
6.2.

Het incasseren van de dwangsommen is niet disproportioneel. [gedaagde] hoefde niet akkoord te gaan met het aanbod van LinkedIn c.s. om cookies via zijn IP-adres te blokkeren. Dat aanbod is de wereld op zijn kop, omdat de wetgever heeft gekozen voor een opt-in systeem in plaats van een opt-out systeem.
6.3.

Volgens LinkedIn c.s. is er sprake van een wanverhouding tussen de gevraagde dwangsommen en het economisch belang van de vordering van [gedaagde] . De vordering van [gedaagde] was echter niet economisch, maar principieel van aard: hij wil zijn privacy beschermen. Bovendien zijn dwangsommen bedoeld als prikkel tot nakoming, en het economische belang van LinkedIn c.s. bij het gebruik van tracking cookies is groot. In geen van beide opzichten zijn de opgelegde dwangsommen te hoog.
6.4.

Er is al met al voldoende grond om vast te stellen dat LinkedIn en MIOL elk € 25.000,00 aan dwangsommen hebben verbeurd (in totaal dus € 50.000,00) wegens overtreding van het vonnis van 7 juni 2024 op 22 juli en/of 1 augustus 2024.
6.5.

Linkedin en MIOL worden als de in het ongelijk gestelde partij in de proceskosten veroordeeld. Wegens samenhang met de conventie worden de kosten aan de zijde van [gedaagde] begroot op nihil.
7 De beslissing

De voorzieningenrechter

in conventie
7.1.

heft op de ten laste van Xandr en Microsoft Corporation gelegde executoriale beslagen,
7.2.

beveelt [gedaagde] de executie van dwangsommen die Xandr en Microsoft Corporation zouden hebben verbeurd door overtredingen van het vonnis op 22 juli 2024 en 1 augustus 2024, te staken en gestaakt te houden,
7.3.

veroordeelt LinkedIn en MIOL in de proceskosten, aan de zijde van [gedaagde] tot op heden begroot op € 1.616,00, te vermeerderen – als dit vonnis wordt betekend – met van € 92,00 aan salaris advocaat en de explootkosten van betekening van de uitspraak,
7.4.

verklaart dit vonnis tot zover uitvoerbaar bij voorraad,
7.5.

veroordeelt [gedaagde] in de proceskosten van Microsoft Corporation en Xandr, tot op heden begroot op nihil,
7.6.

wijst het meer of anders gevorderde af,

in reconventie
7.7.

stelt het bedrag aan reeds verbeurde dwangsommen vast op in totaal € 50.000,00 (voor LinkedIn en MIOL elk € 25.000,00),
7.8.

verklaart dit vonnis tot zover uitvoerbaar bij voorraad,
7.9.

veroordeelt LinkedIn en MIOL in de proceskosten, aan de zijde van [gedaagde] tot op heden begroot op nihil,
7.10.

wijst het meer of anders gevorderde af.

Dit vonnis is gewezen door mr. T.H. van Voorst Vader, voorzieningenrechter, bijgestaan door mr. E. van Bennekom, griffier, en in het openbaar uitgesproken op 5 februari 2025.1