Introduction
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) recently fined Coolblue €40,000 for violating the General Data Protection Regulation (GDPR). This decision, outlined in an official objection ruling, demonstrates how organizations can face substantial consequences for mishandling user consent regarding cookies. Below, we’ll unpack the case, explain how the AP reached its decision, and explore practical steps businesses can take to ensure cookie compliance.
Understanding the Coolblue Case
Between April and June 2020, Coolblue used tracking cookies on its website without obtaining proper user consent. The AP’s investigation revealed two significant issues with Coolblue’s cookie banner:
- Implied Consent: Coolblue assumed visitors consented to cookie usage simply by continuing to browse the site, without requiring an explicit action.
- Pre-Checked Options: The company used pre-selected checkboxes for cookie preferences, violating GDPR’s active-consent requirement.
Coolblue’s practices undermined the GDPR principle of lawfulness (Article 5) and lacked a valid legal basis for processing personal data (Article 6). While Coolblue eventually revised its cookie banner in June 2020, its earlier approach exposed the company to regulatory penalties.
How the Violation Was Proven
The AP built its case against Coolblue through detailed investigations:
- Initial Audit (2019): In October and November 2019, the AP reviewed Coolblue’s website and identified non-compliance with GDPR cookie consent rules. The agency issued a warning letter urging corrective action.
- Follow-Up Visits (2020): Subsequent inspections in April and May 2020 confirmed that the company had not updated its practices.
- Evidence of Non-Compliance: The AP documented how Coolblue’s cookie banner continued to assume consent and used default settings, contradicting GDPR guidelines. The Court of Justice of the European Union’s Planet49 ruling (2019) was cited as precedent, reinforcing that valid consent must involve an unambiguous affirmative action.
Although Coolblue ended the violations by June 2020, the AP concluded that the company’s earlier actions warranted a financial penalty.
Key Takeaways for Businesses
The AP’s detailed ruling not only highlights Coolblue’s shortcomings but also offers guidance for companies navigating cookie compliance:
1. Designing Compliant Cookie Banners
- Use clear language to explain cookie types and their functions.
- Offer distinct “Accept” and “Reject” options without pre-selecting either.
2. Avoiding Misleading Practices
- Don’t rely on implied consent or bury important information in dense legal text.
3. Regular Compliance Reviews
- Conduct periodic audits to ensure cookie practices meet evolving GDPR standards.
4. Learn from Precedents
- The Planet49 case underscores that consent must be active and informed. Use this as a benchmark for compliance.
5. Collaborate with Experts
- Seek legal or technical advice to implement robust cookie management systems.
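As an added example (not code from Coolblue's site or from the AP ruling), the JavaScript below models the two banner defects the ruling identifies, implied consent and pre-checked options, beside the behaviour the takeaways call for; the category names and the consent-record shape are assumptions for this demo.

```javascript
// Added example, not code from Coolblue or the AP. A DOM-free consent gate:
// category names and record format are assumptions; strictly necessary
// cookies (session, CSRF token) fall outside this gate and are not modelled.
const CATEGORIES = ["functional", "analytics", "marketing"];

// Compliant starting point: no decision recorded and no category selected.
function createConsentState() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { decided: false, choices, recordedAt: null };
}

// What the banner shows. Every checkbox starts unchecked and both buttons are
// offered, so the visitor must make an affirmative choice (Planet49 standard).
function renderBannerModel(state) {
  const checkboxes = CATEGORIES.map((c) => ({ name: c, checked: state.choices[c] }));
  return { checkboxes, buttons: ["Accept selected", "Reject all"] };
}

// Defective pattern 1: treating scrolling or continued browsing as agreement.
// Kept only to contrast with the compliant handler; a site must never do this.
function impliedConsentOnScroll(_state) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = true;
  return { decided: true, choices, recordedAt: Date.now() };
}

// Compliant handler for scrolling, clicking outside the banner or dismissing
// it: the state is returned unchanged, because none of these is consent.
function onPassiveInteraction(state) {
  return state;
}

// Consent is recorded only on an explicit click, with the categories the
// visitor actually ticked and a timestamp for the consent record.
function acceptSelected(state, selected, now = Date.now()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = selected.includes(c);
  return { decided: true, choices, recordedAt: now };
}
function rejectAll(state, now = Date.now()) {
  return acceptSelected(state, [], now);
}

// Gate before any tracking cookie or tag is set: deny unless the visitor
// has decided and opted into this specific category.
function mayStoreCookie(state, category) {
  return state.decided === true && state.choices[category] === true;
}
```

Call `mayStoreCookie` before every non-essential `document.cookie` write or tag load, and persist the returned record so the decision can be shown to a regulator.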
AP’s Enforcement Guidelines and Mitigation Considerations
The AP factored in several mitigating circumstances while setting Coolblue’s fine:
- Limited Duration: The violations lasted seven weeks, deemed a relatively short period.
- Corrective Actions: Coolblue proactively updated its cookie practices before being officially penalized.
- Data Sensitivity: The processed data wasn’t highly sensitive, reducing the perceived harm.
These factors, combined with the principle of proportionality, led to a reduced fine of €40,000—far below the standard range for similar violations.
Why Cookie Compliance Matters
Coolblue’s experience serves as a cautionary tale for businesses across the EU. Cookie compliance isn’t just a legal requirement; it’s a trust-building opportunity. By respecting user preferences and safeguarding data, organizations can foster stronger relationships with their audience while avoiding regulatory scrutiny.
Adopt privacy by design, and make compliance an integral part of your business operations. After all, when it comes to data protection, prevention is always better than a cure.