The Autoriteit Persoonsgegevens (AP) is going to check more closely this year whether cookies on websites are set up correctly. The AP sees that this still often goes wrong. Organizations still regularly use cookie banners that make it difficult to refuse cookies. The website visitor is not always properly informed about which cookies are placed. And if permission to place cookies is given, this permission is not always easy to withdraw.

First, you need to know what type of cookies you are going to set. There are different types of cookies. Functional cookies are necessary for the website to function properly technically. The website user must be informed about these cookies but permission is usually not required for them. In the case of some analytical cookies and tracking cookies, however, permission is required. With these cookies, the website visitor is identified and tracked.
In all cases, it is necessary to inform the website visitor about the use of cookies. This is often done through a cookie banner that pops up the moment the website is opened. In the banner, be clear about what type of cookie is placed and for what purpose. Also indicate clearly which cookies you are asking permission for. More specific information, for example about how long personal data is stored, may be placed in a second layer, such as a link to the cookie statement.
If consent is necessary, consent should be sought before cookies are placed. Using checkmarks or sliders is a clear way of asking permission. However, make sure the option is not pre-ticked. Giving consent should be an active action of the website visitor.
Consent should be expressed in clear language. Use words like "accept," "agree," or "decline." The AP indicates that the following wording is misleading and therefore incorrect: 'Yes, accept optimal cookies' versus 'No, I don't want an optimal experience.'
Accepting should be as easy as refusing. The buttons should be the same size and equally obvious. It should not be the case that the accept button is clearly at the top while the visitor must scroll down or click through to a second layer to reach the decline button. Also, you should be able to accept or decline with one click. Asking for additional confirmation ("Are you sure you don't want to accept?") is not allowed.
The consent issued must be easily revocable at any time. Clear information on how to withdraw consent must be provided in advance. The visitor must be able to withdraw consent without adverse consequences.
