Nixon Digital

Dutch DPA warns 50 organizations over cookie banner violations

Dutch privacy regulator warns 50 organizations over misleading cookie banners

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) issued formal warnings to 50 organizations for the use of deceptive cookie banners. The banners in question were found to violate the transparency and consent requirements set out by the GDPR and the Dutch implementation of the ePrivacy directive.

These violations are not minor technicalities. They represent a systemic failure to respect user privacy on some of the most visited websites in the Netherlands. The AP’s intervention follows growing public pressure and is part of a broader European trend where regulators are no longer tolerating non-compliant consent mechanisms.

What the Dutch DPA found

The AP’s investigation revealed several recurring patterns:

  • Websites made it easy for users to accept cookies, but difficult to reject them.
  • Consent banners often lacked a “reject all” option on the first layer.
  • Some websites collected personal data before any consent was given, particularly through high-risk tracking tools.
  • Cookie walls were used without valid legal justification.
  • Consent logging was absent or incomplete, making it impossible to demonstrate compliance afterward.

Organizations have been given until June 2025 to bring their websites into compliance. Failure to do so may lead to further regulatory action, including financial penalties and public naming.

A national enforcement wave, mirroring the UK

This move mirrors recent action by the UK Information Commissioner’s Office (ICO), which earlier this year began auditing the top 1,000 websites in the UK for cookie consent compliance. While the legal frameworks differ slightly between the UK and the Netherlands, the enforcement goals are aligned: to ensure users have genuine, informed control over what data is collected about them online.

The pattern is becoming clear. Regulators across Europe are raising the bar. They are no longer relying on guidance and patience alone. Investigations and enforcement have become the default response to persistent non-compliance.

What happens if your website is not compliant?

If the ICO finds that a website is not following the rules, it can issue enforcement notices requiring immediate changes. In more serious cases, businesses can be fined under UK data protection law. Even if a website does not receive a fine, public exposure of non-compliance can harm customer trust.

Beyond legal penalties, failing to comply can also impact marketing effectiveness. Many ad platforms require compliance with data privacy regulations, and improper consent mechanisms could result in lost advertising revenue.

Why this is especially relevant for Dutch enterprises

Earlier this year, we at Nixon Digital conducted in-depth research into 150 large Dutch corporate websites using Nixon Lite. The findings confirmed what many privacy officers already suspected:

  • 42.7% of homepages load high-risk trackers before user consent

    This includes third-party trackers like Facebook, Hotjar, or LinkedIn Ads, all of which begin processing personal data on page load, often before a user sees the cookie banner.

  • 12.6% had not implemented Google Consent Mode V2

    Google’s updated consent mode is essential for aligning your marketing stack with privacy laws. Without it, organizations may be collecting and sharing user data improperly.

  • CMP misconfigurations were widespread

    Even among companies using leading Consent Management Platforms (CMPs) like OneTrust or Usercentrics, we found errors that resulted in unauthorized tracking. These include broken opt-out buttons, non-functional preferences, and banners that failed to block scripts correctly.

These are not merely technical issues. They are compliance risks. And they affect some of the most high-profile organizations in the country.

The operational challenge: compliance at scale

For privacy officers, CISOs, and digital leads responsible for multiple domains or brands, fixing a single cookie banner is rarely enough. The real challenge lies in maintaining compliance over time, across all your websites, channels, and CMS environments.

  • Banners drift out of compliance due to content updates and script changes.
  • Local teams install marketing tools without informing legal or IT.
  • No central system exists to track which site runs which CMP version.
  • Ownership is often unclear: who is responsible for fixing the issue?

Without continuous scanning and centralized visibility, even well-intentioned companies fall short.

How to prepare: auditing, monitoring, documenting

To meet the expectations of the AP, your organization should:

  • Audit all live websites for cookies, trackers, and consent behavior.
  • Ensure that consent is gathered before any data collection occurs.
  • Validate that users can easily reject tracking on the first banner layer.
  • Log and retain proof of consent in case of audit.
  • Map responsibility: assign cookie compliance to specific teams or roles.
  • Review Google Consent Mode V2 implementation across all domains.
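
A first-pass check for the "consent before any data collection" item above, added here as an example and not Nixon Digital's tooling: it reads a browser HAR export and lists requests to tracker hosts that started before consent was given. The suffix map, function names and sample capture are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Illustrative hostname suffixes for the vendors the article names (an assumption).
TRACKER_SUFFIXES = {
    "facebook.net": "Facebook", "facebook.com": "Facebook",
    "hotjar.com": "Hotjar",
    "ads.linkedin.com": "LinkedIn Ads", "licdn.com": "LinkedIn Ads",
}

def parse_ts(value):
    # HAR timestamps are ISO 8601; map a trailing "Z" to an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def vendor_for(host):
    host = (host or "").lower().rstrip(".")
    for suffix, vendor in TRACKER_SUFFIXES.items():
        # Match on a label boundary so "example-hotjar.com" is not a false hit.
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def pre_consent_tracker_hits(har, consent_at=None):
    # consent_at: ISO 8601 time "accept" was clicked; None means the banner was
    # never touched, so every request in the capture counts as pre-consent.
    cutoff = parse_ts(consent_at) if consent_at else None
    hits = []
    for e in har["log"]["entries"]:
        if cutoff is not None and parse_ts(e["startedDateTime"]) >= cutoff:
            continue
        url = e["request"]["url"]
        vendor = vendor_for(urlsplit(url).hostname)
        if vendor:
            headers = e.get("response", {}).get("headers", [])
            cookie = any(h["name"].lower() == "set-cookie" for h in headers)
            hits.append({"vendor": vendor, "url": url, "sets_cookie": cookie})
    return hits

def har_entry(ts, url, *headers):  # builds one constructed HAR entry
    return {"startedDateTime": "2025-04-01T10:00:" + ts + "Z", "request": {"url": url},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers]}}

SAMPLE_HAR = {"log": {"entries": [  # constructed capture, not real traffic
    har_entry("00.000", "https://www.example.com/"),
    har_entry("00.450", "https://connect.facebook.net/en_US/fbevents.js"),
    har_entry("00.600", "https://static.hotjar.com/c/sample.js", ("Set-Cookie", "id=constructed")),
    har_entry("00.700", "https://cdn.example-hotjar.com/lib.js"),
    har_entry("07.000", "https://px.ads.linkedin.com/collect"),
]}}
```

Run it against a capture from a fresh browser profile so that earlier consent choices and cached scripts do not hide requests.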

From insight to action: tools that scale with you

At Nixon Digital, we specialize in privacy compliance for complex website portfolios. Whether you manage 10 or 500 domains, our solutions provide clarity, control, and actionable insights. Nixon Lite gives you a one-time privacy scan of any single webpage. The Nixon Platform goes further: continuous auditing, real-time alerts, integrated workflows, and ownership assignment across your digital landscape.

The AP’s warning is a clear signal. Compliance is not just about having a cookie banner. It is about how that banner behaves, what it blocks, what it allows, and what choices it offers to users. Those choices must be easy, equal, and enforceable.

Are your websites truly compliant—or just giving the appearance of it?

Bryan
Marketeer
