Dutch regulator reduces AS Watson fine to €50,000 for cookie violations
Dutch authority cuts penalty after company appeals original decision against Kruidvat website tracking practices.
The Dutch Data Protection Authority (AP) reduced a penalty against AS Watson Health & Beauty Continental Europe B.V. to €50,000 on May 27, 2025, following the company's successful appeal of an earlier enforcement action. The authority announced the decision after determining that circumstances warranted moderating the original fine imposed on May 3, 2024.
According to the AP's decision document, AS Watson had objected to the initial penalty, which stemmed from violations related to tracking cookies on the Kruidvat.nl website. The original investigation found that the company processed personal data through tracking cookies without obtaining proper consent from website visitors, violating Article 6 and Article 5 of the General Data Protection Regulation (GDPR).
Get the PPC Land newsletter ✉️ for more like this.
Summary
Who: AS Watson Health & Beauty Continental Europe B.V., parent company of Dutch drugstore chain Kruidvat, and the Dutch Data Protection Authority (AP)
What: The AP reduced an administrative fine from an undisclosed higher amount to €50,000 for GDPR violations related to tracking cookies on the Kruidvat.nl website
When: The reduced penalty was announced on May 27, 2025, following an appeal of the original May 3, 2024 decision
Where: The Netherlands, specifically affecting the Kruidvat.nl website operated by AS Watson Health & Beauty Continental Europe B.V.
Why: AS Watson processed personal data through tracking cookies without obtaining proper consent from website visitors, violating Articles 5 and 6 of GDPR. The fine was reduced due to the lengthy procedural timeline, company cooperation in acknowledging violations, and the relatively minor severity of the breach compared to other potential violations.
The enforcement action centered on AS Watson's failure to establish a lawful basis for processing personal data collected through cookies during user visits to kruidvat.nl. According to the authority, "AS Watson heeft nagelaten toestemming te vragen aan betrokkenen voor de verwerking van hun persoonsgegevens door (tracking) cookies te gebruiken bij het bezoek van betrokkenen aan de website kruidvat.nl."
The enforcement action centered on AS Watson's failure to establish a lawful basis for processing personal data collected through cookies during user visits to kruidvat.nl. According to the authority, AS Watson "failed to ask for consent from data subjects for the processing of their personal data by using tracking cookies during visits by data subjects to the website kruidvat.nl."
The AP's evaluation considered multiple factors when determining the reduced penalty amount. The authority applied both its 2019 Policy Rules for determining administrative fine amounts and the European Data Protection Board's Guidelines 04/2022 for calculating administrative fines under GDPR. According to the decision document, both methodologies yielded the same penalty amount in this case.
Under the AP's classification system, violations of Articles 5 and 6 of GDPR fall into Category III, which carries a penalty range of €300,000 to €750,000. However, the authority considered several mitigating circumstances. According to the decision, "the long duration of the procedure at the AP, without the investigation and subsequent enforcement phase justifying this treatment duration, the recognition of the (complete) violation by AS Watson, the minor severity of the violation" justified reducing the fine.
The reduced penalty reflects the AP's assessment of procedural factors and company cooperation. The authority noted the lengthy duration of proceedings without justification from the investigation and enforcement phases. Additionally, AS Watson's full acknowledgment of the violations and the relatively minor severity of the breach influenced the final amount.
The case illustrates ongoing regulatory focus on cookie compliance across European markets. Cookie-related enforcement has intensified throughout 2024, with the Dutch DPA conducting additional compliance checks on website implementations. The regulatory body has published detailed technical guidelines for implementing compliant cookie banners, including specific examples of acceptable and unacceptable practices.
Earlier enforcement actions demonstrate the AP's consistent approach to cookie violations. In December 2024, the authority fined Coolblue €40,000 for similar tracking cookie violations on its online shop. That case involved pre-selected checkboxes for cookie consent and assumptions of visitor agreement - practices explicitly prohibited under GDPR.
The AS Watson case follows a pattern of significant penalties for cookie-related violations across the Netherlands. In July 2024, the AP initially fined Kruidvat €600,000 for illegal tracking cookies, representing one of the more substantial penalties in the Dutch market. That enforcement action highlighted violations including pre-ticked boxes for accepting tracking cookies and complex processes for users attempting to refuse cookies.
The technical violations identified in the AS Watson investigation mirror common compliance failures across the industry. Cookie consent mechanisms that fail to provide equally accessible options for accepting and rejecting tracking technologies have become a primary enforcement target. French authorities have similarly acted against deceptive cookie consent practices, identifying issues with visual hierarchies that pressure users toward accepting cookies.
The marketing industry has closely monitored these enforcement developments as cookie compliance costs increase. GDPR enforcement statistics show authorities have imposed over 6,680 fines totaling approximately €4.2 billion since implementation. Ireland's data protection authority has levied the highest total amount at €2.8 billion, while Luxembourg follows at €746 million.
According to the AP's decision, the €50,000 penalty represents an amount that is "effective, proportionate and deterrent." The authority emphasized that the fine amount ensures compliance with EU Charter of Fundamental Rights requirements and Dutch administrative law principles preventing disproportionate outcomes.
The enforcement timeline reveals the lengthy process typical of data protection investigations. The initial probe began in late 2019, with follow-up compliance checks conducted in April 2020. AS Watson eventually rectified the violations in October 2020, but the formal enforcement process continued through the May 2024 decision and subsequent appeal resolution in May 2025.
For companies operating cookie-based advertising technologies, the case underscores critical compliance requirements. Valid consent mechanisms must avoid pre-selected options and provide equally prominent choices for accepting or declining tracking. The Planet49 case established in 2019 that pre-ticked boxes do not constitute valid consent under GDPR, an interpretation actively enforced by regulators.
The reduced penalty amount reflects several factors beyond the technical violations. The AP considered the extended procedural timeline, company cooperation in acknowledging violations, and the relatively minor nature of the breach when compared to more severe data protection violations. These considerations align with established precedent in similar cookie compliance cases.
AS Watson's acknowledgment of violations during the appeal process likely influenced the penalty reduction. Companies that cooperate fully with investigations and implement necessary corrections typically receive more favorable treatment in enforcement actions. The decision establishes a framework for how regulatory authorities balance procedural fairness with enforcement effectiveness.
The cookie compliance landscape continues shifting as browser manufacturers implement new tracking restrictions. Chrome's implementation of Tracking Protection and similar privacy features in Safari and Firefox have reduced reliance on third-party cookies. However, first-party cookie implementations remain subject to consent requirements under GDPR.
Industry observers note the importance of implementing technically compliant consent mechanisms before regulatory scrutiny intensifies. The AS Watson case demonstrates that even acknowledged violations can result in significant penalties, though cooperation and remediation efforts may influence final amounts. The €50,000 fine represents a substantial reduction from potential maximum penalties but still reflects meaningful enforcement action.
The decision document indicates that collection of the fine will be handled by the Centraal Justitieel Incassobureau (CJIB). AS Watson has the option to appeal the decision to an administrative court within six weeks of the announcement date, though the company had already achieved a significant reduction through the initial appeal process.
Timeline
- Late 2019: Dutch DPA begins investigating cookie compliance across multiple websites including Kruidvat.nl
- April 2020: Follow-up compliance check reveals continued violations
October 2020: AS Watson implements necessary corrections to website - May 3, 2024: AP issues initial penalty decision against AS Watson
- May 27, 2025: AP reduces fine to €50,000 following company appeal
- July 2024: AP initially fined Kruidvat parent company €600,000 for similar violations
- December 2024: Dutch DPA fines Coolblue €40,000 for cookie consent violations