Taming the cookie monster with Dutch law – A tale of regulatory failure

Profiling the online behaviour of Internet users has become a defining feature of the Internet. Individual surfing behaviour is tracked by many enterprises for statistical purposes, but also for behavioural advertising and other personalisation services. Profiling implies the processing of personal data often facilitated by cookies and other markers placed on the terminal equipment of Internet users. The European rules for the regulation of cookies and similar technologies were modified in 2009 requiring prior consent of the user, in order to guarantee that the user has some control over the processing of their information. In 2013 the Netherlands introduced probably the strictest implementation of the European rules concerning the installation of cookies. However, in practice the new legal requirements resulted in neglect of the obligations regarding user information on the one hand and in the widespread deployment of annoying banners, popup screens and ‘cookie walls’ on the other. Not only the advertising industry, but also web publishers and even ordinary Internet users opposed the regulation. Furthermore, the regulation, certainly initially, did not lead to increased user control. These and other factors support the conclusion that the Dutch cookie regulation is a case of regulatory failure. This paper discusses the practices that were deployed in the Netherlands and assesses them based on a multi-site study that examined the practices of 100 Dutch websites with regard to the installation of cookies. It further reflects on the response of the Dutch regulator, who –under the pressure of industry and consumers outcry- amended the relevant provisions of the Dutch Telecommunications Act in 2014.