Website Rules in the Netherlands
Dutch websites must comply with the AVG (GDPR), Telecommunicatiewet, the European Accessibility Act, and display KVK registration details. The Autoriteit Persoonsgegevens actively enforces cookie and privacy rules.
Data protection authority:
Autoriteit Persoonsgegevens
(AP)
Requirements
6
country-specific rules
Guides
9
guides available
Specific requirements for Netherlands
KVK number display
Every Dutch business must display their KVK (Kamer van Koophandel) registration number on their website, emails and invoices. Required by the Handelsregisterwet 2007.
BTW-ID (not BTW-nummer) for ZZP'ers
Since 2020, sole proprietors (eenmanszaak/ZZP) must use their BTW-identificatienummer on their website, not the old BTW-nummer which contained their BSN.
Cookie consent (Telecommunicatiewet)
The Dutch Telecommunicatiewet requires informed consent for non-essential cookies. The AP has issued warnings and fines to websites that set tracking cookies before consent.
Privacy policy (AVG)
Every website processing personal data needs an accessible privacy policy covering data collection, legal basis, data processors, retention periods and visitor rights.
EAA / Digital Accessibility (ACM)
The European Accessibility Act is enforced in the Netherlands by the ACM (Autoriteit Consument & Markt). Websites must meet WCAG 2.1 AA standards.
E-commerce: Koop op Afstand
Online sellers must comply with "Koop op Afstand" (distance selling) rules: 14-day withdrawal right, clear pricing including BTW, delivery terms before checkout.
Enforcement in Netherlands
In 2024, the Autoriteit Persoonsgegevens fined Clearview AI €30.5 million for building an illegal facial recognition database. For smaller businesses, the AP issued a €525,000 fine to a company for fingerprinting website visitors without consent, and warned hundreds of websites about cookie banners that don't meet requirements.
Official resources
Guides for Netherlands
GDPR Fines for Small Businesses: Real Cases and Amounts
Real GDPR fines for small businesses run from about 1,000 to 50,000 EUR. See published regulator decisions, what triggers enforcement and how to avoid it.
GDPR compliance checklist for Irish businesses (2026)
GDPR compliance checklist for Irish businesses. DPC enforcement, DPA 2018, ePrivacy Regs 2011, CRO disclosure, cookie consent and processor agreements.
EAA for Irish small businesses: SI 636/2023 compliance
EAA small business guide for Ireland: S.I. 636/2023, micro-enterprise exemption, CRO disclosure, WCAG 2.1 AA and CCPC expectations.
Do I Need a Cookie Banner? EU Decision Guide
Simple decision guide for EU businesses: when does your website actually need a cookie banner? Three questions to find out, with the legal basis explained.
Contact Form GDPR Requirements: Article 13 Compliance
What a GDPR-compliant contact form needs: Article 13 information, the right legal basis (legitimate interest vs precontractual), unchecked boxes, retention.
Google Analytics and GDPR: Is GA4 Legal in the EU? (2026)
Can you use Google Analytics 4 in the EU? The consent requirement, the EU-US DPF transfer mechanism, Consent Mode v2 limits and cookieless alternatives.
Data Breach Reporting Under GDPR: 72-Hour Notification
Report a personal data breach under GDPR Article 33: the 72-hour clock, when notification is required, what to file and when to tell affected individuals.
Data Processing Agreement (DPA): Article 28 GDPR Guide
When a third-party service needs a Data Processing Agreement under GDPR Article 28: required clauses, common processors and how to handle DPA refusal.
GDPR Data Retention Periods: Article 5(1)(e) Guide
How long can you keep personal data under GDPR? The Article 5(1)(e) storage limitation principle and retention periods by data category for EU businesses.
Check your website for Netherlands requirements
Our scanner checks for Netherlands-specific requirements automatically.
I understand this is a technical scan, not legal advice, and I accept the Terms.