The Personal Data Authority (AP) has imposed a fine of 600,000 euros on the company behind drugstore Kruidvat. The reason for the fine is that the company tracked visitors to Kruidvat.nl with tracking cookies, without their knowledge or consent. The company thus collected and used sensitive personal data of millions of website visitors against the rules.
The company behind Kruidvat, AS Watson (Health & Beauty Continental Europe) B.V., collected data from website visitors, allowing it to create personal profiles of these people. In addition to location data of visitors, this included which pages they visited, which products they added to the shopping cart and purchased, and which recommendations they clicked on.
This is very sensitive information, due to the specific nature of drugstore products. Such as pregnancy tests, contraceptives or medication for a variety of ailments. That sensitive information, coupled with the location (which is potentially traceable through the IP address) of the unique visitor, can draw a very specific and invasive profile of the people who visit Kruidvat.nl.
Aleid Wolfsen, chairman of the AP: 'Tracking cookies or tracking software allow organizations to watch your Internet behavior. This is not allowed without permission and without letting your customers know. Because what you do on the Internet is very personal. An organization may only track that if you explicitly agree. And you must have the option to refuse this tracking software, without it being detrimental to you.'
Kruidvat.nl should have sought permission from visitors before placing tracking cookies on their computers. The privacy law AVG sets a number of requirements for valid consent. Those requirements are that consent must have been freely given, for a specific processing of personal data, based on sufficient information and that there must be no doubt that consent has been given.
In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. This is not allowed. Visitors who still wanted to refuse the cookies had to go through many steps to get this done. The AP found that personal data of Kruidvat.nl website visitors had been processed unlawfully.
In late 2019, the AP launched an investigation into several websites, including Kruidvat.nl. The AP tested whether these websites complied with the requirements for placing (tracking) cookies. In doing so, the AP checked whether permission for tracking cookies was sought from website visitors and, if so, exactly how this was done.
Kruidvat.nl was found to be non-compliant, whereupon the AP sent the company a letter. In April 2020, the AP found that Kruidvat.nl was still not in compliance. The AP then began to investigate this website further. By October 2020, this violation had ended.
There is growing social irritation about cookies and cookie notifications, ranging from annoying and misleading banners to concerns about surreptitious tracking of Internet users. The AP will check more frequently in 2024 whether websites are properly requesting permission for tracking cookies or other tracking software.
It is important that people keep a grip on their personal data when visiting websites. With clear information about the use of cookies, they can make an informed choice whether to give consent or not. Organizations should therefore provide a cookie banner that meets the legal requirements.
AS Watson (Health & Beauty Continental Europe) B.V. objected to the fine decision.