Dutch regulator releases final letters on cookie banner probe

The Dutch Data Protection Authority published final letters from five investigations into website cookie banner practices on July 15, 2025, according to documents released under the country's freedom of information law. The investigations concluded between March 24 and March 27, 2025, with enforcement actions terminated without financial penalties.

According to the published decision, the investigations began in 2024 targeting five unnamed websites for potential violations of the General Data Protection Regulation and ePrivacy Directive. The organizations violated data protection requirements by processing personal data through cookies without adequate legal basis, specifically through improperly designed consent banners.

Summary

Who: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) investigated five unnamed website operators for GDPR and ePrivacy Directive violations related to cookie banner implementations.

What: Investigations found improperly designed cookie consent banners that failed to obtain valid user consent for personal data processing, with enforcement actions terminated after organizations implemented corrective measures.

When: Investigations began in 2024, concluded between March 24-27, 2025, with documents published July 15, 2025, following a freedom of information request processed from April through May 2025.

Where: The Netherlands, affecting five websites operating under Dutch jurisdiction, with documents published through the Dutch Data Protection Authority's official website and transparency portal.

Why: The authority aimed to ensure compliance with European data protection standards while demonstrating regulatory oversight of cookie consent practices, ultimately choosing corrective over punitive measures due to organizations' prompt remedial actions and the limited scope of violations.

The investigations revealed that cookie banners on the examined websites were "designed in such a way that consent within the meaning of the GDPR could not be established," according to the termination letters signed by A.C. de Bruijne, director of Legal Affairs and Legislation. Additionally, some websites processed personal data through cookies without any user consent, which the authority classified as unlawful.

The Dutch authority initiated enforcement proceedings against all five organizations, sending investigation reports and draft enforcement decisions between January and February 2025. Companies were provided opportunities to submit defensive statements, which they utilized between January 20 and February 21, 2025.

Despite finding violations, the authority chose to terminate enforcement actions without imposing administrative fines or other measures. The decision cited "very specific circumstances" in each case, noting that all organizations had modified their cookie banners to comply with GDPR requirements during the investigation period.

According to the Woo decision dated May 22, 2025, the enforcement termination reflected the relatively limited nature of the violations and the short duration of non-compliance. "Recovery was achieved through adjustment of cookie policy," the authority stated, emphasizing that violations had been resolved through remedial action rather than punitive measures.

The authority redacted all identifying information about the investigated organizations before publication. This approach aimed to prevent "disproportionate naming and shaming" given the limited severity of violations and absence of financial penalties. The decision noted that media coverage of data protection enforcement typically receives broad attention, potentially affecting organizational reputation and business operations.

Technical analysis within the termination letters indicates specific cookie implementation issues. One organization received clarification that a particular cookie served "another essential function" when no consent was given, leading to its subsequent deactivation. These technical details suggest sophisticated assessment methods employed during the investigations.

The investigation timeline spans several months, beginning with the initial Woo request submitted April 8, 2025. The requestor specified their interest in final letters regarding all five investigated websites on April 14, 2025. Processing involved consultation with affected organizations as third-party stakeholders, leading to deadline extensions through May 15, 2025.

The Dutch authority's approach contrasts with recent enforcement patterns across European jurisdictions. French regulators issued formal notices against multiple publishers in December 2024 for deceptive cookie banner designs. Belgian authorities imposed potential daily fines up to €25,000 against media company Mediahuis for cookie consent violations.

European data protection authorities have intensified scrutiny of cookie banner practices throughout 2024 and early 2025. Austrian regulators ordered public broadcaster ORF to modify consent interfaces for equal visual treatment of options. German courts clarified compliance requirements regarding scrolling content and reject button placement.

The enforcement approach demonstrates regulatory preference for compliance achievement over punitive action when organizations demonstrate willingness to address violations promptly. This methodology aligns with proportionality principles embedded within GDPR enforcement frameworks while maintaining deterrent effects through publication of investigation outcomes.

Cookie banner regulations derive from multiple legal sources, combining GDPR consent standards with ePrivacy Directive requirements. The Dutch implementation requires clear, unambiguous consent for non-essential cookies, prohibiting pre-selected options or designs that favor acceptance over rejection.

Legal experts note increasing regulatory consensus regarding acceptable cookie consent interface standards. The coordination of enforcement actions across multiple European jurisdictions suggests emerging harmonization of interpretation, despite variations in specific implementation requirements between member states.

The published documents totaling 7MB include both the Woo decision and redacted termination letters merged into a single file. The authority emphasized transparency objectives while protecting commercial interests of investigated organizations through anonymization.

Industry implications extend beyond the five investigated organizations. The detailed technical assessments provide guidance for website operators regarding compliant cookie banner implementation. Specific attention to consent banner design elements, cookie categorization, and user interface accessibility demonstrates regulatory expectations for lawful processing.

The termination approach reflects broader enforcement philosophy emphasizing corrective rather than punitive outcomes when organizations demonstrate good faith compliance efforts. This strategy maintains regulatory authority while encouraging voluntary compliance across the digital marketing ecosystem.

Marketing professionals should note the technical specificity of regulatory assessment methods. The investigations examined not only consent interface design but also underlying cookie implementation, suggesting comprehensive technical review capabilities within data protection authorities.

The timing coincides with ongoing debates regarding cookie deprecation timelines and alternative tracking technologies. While enforcement focused on traditional consent mechanisms, regulatory attention to emerging technologies continues developing as digital advertising adapts to privacy-enhanced environments.

Timeline

• 2024: Dutch Data Protection Authority initiates five investigations into website cookie banner practices
• January 20-February 21, 2025: Organizations submit defensive statements following enforcement notices
• March 24, 2025: First termination letter issued ending enforcement without penalties
• March 27, 2025: Final termination letters sent concluding all five investigations
• April 8, 2025: Freedom of information request submitted for investigation documents
• April 14, 2025: Request specified to cover final letters from all five investigations
• May 15, 2025: Extended deadline for processing following stakeholder consultation
• May 22, 2025: Woo decision approving partial document disclosure with redactions
• July 15, 2025: Dutch DPA publishes redacted investigation documents
• December 2024: French authorities target deceptive cookie banner designs
• September 2024: Belgian DPA imposes measures against Mediahuis