Dutch Cookie Law: Telecommunicatiewet Art. 11.7a

Most people talk about "GDPR cookie consent", but in the Netherlands, cookie consent is primarily governed by a different law: Article 11.7a of the Telecommunications Act (Telecommunicatiewet). Understanding the distinction matters because the Dutch law has specific exceptions that the GDPR does not, and the enforcement authority is the AP (Autoriteit Persoonsgegevens), not the European Data Protection Board.

Not sure whether your website is compliant? Scan your website free to see which cookies load before consent is given.

Why the Telecommunications Act, Not the GDPR?

The GDPR governs the processing of personal data. Cookies are a method of accessing and storing information on a user's device. The ePrivacy Directive (2002/58/EC), implemented in the Netherlands via the Telecommunications Act, specifically covers device access, independent of whether personal data is processed.

This means:

• Even a cookie that does not process personal data (rare in practice) still requires consent under the Telecommunications Act if it is not functionally necessary
• Cookies that do process personal data must comply with both the Telecommunications Act (consent to place the cookie) and the GDPR (lawful basis for processing personal data)
• The AP enforces both laws for cookies on Dutch websites

The Core Rule: Consent Before Placement

Article 11.7a paragraph 1 of the Telecommunications Act states:

A party may only store information on or retrieve information from the terminal equipment of a user with the user's prior consent.

"Terminal equipment" means the user's device: computer, phone, tablet. "Consent" must meet the GDPR standard: freely given, specific, informed and unambiguous affirmative action.

In plain terms: you cannot place cookies on a visitor's device or retrieve stored information without their consent first. The cookie banner must appear before any non-essential scripts load.

The Three Legal Exceptions

Article 11.7a paragraph 3 lists three situations where consent is not required. The matrix below summarises each, with detail following.

Google Analytics (including GA4) does not qualify for exception 3, since it generates a unique per-visitor client ID and sends data to a third party.

Exception 1: Strictly Necessary for Communication Transmission

Cookies that are technically essential to transmit a communication over an electronic network are exempt. This covers, for example, load balancing cookies that route traffic between servers. These are rare in typical websites and very narrow in scope.

Exception 2: Strictly Necessary for a Requested Service

Cookies that are strictly necessary to provide a service explicitly requested by the user are exempt. The key word is "strictly": it must be impossible to provide the service without the cookie.

Examples that qualify:

• Session cookies that keep you logged in
• Shopping cart cookies that remember what you have added
• Language preference cookies saved at the user's explicit choice
• Cookies that store your cookie consent choice
• CSRF protection tokens for form security

Examples that do not qualify:

• Analytics cookies (you can operate the website without them)
• Preference cookies for personalisation that was not explicitly requested
• Cookies placed by embedded third-party content (YouTube, Google Maps, social media), as these come from a different service than the one the user requested

Exception 3: Privacy-Friendly Analytical Cookies

This exception was added to Dutch law via amendment 33.902 in 2015. Analytical cookies are exempt if they meet all of the following conditions:

• Used solely to obtain statistical information about the use of the service
• Do not result in individual tracking across websites (no cross-site tracking)
• Data is not shared with third parties
• The service includes a clear explanation of the cookies used and an easy way for users to object (opt-out)

The AP has clarified that this exception is designed for self-hosted, aggregated analytics solutions. It does not cover Google Analytics.

Why Google Analytics does not qualify:

• GA4 generates a unique client ID per visitor, enabling individual tracking across sessions
• The data is sent to Google's servers (a third party)
• Google may use aggregated data for its own purposes

What does qualify:

• Plausible Analytics (cookieless, no personal data, no cross-site tracking)
• Fathom (cookieless, EU infrastructure option)
• Matomo in cookieless/fully anonymised mode, self-hosted
• Simple Analytics

With a qualifying analytics tool, you do not need a cookie banner at all for the analytics component.

What This Means in Practice

How the AP Enforces Cookie Rules

The AP (Autoriteit Persoonsgegevens) is the Dutch enforcement authority for both the Telecommunications Act and the GDPR. Since April 2025, the AP structurally checks whether Dutch websites request consent for tracking cookies in the correct way.

Enforcement approach:

1. Automated monitoring: the AP continuously scans the cookie banners of 10,000 Dutch websites
2. Complaint-driven investigation (anyone can file a complaint at autoriteitpersoonsgegevens.nl)
3. Warning letters with a deadline for compliance
4. Formal investigation when warnings are ignored
5. Fines and binding corrective orders

The AP has warned more than 200 websites about their cookie banners. About three-quarters adjusted their banners after the warning. The AP then launched formal investigations into those who refused.

Fines imposed:

• Kruidvat (AS Watson): fined for placing tracking cookies without proper consent, with the penalty later reduced on appeal
• Coolblue: fined for unsolicited use of cookies

The fine amounts reflect the scale of the business. For small businesses, the AP typically starts with a warning. But the warning letter comes with a deadline for compliance, and non-compliance leads directly to formal proceedings.

Nine rules the AP enforces on cookie banners:

1. Reject must be as easy as accept (same prominence, same clicks)
2. No pre-ticked consent boxes
3. Scripts must not load before consent
4. No cookie walls (consent cannot be required to access the website)
5. Consent must be specific per category (not one blanket accept)
6. Users must be able to withdraw consent as easily as they gave it
7. The banner must clearly identify who is processing data
8. Dark patterns that manipulate users toward consent are prohibited
9. Consent records must be maintained

For the full list of requirements, see our guide on cookie banner dark patterns and cookie banner requirements for the Netherlands.

Relationship Between the Telecommunications Act and GDPR

The two laws work together. The Telecommunications Act determines whether you need consent to place a cookie. The GDPR determines whether placing that cookie constitutes lawful processing of personal data.

For tracking cookies that collect personal data (which almost all do, including IP addresses, browsing behaviour and device fingerprints), you need:

1. Consent under the Telecommunications Act before placing the cookie
2. A valid legal basis under the GDPR for processing the resulting personal data. For tracking cookies, this is also consent under Article 6(1)(a) of the GDPR

In practice these overlap: properly obtained cookie consent satisfies both requirements.

Summary

The Dutch cookie law is stricter than many businesses assume. The three exceptions are narrow. Google Analytics does not qualify for the analytics exception. Most websites with third-party scripts (analytics, social media, maps, videos) need a proper consent banner.

Not sure what cookies your website places? Scan your website free to see exactly which cookies load and whether they require consent.

---

This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.