In April 2025, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) began a systemic crackdown on “misleading” cookie consent mechanisms.
Websites implementing unlawful cookie banners were warned that they risked regulatory action. The majority of websites that received such a warning have now achieved compliance, but many failed to do so.
Last month, the regulator announced that it was launching enforcement action against website operators who failed to act. Here’s an overview of the AP’s campaign and its next steps for non-compliant organizations.
Results of the campaign
The AP issued warnings to over 200 websites regarding their cookie banners. According to the regulator, approximately three-quarters of these organizations have since adjusted their banners to meet legal requirements.
Monique Verdier, Vice-Chair of the AP, stated that the warning approach has been effective. However, the regulator is now moving from guidance to enforcement for the remaining non-compliant entities.
Verdier said that any organizations failing to adjust their websites after a warning can expect an investigation or a fine.
Background to the crackdown
The AP began checking whether websites were requesting consent correctly in April 2025.
At that time, the regulator sent warning letters to an initial group of 50 organizations, including webshops, media companies, and insurers. These organizations were given three months to adjust their practices or stop “intrusively following” visitors.
The AP’s monitoring strategy involves:
- Automated scanning that constantly checks the cookie banners of 10,000 websites.
- Issuing targeted warnings to 500 organizations annually based on these scans.
- Conducting investigations and issuing fines against companies failing to heed warnings.
Common compliance failures
Throughout its investigation, the AP identified several common manipulative design techniques (or “dark patterns”) that organizations use to steer user consent. These included:
- Hiding the “reject” option on the second layer of the cookie banner, requiring users to click through to find it.
- Using pre-ticked boxes.
- Placing tracking cookies before the user has given consent.
- Placing cookies even after the user has clicked “reject”.
The AP’s enforcement history
The AP has already imposed significant fines on organizations that violate tracking rules, including:
- nl, an online pharmacy, received a €600,000 fine in 2024. The regulator found that the website placed tracking cookies immediately upon a user’s arrival, before they had interacted with the cookie banner.
- Coolblue, an electronics retailer, received a €40,000 fine last December after allegedly ignoring the regulator’s warnings over its cookie banner.
What this means for businesses
The AP’s latest update signals the end of the grace period for organizations that have already received warnings.
Consent is required to set cookies, pixels, and other trackers, except where necessary to provide a service requested by the user or to ensure your website functions correctly. Any cookies used for marketing or analytics purposes will generally require freely given, specific, informed consent.
Organizations operating in the Netherlands should review how they have implemented their consent management platforms to ensure they do not employ the misleading designs identified by the AP. With the regulator now taking enforcement steps, the risk of fines for non-compliance has increased significantly.