Two days ago, on December 24, 2024, the Dutch Data Protection Authority (Dutch DPA) imposed a €40,000 fine on Coolblue for unlawfully processing personal data through cookie tracking in 2020. The enforcement action stems from an investigation that revealed the company's online shop collected visitor data without obtaining explicit consent, according to official documents from the Dutch DPA.
The investigation, which began in late 2019, uncovered that Coolblue.nl employed pre-checked consent boxes for cookie usage and operated under an assumption of visitor agreement - practices that directly contravene the General Data Protection Regulation (GDPR). The regulatory body identified these violations during site visits in April and May 2020.
Following initial contact from regulators in November 2019, Coolblue received notification that its cookie consent mechanisms failed to meet legal requirements. The company continued operating with non-compliant practices until June 2020, when it finally implemented necessary adjustments to align with GDPR standards.
The Dutch DPA's investigation revealed specific technical violations in Coolblue's cookie implementation. The company's cookie statement incorrectly presumed visitor consent, while the technical configuration of their consent mechanism featured pre-selected checkboxes - a practice explicitly prohibited under current data protection legislation.
This enforcement action arrives amid intensified regulatory scrutiny of cookie consent practices across the Netherlands. The Dutch DPA has expanded its oversight activities throughout 2024, conducting additional compliance checks on website cookie implementations. The heightened enforcement reflects growing concerns over widespread non-compliance with data protection requirements in digital tracking practices.
The regulatory framework requires websites to obtain active, unambiguous consent before deploying cookies that collect personal data. This means visitors must take deliberate action to indicate their agreement, rather than having consent assumed or pre-selected on their behalf. The technical implementation must ensure that no personal data collection occurs before receiving explicit authorization from the user.
Industry impact extends beyond this single case, as the Dutch DPA has launched broader initiatives to improve cookie compliance across the digital landscape. The regulator has published detailed technical guidelines for implementing compliant cookie banners, including specific examples of acceptable and unacceptable practices.
Regulatory documents indicate that cookie-related complaints remain a significant concern among internet users. Many individuals report frustration with websites deploying cookies without proper consent mechanisms or implementing deliberately confusing interfaces that obstruct users' ability to decline tracking.
In response to these persistent issues, the Dutch DPA has initiated a comprehensive cookie campaign. This educational initiative aims to enhance organizational understanding of cookie compliance requirements while simultaneously raising public awareness about privacy implications of cookie tracking technologies.
The regulator's enforcement strategy combines punitive measures with educational outreach. While pursuing violations through financial penalties, the Dutch DPA also maintains extensive online resources detailing cookie regulations and privacy protection measures available to consumers.
This case highlights the technical complexities of implementing compliant cookie consent mechanisms in e-commerce environments. The specific violations identified in Coolblue's implementation - automatic consent assumption and pre-checked boxes - represent common technical mistakes that can result in significant regulatory consequences.
The Dutch DPA's enforcement action against Coolblue exemplifies the regulator's commitment to maintaining strict oversight of digital privacy practices. This case serves as a technical reference point for other organizations implementing cookie consent mechanisms, illustrating specific practices that fail to meet regulatory requirements.
Through this enforcement action and accompanying educational initiatives, the Dutch DPA continues its efforts to establish clear technical standards for cookie implementation while ensuring effective protection of individual privacy rights in digital environments.