A new enforcement sweep on cookie banners, conducted by the Netherlands privacy regulator, shows both EU and US companies the need to prioritize website tracking hygiene and transparency.

In Europe

The Netherlands privacy regulator, the AP, issued warnings to 200 websites about their cookie banners. Three-quarters of them adjusted their misleading cookie banners. The AP has initiated investigations against the rest.

The AP has also published a guide on compliant cookie use. Per the guide, the rules of thumb are:

  • Provide information about the processing of personal data and the purpose of the processing – you may want to use layers, but the first layer has to say that you are sharing information with third parties (this is also the case in the US per FTC enforcement).
  • Do not pre-check boxes – In the US, by contrast, boxes generally may be pre-checked, unless you are dealing with sensitive information.
  • Use clear text
  • Place the different choices on the same layer
  • Don’t hide certain choices
  • Don’t require extra clicks – In the US too, California regulators have enforced against opt-out flows that require more clicks than opting in.
  • Do not bury the choice in an inconspicuous link in the text – Opting out or rejecting should be just as obvious as opting in. California has enforced against asymmetrical choices.
  • Make withdrawing consent as easy as giving consent
  • Do not confuse consent with legitimate interest

In the US: 

The risk profile for placing tracking cookies is more complicated, because exposure comes from several directions: state privacy laws, special state privacy laws on sensitive data, consumer protection laws, HIPAA, data breach notification requirements, traditional torts (such as invasion of privacy) and wiretapping laws.

  • Under the state privacy laws: You cannot deploy cookies that amount to a “sale” of personal data without providing an option to opt out. If your cookies collect sensitive data, most states require an opt-in. Some states, like Washington, and soon New York, require a separate authorization, which may be difficult to implement.
  • HIPAA: Also addresses the collection of data through cookies if the data can be considered “PHI”. This applies to authenticated users (“behind the log-in”), but in some cases can also apply to unauthenticated users.
  • Data breach notification laws: May be implicated if you share, through third-party trackers, information that is breach reportable. This has already happened to an electronic health record provider in the US and to a bank in Europe.
  • Consumer protection laws: Sharing information through trackers can be deemed an unfair or deceptive act or practice. The FTC has so decided, and the New York Attorney General has said that it will enforce website compliance through this lens.
  • Wiretapping laws: Failure to notify and provide a choice regarding tracking technologies has lately been the subject of many lawsuits under wiretapping statutes such as the California Invasion of Privacy Act (CIPA) and others.
  • Other laws: Plaintiffs have used a variety of theories in website compliance lawsuits, ranging from intrusion upon seclusion to breach of confidence to unjust enrichment.

Whether you are in the US or in the EU, regulators and plaintiffs’ firms are taking a close look at your website tracking compliance. What used to be a very low priority is now on the radar, and companies should take a renewed look at their websites with that in mind.