Cookie consent for websites: GDPR and Dutch Telecom Act explained
Cookie consent is required for analytics cookies (Google Analytics) and marketing cookies under Dutch Telecommunications Act Art. 11.7a and GDPR Art. 6(1)(a). Strictly necessary cookies are exempt. Comparison of four CMP tools for Dutch SMEs.
- Cookie consent is required for analytics cookies (such as Google Analytics _ga and _gid) and marketing cookies under Dutch Telecommunications Act Art. 11.7a -- the Dutch implementation of ePrivacy Directive 2009/136/EC -- and GDPR Art. 6(1)(a). Strictly necessary cookies are exempt from the consent requirement.
- A valid cookie banner requires an equally prominent Reject button alongside Accept, opt-in (not opt-out) and logging of consent per user under GDPR Art. 7(1). Pre-ticked checkboxes are not permitted.
- The ACM enforces the Dutch Telecommunications Act; the Dutch Data Protection Authority (AP) enforces the GDPR. Fines run up to 20 million euro or 4% of global annual turnover. Complianz (WordPress) and Cookiebot are the most widely used CMP solutions for Dutch SMEs.
What is cookie consent and when is it required?
Cookie consent is the permission a website visitor gives before a website places non-necessary cookies. Article 11.7a of the Dutch Telecommunications Act (Tw) -- the Dutch implementation of ePrivacy Directive 2009/136/EC -- prohibits placing analytics and marketing cookies without prior, informed consent from the visitor. Where those cookies process personal data -- such as Google Analytics trackers (_ga, _gid) or the Meta Pixel -- GDPR Art. 6(1)(a) also applies: consent is then the legal basis for processing. That consent must be freely given, specific, informed and unambiguous: a pre-ticked checkbox does not comply, and continuing to browse does not count as acceptance. Strictly necessary cookies -- session cookies, CSRF security tokens, shopping-cart cookies and load-balancing cookies -- are exempt from the consent requirement: they are technically essential for the functioning of the site and may be placed without prior consent.
Which cookies require consent?
There are three categories. Strictly necessary cookies (session cookies, security tokens, CSRF protection, load-balancing cookies) are exempt: they are essential for the technical functioning of the website and may always be placed. Analytics cookies -- such as Google Analytics _ga and _gid -- measure visitor behaviour and are in principle subject to the consent requirement. The ACM recognises an exception for first-party analytics with only two aggregating measurement goals and no sharing with third parties, but the exact conditions are updated regularly; consult acm.nl for the most current guidelines. Marketing cookies and tracking pixels -- the Meta Pixel, LinkedIn Insight Tag, Google Ads remarketing cookies -- are always opt-in: they may not be placed without explicit consent.
How does a valid cookie consent banner work?
A valid cookie consent banner meets five requirements. The Reject button (or equivalent) has the same visual prominence as Accept: no grey versus green, no hidden text link versus large button. The banner asks for active opt-in: continuing to browse or scroll does not count as consent. Consent is requested per category (strictly necessary, analytics, marketing). The given or refused consent is logged per user with a timestamp under GDPR Art. 7(1), so you can provide evidence in the event of an enforcement request. Visitors can withdraw their consent at any time, just as easily as they gave it. Google Consent Mode v2 is required for GA4 and Google Ads in the EEA: it communicates the analytics_storage and ad_storage status to Google Tag Manager before tags load, so data processing stops as soon as a user refuses.
Which cookie consent tool should an SME choose?
There are four widely used CMP tools (Consent Management Platforms) for SMEs. Prices are indicative; check current pricing on the provider's website.
Complianz (WordPress / NL-native)
The most widely used WordPress CMP in the Netherlands. Native WordPress plug-in with no external dashboard required; automatically generates a cookie declaration based on a scan of your site. Indicatively: free basic plan available, Premium from approx. 49 euro/year (check complianz.io). IAB TCF 2.2 certification available in the Premium Plus variant. Ideal for WordPress sites with a Dutch audience that need a simple, NL-native solution.
Cookiebot (by Usercentrics)
Cloud-based CMP with daily automatic scan of all cookies on your domain. IAB TCF 2.2 certified; GDPR/ePrivacy certified by an independent auditor. Google Consent Mode v2 natively supported. Indicatively: free for small websites (max. 1 domain, max. 100 subpages); paid from approx. 9 euro/month (check cookiebot.com). Works platform-independently, also outside WordPress. Recommended for sites with multiple tracking pixels or EU advertising campaigns.
CookieYes
Cloud-based CMP suitable for both WordPress and other CMS platforms and custom websites. Free plan available for small sites; paid plans indicatively from approx. $9/month (check cookieyes.com). Google Consent Mode v2 natively supported. Automatic cookie scan and categorisation included. IAB TCF 2.2 support available in higher tiers. A good choice for SME sites that do not use WordPress or that serve an international audience.
iubenda
Legal-focused CMP and privacy policy bundle. In addition to the cookie consent tool, generates a GDPR privacy policy and cookie declaration as a legal document. Indicatively: sites plan from approx. 27 euro/year (check iubenda.com). Less automated scanning than Cookiebot; requires manual entry of cookies during setup. Good for businesses that want to manage their privacy policy, cookie declaration and consent in one tool.
Enforcement by the ACM and Dutch Data Protection Authority
Two regulators have jurisdiction over cookie violations. The Authority for Consumers and Markets (ACM) enforces Art. 11.7a of the Dutch Telecommunications Act: placing cookies without consent or displaying a misleading banner. The Dutch Data Protection Authority (AP) enforces the GDPR: unlawfully processing personal data via cookies without a valid consent basis. Common mistakes that lead to enforcement: an Accept button that is more prominent than Reject, cookies that load before the visitor has responded to the banner, and the absence of consent logging per user. Fines under the GDPR can reach 20 million euro or 4% of global annual turnover (GDPR Art. 83). Consult acm.nl and autoriteitpersoonsgegevens.nl for current guidelines and enforcement cases.
Frequently asked questions about cookie consent for websites
Is Google Analytics subject to consent in the Netherlands?
Which cookies are exempt from the consent requirement?
What is Google Consent Mode v2 and is it required?
What fines does an SME website risk without cookie consent?
How do I implement cookie consent on my website?
Cookie consent in order? Delahaye Care handles it continuously.
Cookies change alongside your website: new plug-ins, tracking pixels or Google tag updates make your cookie declaration outdated. Our Care plan (39-89 euro/month) keeps your cookie banner and declaration current, monitors your site for security issues and ensures compliance with every update.
Book a free call →Free and without obligation · Reply within one business day · Fixed price up front, no surprises