Cookie Banner Requirements in the Netherlands (2026)

Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026

The AP (Autoriteit Persoonsgegevens) has been enforcing cookie banner rules since 2024. It now has a dedicated annual enforcement budget. In April 2025 the AP warned more than 200 organisations about misleading banners. About three-quarters fixed their banners after the warning round. The rest face formal investigations. More than half of monitored Dutch websites still break the rules.

This guide covers exactly what a compliant Dutch cookie banner must look like. It explains what makes a banner non-compliant. It also lists what the AP has fined businesses for. You can run a free Dutch cookie banner check on your site in two minutes before you read on.

Cookie consent in the Netherlands comes from two sources.

  1. Telecommunicatiewet, Article 11.7a. Requires consent before placing non-essential cookies on a visitor's device.
  2. GDPR, Article 6(1)(a) and Article 7. Defines what valid consent looks like.

Both apply at the same time. A cookie banner must satisfy the Telecommunicatiewet's consent requirement. It must also satisfy the GDPR's validity standards.

The 9 AP rules at a glance

The AP published these requirements as binding guidance. Use this table as your scan checklist.

| # | Rule | What the AP requires | Common mistake | Quick fix |
|---|------|----------------------|----------------|-----------|
| 1 | No cookies before consent | Tracking scripts must wait until the visitor chooses | GTM fires analytics on page load | Block tags by default in GTM consent mode |
| 2 | Reject as easy as accept | Same clicks and same visual prominence | Big green Accept, small grey Reject link | Make both primary buttons of equal size |
| 3 | No pre-ticked boxes | Non-functional categories unticked by default | Analytics box already ticked | Default all non-essential toggles to off |
| 4 | No cookie walls | Site must work without accepting | Content blocked behind Accept | Allow browsing with functional cookies only |
| 5 | Specific per category | Users can pick analytics, ads, personalisation separately | Single Accept-all-or-nothing toggle | Add per-category controls |
| 6 | Freely given | No pressure, no dark patterns | False urgency or confusing wording | Use neutral copy and clear options |
| 7 | Informed | Identify who places cookies and why | "Our advertising partners" without names | List third parties or link to a full list |
| 8 | Easy withdrawal | Same number of clicks as giving consent | Buried in 1,500 words of privacy policy | Add a footer link to a preference centre |
| 9 | Consent recorded | Store timestamp, version, categories | No proof of consent collected | Log consent in a separate datastore |

The next sections walk through each rule with Dutch enforcement context.

Rule 1: No cookies before consent

Tracking scripts must not load until after the visitor has made a choice. The banner must appear before any analytics script runs. The same applies to advertising or social media scripts. Loading scripts while the banner is still visible breaks this rule. A GTM container that fires third-party tags on page load is non-compliant. Capture consent first.

Rule 2: Reject must be as easy as accept

The reject option must look as prominent as accept. It must take the same number of clicks. The AP specifically calls out these patterns.

  • A large green "Accept all" button paired with a small grey "Manage preferences" text link
  • Single-click "Accept all" paired with multi-click rejection that asks the user to deselect each category
  • A banner with only an Accept button and a settings link buried in the UI

Both accept and reject must be primary buttons. Both must be equally visible.

Rule 3: No pre-ticked boxes

When the banner shows consent options by category, non-functional categories must be unticked by default. That covers analytics, advertising and personalisation. The visitor must actively opt in. They cannot be forced to opt out.

Kruidvat was fined specifically for pre-ticked boxes. Coolblue was fined for automatically accepting cookies when a user clicked "continue".

Rule 4: No cookie walls

You may not require visitors to accept cookies to access your website. The same applies to paywalls that offer a choice of "accept cookies or pay". The AP treats this as a cookie wall if the accept-cookies option is the default. It also applies if the subscription price is set artificially high.

The EDPB Guidelines 05/2020 on consent under GDPR confirm that cookie walls do not produce freely given consent. The AP has enforced this position since March 2019.

Rule 5: Specific per category

A single "I accept all cookies" option is fine. Users must also be able to accept or reject by category. The standard categories are analytics, advertising and personalisation. You cannot bundle all non-functional cookies into one all-or-nothing choice.

Rule 6: Freely given

Consent is not valid if it comes from pressure or manipulative design (dark patterns). See our guide on cookie banner dark patterns for the full EDPB taxonomy.

Rule 7: Informed

The banner must clearly identify who is placing cookies. It must also state the purpose. Listing "advertising partners" without naming them is not enough. The banner or a linked page must give the visitor enough information to make an informed choice.

Rule 8: Easy withdrawal

Users must be able to withdraw consent at any time. A preference centre or settings link must be accessible from every page. It cannot live only inside the initial banner. The withdrawal mechanism must take the same number of clicks as the original consent action.

Rule 9: Consent recorded

You must be able to demonstrate that consent was given. You must also show when it was given and for what. Store a consent record with three fields: the timestamp, the version of the banner shown, and the categories accepted. Do not link the consent record to a persistent profile built before consent. That profile would itself be a cookie placed without consent.

The four GDPR Article 7 consent conditions

GDPR Article 7 sets four conditions that consent must meet. The diagram below shows each condition with a Dutch context example.

Figure: Four GDPR Article 7 consent conditions with Dutch examples

  1. Freely given. No cookie walls, no nudge buttons, no penalty for refusing. Dutch example: Bol.com cannot block browsing until you accept tracking.
  2. Specific. Separate choice per purpose. No bundled all-or-nothing. Dutch example: NS.nl must split analytics from marketing toggles.
  3. Informed. Who places cookies, what for, and how long they stay. Dutch example: name Meta and Google if their pixels fire after Accept.
  4. Unambiguous. Clear active action. Silence, pre-ticked boxes, scrolling: not consent. Dutch example: a "continue browsing to accept" banner is invalid.

The AP uses these four conditions to score banners in its enforcement reviews. A banner that fails any one of them produces invalid consent.

What gets businesses fined

The AP's fine decisions show the most common violations.

Kruidvat (AS Watson). Initial €600,000 (reduced to €50,000 on appeal).

  • Pre-ticked consent checkboxes
  • Tracking cookies loaded before consent was obtained
  • The reject path required significantly more interaction than accept

See the AP's decision on the AS Watson fine for the full reasoning.

Coolblue. €40,000.

  • Pre-ticked consent boxes
  • Clicking "continue" on the banner automatically accepted cookies
  • No genuine equal choice between accept and reject

The AP published its Coolblue fine notice in English.

Worked example: a Dutch webshop banner

Imagine a small Dutch webshop running on Shopify with a Google Tag Manager container. The owner installed a free banner plugin two years ago. Here is what an AP-style audit might find, and what the fix looks like.

Before the fix.

  • Banner shows on first page load. Behind it, GTM fires Google Analytics and the Meta Pixel.
  • Accept button is bright orange. Reject sits as a small grey "Manage" text link.
  • Inside Manage, three toggles for analytics, advertising and personalisation are pre-ticked.
  • The privacy page lists "trusted partners" without naming Meta or Google.
  • No preference centre is reachable from the footer once the banner closes.

This banner fails rules 1, 2, 3, 7 and 8. Five of nine. Consent collected through it is invalid under GDPR Article 7.

After the fix.

  • GTM is set to consent mode v2. All non-essential tags are blocked by default.
  • The banner shows Accept and Reject as two equal primary buttons. Both close the banner in one click.
  • A third "Customise" button opens per-category toggles. All toggles start in the off position.
  • The Customise page names Meta and Google as recipients of pixel data.
  • A "Cookie settings" link sits in the footer of every page. Clicking it reopens the preference centre.

The webshop now passes the AP's nine rules. Consent collected through the new banner satisfies GDPR Article 7.

Google's Consent Mode v2 adjusts what Google Analytics and Google Ads collect. The adjustment depends on consent status. Consent Mode is not a substitute for a compliant banner.

With Consent Mode active:

  • If the visitor accepts, full tracking proceeds.
  • If the visitor rejects, Google uses modelled data to fill the gaps.

Even with Consent Mode v2, Google still receives some signals when consent is rejected. Whether that meets the Telecommunicatiewet's consent requirement is debated. The safer reading is simple. Consent Mode reduces data collection on rejection. The banner itself must still meet every AP rule. Consent Mode does not fix a non-compliant banner.
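As an added illustration (not code from the original article or from Google's documentation), the snippet below sets every Consent Mode v2 signal to denied by default and updates it from the banner's per-category choice. The mapping from the banner's three categories to Google's signal names is an assumption to adapt to your own banner.

```javascript
// Standard Google tag bootstrap: commands are queued on dataLayer.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Assumed mapping from the banner's categories to Consent Mode v2 signals.
const SIGNALS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data'],
  personalisation: ['ad_personalization', 'personalization_storage'],
};

// Build the full signal set: every signal is 'denied' unless its category
// was explicitly accepted, so a missing or malformed choice never grants.
function toSignals(accepted = []) {
  const out = {};
  for (const [category, names] of Object.entries(SIGNALS)) {
    const state = accepted.includes(category) ? 'granted' : 'denied';
    for (const name of names) out[name] = state;
  }
  return out;
}

// Must run before the GTM/gtag snippet so tags see 'denied' from the first event.
function setDefaults() {
  gtag('consent', 'default', toSignals([]));
}

// Call from the banner's Accept, Reject and Customise handlers, and on withdrawal.
function applyChoice(accepted) {
  gtag('consent', 'update', toSignals(accepted));
}

setDefaults();
applyChoice(['analytics']); // constructed example: visitor accepts analytics only
```

These signals only govern how Google tags behave; other tags in the container, such as the Meta Pixel, still need their own consent condition before they fire.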

Technical checklist

Use this to audit your current setup.

Before any banner interaction.

  • No analytics scripts have loaded
  • No advertising pixels have loaded (Facebook, Google Ads)
  • No social media embeds have loaded
  • No heatmap tools or session recording tools have loaded

Banner design.

  • Reject is a primary button. It is equal in size to Accept
  • No pre-ticked checkboxes for non-functional categories
  • All non-essential categories are unticked by default
  • No cookie wall. The site is accessible without accepting

Banner content.

  • Identifies your organisation as the data controller
  • Lists cookie categories and purposes
  • Links to your privacy policy
  • Links to a full cookie list

After consent.

  • Scripts only load for categories the user accepted
  • Consent choice is saved across visits
  • Consent record stored (timestamp, version, categories)

Ongoing.

  • Users can reach a preference centre to change their choice
  • The preference centre is reachable from every page (footer link)
  • Withdrawing consent stops ongoing tracking immediately

These platforms are commonly used for Dutch market compliance.

  • CookieYes. Dutch-law aware. Customisable layouts.
  • Usercentrics. Enterprise-grade. Used by larger Dutch organisations.
  • Iubenda. Multi-jurisdiction support.
  • Cookiebot (Usercentrics). Automated cookie scanning plus banner management.
  • Complianz. WordPress plugin popular in the Netherlands.
  • CookieFirst. Dutch company built specifically for Dutch and EU compliance.

The platform is only as good as its configuration. Even a reputable CMP can be set up non-compliantly. The most common mistake is giving Reject less visual weight than Accept.

Self-implementation considerations

If you are managing consent without a third-party CMP, you need four things.

  1. Tags and scripts blocked server-side or via a tag manager until consent is captured
  2. Consent state persisted across pages and sessions
  3. Consent revocable, with revocation immediately stopping scripts from loading
  4. Consent record stored in a way that does not itself require consent

Most implementations use a tag manager. Google Tag Manager with consent mode is one option. A privacy-focused alternative is another. Combine the tag manager with a banner that signals consent state.
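The four requirements above and the rule 9 consent record can be combined in one small consent gate. This is an added sketch, not code from the original article; `createConsentGate`, the `consent` storage key, the banner version label and the tag list are all hypothetical names.

```javascript
// Non-essential categories named in the article; all are off until chosen.
const CATEGORIES = ['analytics', 'advertising', 'personalisation'];
const BANNER_VERSION = '2026-05-v1'; // hypothetical label for the banner text shown

// storage: object with getItem/setItem (localStorage in a browser).
// auditLog: array standing in for the separate consent datastore.
function createConsentGate(storage, auditLog, now = () => new Date()) {
  const read = () => {
    try { return JSON.parse(storage.getItem('consent') || 'null'); }
    catch { return null; } // corrupt value: treat as no consent
  };
  // Consent given under an older banner version does not carry over.
  const current = () => {
    const c = read();
    return c && c.bannerVersion === BANNER_VERSION && Array.isArray(c.categories) ? c : null;
  };
  function record(choices) {
    // Only an explicit `true` for a known category counts as consent.
    const categories = CATEGORIES.filter((c) => choices[c] === true);
    const entry = { timestamp: now().toISOString(), bannerVersion: BANNER_VERSION, categories };
    storage.setItem('consent', JSON.stringify(entry)); // persists across pages and visits
    auditLog.push(entry); // three fields only: no user id, no pre-consent profile key
    return entry;
  }
  const mayLoad = (category) => { const c = current(); return c !== null && c.categories.includes(category); };
  return {
    decide: record,
    withdraw: () => record({}), // one call; the next mayLoad() already refuses
    needsBanner: () => current() === null, // first visit or banner text changed
    mayLoad,
    // 'functional' tags always pass; everything else needs an accepted category.
    tagsToLoad: (tags) => tags.filter((t) => t.category === 'functional' || mayLoad(t.category)),
  };
}

// Constructed demo: in-memory storage and a hypothetical tag list.
function demo() {
  const mem = new Map();
  const storage = { getItem: (k) => (mem.has(k) ? mem.get(k) : null), setItem: (k, v) => mem.set(k, v) };
  const log = [];
  const gate = createConsentGate(storage, log, () => new Date('2026-05-01T10:00:05Z'));
  const tags = [{ src: '/cart.js', category: 'functional' }, { src: '/ga.js', category: 'analytics' }, { src: '/pixel.js', category: 'advertising' }];
  const before = gate.tagsToLoad(tags).map((t) => t.src);
  gate.decide({ analytics: true, advertising: 'yes' }); // 'yes' is not `true`: stays off
  const after = gate.tagsToLoad(tags).map((t) => t.src);
  gate.withdraw();
  return { before, after, afterWithdraw: gate.tagsToLoad(tags).map((t) => t.src), log };
}
```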

Checking your banner

To verify your banner works correctly, follow these steps.

  1. Open your website in an incognito window
  2. Before clicking anything, open developer tools. Move to the Network tab
  3. Look for requests to google-analytics.com, facebook.com or other tracking domains
  4. If any appear before you interact with the banner, your banner is non-compliant
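The same check can be run over a HAR file exported from the Network tab. This is an added example, not part of the original article or of the validator package mentioned below; the sample HAR is constructed, and the last two entries in the domain list are illustrative additions to the two domains named in step 3.

```javascript
// Tracking domains to flag. The first two are named in the steps above;
// the rest are illustrative additions, extend the list for your own stack.
const TRACKER_DOMAINS = [
  'google-analytics.com',
  'facebook.com',
  'connect.facebook.net',
  'doubleclick.net',
];

// Match on the parsed hostname (exact or subdomain), never on the raw URL,
// so a tracker name inside a path or query string is not a false positive.
function trackerFor(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null; // malformed entry
  }
  return TRACKER_DOMAINS.find((d) => host === d || host.endsWith('.' + d)) || null;
}

// Return every tracker request in the HAR that started before `consentAt`.
// Pass consentAt = null when the capture ended before any banner click:
// then every tracker request is a pre-consent request.
function preConsentTrackers(har, consentAt = null) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  return har.log.entries
    .map((e) => ({ url: e.request.url, at: e.startedDateTime, tracker: trackerFor(e.request.url) }))
    .filter((r) => r.tracker !== null && Date.parse(r.at) < cutoff);
}

// Constructed sample HAR (not captured from a real site).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-05-01T10:00:00.100Z', request: { url: 'https://shop.example/' } },
  { startedDateTime: '2026-05-01T10:00:00.400Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2026-05-01T10:00:00.450Z', request: { url: 'https://shop.example/blog?ref=facebook.com' } },
  { startedDateTime: '2026-05-01T10:00:09.000Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
] } };

const findings = preConsentTrackers(SAMPLE_HAR, '2026-05-01T10:00:05.000Z');
console.log(findings.length ? 'NON-COMPLIANT' : 'no pre-consent trackers seen', findings);
```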

For automated testing, our open-source @trustyourwebsite/cookie-consent-validator checks whether your banner actually stops tracking after rejection.

Does the Cookiewet still apply after the GDPR?

This question comes up often. The short answer is yes.

The original "Cookiewet" was folded into Article 11.7a of the Telecommunicatiewet. It is the Dutch implementation of Article 5(3) of the ePrivacy Directive (2002/58/EC). The GDPR does not replace it. The two laws work together. Article 11.7a decides when consent is required for placing cookies. The GDPR decides what valid consent looks like. Both must be satisfied at the same time.

The ePrivacy Regulation has been proposed as an EU replacement for the directive. It is not yet in force in 2026. Until then, Article 11.7a of the Telecommunicatiewet remains the operative Dutch rule for cookies.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
