Dutch privacy watchdog fines Kruidvat €600,000 for Illegal tracking cookies

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) this month announced a substantial fine of €600,000 imposed on AS Watson (Health & Beauty Continental Europe) B.V., the parent company of the popular Dutch drugstore chain Kruidvat. This penalty was levied due to the company's unlawful use of tracking cookies on its website, Kruidvat.nl, without obtaining proper consent from users. The fine highlights the growing scrutiny of digital privacy practices and the enforcement of data protection regulations in the Netherlands and across Europe.

The AP's investigation, which began in late 2019, revealed that Kruidvat.nl had been collecting sensitive personal data from millions of website visitors through tracking cookies without their knowledge or explicit consent. This practice violates the General Data Protection Regulation (GDPR), which requires clear and affirmative consent for the processing of personal data, especially when it comes to sensitive information.

According to the AP's findings, the data collected by Kruidvat.nl included visitors' location information, browsing history, product preferences, and purchase behaviors. Given the nature of products sold by Kruidvat, which include pregnancy tests, contraceptives, and various medications, this information is considered particularly sensitive. The combination of such data with location information (potentially derived from IP addresses) allowed the company to create detailed and invasive profiles of its website visitors.

Aleid Wolfsen, Chairman of the AP, emphasized the importance of user consent in tracking online behavior. He stated that organizations are not permitted to monitor internet behavior without explicit consent and proper notification to customers. Wolfsen highlighted that online activities are highly personal, and users must have the option to refuse tracking software without facing any negative consequences.

The investigation revealed several specific violations of privacy regulations by Kruidvat.nl. The website's cookie banner had pre-ticked boxes for accepting tracking cookies, a practice that is explicitly forbidden under GDPR. Furthermore, visitors who wished to refuse cookies were required to navigate through a complex and lengthy process, creating an undue barrier to exercising their privacy rights.

The AP's decision to impose this significant fine comes after a prolonged period of investigation and communication with AS Watson. The initial probe into various websites, including Kruidvat.nl, began in late 2019. After identifying non-compliance, the AP sent a letter to the company. However, a follow-up check in April 2020 showed that Kruidvat.nl was still not in compliance with privacy regulations, prompting a more detailed investigation. The company finally rectified the violation in October 2020.

This case is part of a broader effort by the AP to address growing public concerns about cookies and cookie notifications. These concerns range from annoying and misleading banners to worries about covert tracking of internet users. As a result, the AP has announced plans to increase its scrutiny of websites' cookie consent practices throughout 2024.

The importance of this enforcement action extends beyond the specific case of Kruidvat. It serves as a stark reminder to all online businesses operating in the Netherlands and the European Union about the seriousness of data protection regulations and the potential consequences of non-compliance. The size of the fine – €600,000 – is significant and designed to send a clear message to the business community about the importance of respecting user privacy.

To put this fine into context, it's worth noting that GDPR allows for penalties of up to €20 million or 4% of a company's global annual turnover, whichever is higher. While the fine imposed on AS Watson is not at the maximum level, it is substantial enough to have a significant impact and attract attention from other businesses.

The Kruidvat case also highlights the specific challenges faced by e-commerce websites, particularly those dealing with sensitive products like health and beauty items. These businesses must be especially cautious in their data collection and processing practices, given the potential for creating detailed profiles of customers based on their purchase history and browsing behavior.

The technical details of the Kruidvat case are particularly interesting. The use of pre-ticked boxes for cookie consent has been a contentious issue in privacy circles for years. In 2019, the Court of Justice of the European Union ruled in the Planet49 case that pre-ticked boxes do not constitute valid consent under GDPR. The Kruidvat case shows that regulators are actively enforcing this interpretation.

Moreover, the AP's criticism of Kruidvat's complex cookie refusal process touches on the concept of "dark patterns" in user interface design. Dark patterns are design choices that manipulate or heavily influence users into making certain decisions. In the context of privacy, making it difficult to refuse cookies while making acceptance easy is considered a dark pattern and is increasingly frowned upon by regulators.

The impact of this fine and the associated publicity could be far-reaching. Other e-commerce businesses, particularly those in the health and beauty sector, are likely to review their own cookie policies and consent mechanisms to ensure compliance. This could lead to a wave of website updates across the Netherlands and potentially beyond, as companies seek to avoid similar penalties.

Furthermore, this case may encourage greater consumer awareness about online privacy rights. As news of the fine spreads, more internet users may become conscious of their right to refuse cookies and may start to scrutinize the cookie policies of websites they visit more closely.

It's worth noting that AS Watson has filed an objection to the fine. This legal challenge could potentially lead to further clarification of cookie consent requirements in the Netherlands. The outcome of this objection will be closely watched by privacy advocates, businesses, and legal experts alike.

In conclusion, the €600,000 fine imposed on AS Watson for Kruidvat's cookie practices represents a significant moment in the enforcement of digital privacy regulations in the Netherlands. It underscores the importance of obtaining clear and affirmative consent for data collection, especially when dealing with sensitive personal information. As we move forward, we can expect to see continued scrutiny of online tracking practices, with regulators taking an increasingly active role in enforcing compliance with privacy laws.

The Kruidvat case serves as a wake-up call for businesses to prioritize user privacy and transparency in their digital operations. It also highlights the ongoing challenge of balancing the needs of digital marketing and e-commerce with the fundamental right to privacy in the online world. As technology continues to evolve and new forms of data collection emerge, this balance will remain a critical issue for regulators, businesses, and consumers alike.