Article

Cookie consent for websites: GDPR and Dutch Telecom Act explained

Cookie consent is required for analytics cookies (Google Analytics) and marketing cookies under Dutch Telecommunications Act Art. 11.7a and GDPR Art. 6(1)(a). Strictly necessary cookies are exempt. Comparison of four CMP tools for Dutch SMEs.

Short answer
  • Cookie consent is required for analytics cookies (such as Google Analytics _ga and _gid) and marketing cookies under Dutch Telecommunications Act Art. 11.7a -- the Dutch implementation of ePrivacy Directive 2009/136/EC -- and GDPR Art. 6(1)(a). Strictly necessary cookies are exempt from the consent requirement.
  • A valid cookie banner requires an equally prominent Reject button alongside Accept, opt-in (not opt-out) and logging of consent per user under GDPR Art. 7(1). Pre-ticked checkboxes are not permitted.
  • The ACM enforces the Dutch Telecommunications Act; the Dutch Data Protection Authority (AP) enforces the GDPR. Fines run up to 20 million euro or 4% of global annual turnover. Complianz (WordPress) and Cookiebot are the most widely used CMP solutions for Dutch SMEs.

What is cookie consent and when is it required?

Cookie consent is the permission a website visitor gives before a website places non-necessary cookies. Article 11.7a of the Dutch Telecommunications Act (Tw) -- the Dutch implementation of ePrivacy Directive 2009/136/EC -- prohibits placing analytics and marketing cookies without prior, informed consent from the visitor. Where those cookies process personal data -- such as Google Analytics trackers (_ga, _gid) or the Meta Pixel -- GDPR Art. 6(1)(a) also applies: consent is then the legal basis for processing. That consent must be freely given, specific, informed and unambiguous: a pre-ticked checkbox does not comply, and continuing to browse does not count as acceptance. Strictly necessary cookies -- session cookies, CSRF security tokens, shopping-cart cookies and load-balancing cookies -- are exempt from the consent requirement: they are technically essential for the functioning of the site and may be placed without prior consent.

Cookie categories

Which cookies require consent?

There are three categories. Strictly necessary cookies (session cookies, security tokens, CSRF protection, load-balancing cookies) are exempt: they are essential for the technical functioning of the website and may always be placed. Analytics cookies -- such as Google Analytics _ga and _gid -- measure visitor behaviour and are in principle subject to the consent requirement. The ACM recognises an exception for first-party analytics with only two aggregating measurement goals and no sharing with third parties, but the exact conditions are updated regularly; consult acm.nl for the most current guidelines. Marketing cookies and tracking pixels -- the Meta Pixel, LinkedIn Insight Tag, Google Ads remarketing cookies -- are always opt-in: they may not be placed without explicit consent.

Cookie banner

How does a valid cookie consent banner work?

A valid cookie consent banner meets five requirements. The Reject button (or equivalent) has the same visual prominence as Accept: no grey versus green, no hidden text link versus large button. The banner asks for active opt-in: continuing to browse or scroll does not count as consent. Consent is requested per category (strictly necessary, analytics, marketing). The given or refused consent is logged per user with a timestamp under GDPR Art. 7(1), so you can provide evidence in the event of an enforcement request. Visitors can withdraw their consent at any time, just as easily as they gave it. Google Consent Mode v2 is required for GA4 and Google Ads in the EEA: it communicates the analytics_storage and ad_storage status to Google Tag Manager before tags load, so data processing stops as soon as a user refuses.

CMP comparison

Which cookie consent tool should an SME choose?

There are four widely used CMP tools (Consent Management Platforms) for SMEs. Prices are indicative; check current pricing on the provider's website.

Complianz (WordPress / NL-native)

The most widely used WordPress CMP in the Netherlands. Native WordPress plug-in with no external dashboard required; automatically generates a cookie declaration based on a scan of your site. Indicatively: free basic plan available, Premium from approx. 49 euro/year (check complianz.io). IAB TCF 2.2 certification available in the Premium Plus variant. Ideal for WordPress sites with a Dutch audience that need a simple, NL-native solution.

Cookiebot (by Usercentrics)

Cloud-based CMP with daily automatic scan of all cookies on your domain. IAB TCF 2.2 certified; GDPR/ePrivacy certified by an independent auditor. Google Consent Mode v2 natively supported. Indicatively: free for small websites (max. 1 domain, max. 100 subpages); paid from approx. 9 euro/month (check cookiebot.com). Works platform-independently, also outside WordPress. Recommended for sites with multiple tracking pixels or EU advertising campaigns.

CookieYes

Cloud-based CMP suitable for both WordPress and other CMS platforms and custom websites. Free plan available for small sites; paid plans indicatively from approx. $9/month (check cookieyes.com). Google Consent Mode v2 natively supported. Automatic cookie scan and categorisation included. IAB TCF 2.2 support available in higher tiers. A good choice for SME sites that do not use WordPress or that serve an international audience.

iubenda

Legal-focused CMP and privacy policy bundle. In addition to the cookie consent tool, generates a GDPR privacy policy and cookie declaration as a legal document. Indicatively: sites plan from approx. 27 euro/year (check iubenda.com). Less automated scanning than Cookiebot; requires manual entry of cookies during setup. Good for businesses that want to manage their privacy policy, cookie declaration and consent in one tool.

Enforcement

Enforcement by the ACM and Dutch Data Protection Authority

Two regulators have jurisdiction over cookie violations. The Authority for Consumers and Markets (ACM) enforces Art. 11.7a of the Dutch Telecommunications Act: placing cookies without consent or displaying a misleading banner. The Dutch Data Protection Authority (AP) enforces the GDPR: unlawfully processing personal data via cookies without a valid consent basis. Common mistakes that lead to enforcement: an Accept button that is more prominent than Reject, cookies that load before the visitor has responded to the banner, and the absence of consent logging per user. Fines under the GDPR can reach 20 million euro or 4% of global annual turnover (GDPR Art. 83). Consult acm.nl and autoriteitpersoonsgegevens.nl for current guidelines and enforcement cases.

Frequently asked questions

Frequently asked questions about cookie consent for websites

Is Google Analytics subject to consent in the Netherlands?
Yes, in most configurations Google Analytics (GA4) is subject to the consent requirement. The _ga and _gid cookies are analytics cookies transmitted to Google Inc. that process personal data. Consent is required under Dutch Telecommunications Act Art. 11.7a and GDPR Art. 6(1)(a). Use Google Consent Mode v2 so that GA4 stops processing identified user data as soon as a visitor refuses. Consult acm.nl for the current exception for first-party analytics without third-party sharing.
Which cookies are exempt from the consent requirement?
Strictly necessary cookies are exempt. These are cookies that are technically necessary for the requested service: session cookies for login, CSRF security tokens, shopping-cart cookies and load-balancing cookies. They may be placed without the visitor's consent. Analytics, marketing and tracking cookies are never exempt, unless they meet the specific ACM criteria for anonymised first-party analytics; consult acm.nl for the most current guidelines.
What is Google Consent Mode v2 and is it required?
Google Consent Mode v2 is a technical API that communicates the user's analytics_storage and ad_storage settings to Google Tag Manager before GA4 or Google Ads tags are loaded. Without Consent Mode v2, GA4 and Google Ads cannot comply with the requirement to first obtain consent before tracking begins. For EU advertisers using Google Ads or GA4, Consent Mode v2 has been required by Google since March 2024. Your CMP (Cookiebot, CookieYes, Complianz Premium Plus or iubenda) must natively support Consent Mode v2.
What fines does an SME website risk without cookie consent?
The Dutch Data Protection Authority (AP) can impose fines of up to 20 million euro or 4% of global annual turnover under GDPR Art. 83. The ACM can impose fines for violations of Dutch Telecommunications Act Art. 11.7a; the maximum ACM fine is 900,000 euro per violation. In practice, enforcement often starts with an order under penalty (an instruction to comply, with a fine per day for non-compliance). Enforcement cases are made public and cause reputational damage even for small businesses.
How do I implement cookie consent on my website?
Install a CMP tool that fits your platform: Complianz for WordPress (indicatively free or from approx. 49 euro/year), Cookiebot or CookieYes for other platforms (indicatively from approx. 9 euro/month and $9/month respectively). Run a cookie scan to identify and categorise all cookies. Configure the banner with equally prominent accept and reject buttons. Activate Google Consent Mode v2 if you use GA4 or Google Ads. The Delahaye Solutions Care plan (39-89 euro/month) includes ongoing cookie management, banner updates and compliance monitoring.

Cookie consent in order? Delahaye Care handles it continuously.

Cookies change alongside your website: new plug-ins, tracking pixels or Google tag updates make your cookie declaration outdated. Our Care plan (39-89 euro/month) keeps your cookie banner and declaration current, monitors your site for security issues and ensures compliance with every update.

Book a free call →

Free and without obligation · Reply within one business day · Fixed price up front, no surprises