The Dutch Data Protection Authority recently updated its cookie banner guidance. This comes after the agency, the Autoriteit Persoonsgegevens (or AP), promoted a goal earlier this year to monitor 500 websites a year to ensure their use of cookies complies with GDPR. The Dutch are not the only ones concerned about cookie banners. See, for example, activity from the UK that we wrote about last year. Of note, the Dutch authority stresses in its guide that even if a company uses third-party consent management platforms, the site operator is still responsible for compliance.
In its guidance, the Dutch authority has reminded companies that if they use cookies that collect personal information, they need a banner that clearly tells people what personal information the site collects and if the company shares that information with anyone else. This content must be in the banner's first layer. If visitors want more details, they can find more layers with extra information. The guide gives as a suggested banner one with three choices: "Accept," "Reject," and "Set It Yourself."
Once the user clicks to the second layer (where they can control their options), the Dutch authority cautions that for consent to be valid, sliders, toggles, or other choice mechanisms must be easy to understand. If there are check boxes, they cannot be pre-checked. It also must be just as simple for users to withdraw consent as it was to give it.
The Dutch authority's guidance also addresses categorizing cookies, stressing that they should be separated into those where consent is required and those where it is not. The Dutch authority reminds companies in its guide that cookies that are placed based on a "legitimate interest," for example functional or analytic cookies, do not require consent.
Putting it into Practice: This guide is a reminder that regulators are focused on the level of control companies give over website tracking tools. Keep in mind that cookies are dynamic: lower risk by avoiding a "set it and forget it" approach to cookie categorization. Other techniques can include regularly testing banners for user ease and functionality.