
Cookie consent in the Netherlands

Dutch cookie consent, decoded: what Article 11.7a and the AP actually require.

In the Netherlands, cookies are governed by Article 11.7a of the Telecommunicatiewet (Telecommunications Act), the national transposition of the EU ePrivacy Directive, read together with the GDPR consent standard given domestic effect through the Uitvoeringswet AVG (UAVG). Together they require prior, informed, and freely given consent before any non-essential cookie or tracker is placed or read on a visitor's device. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, supervises and enforces these rules, and since 2024 it has moved cookie compliance to the front of its agenda with structured banner monitoring and warning letters.


The law in the Netherlands

Article 11.7a Telecommunicatiewet requires prior informed consent before storing or accessing information on a user's device, except for transmission-necessary or strictly-necessary cookies; consent must meet the GDPR standard (freely given, specific, informed, unambiguous).

Applicable laws

  • Telecommunicatiewet (Telecommunications Act), Article 11.7a
  • Uitvoeringswet Algemene verordening gegevensbescherming (UAVG)
  • Algemene verordening gegevensbescherming (AVG / GDPR), Articles 4(11), 6 and 7

Supervisory authority

Autoriteit Persoonsgegevens (AP), www.autoriteitpersoonsgegevens.nl

  • Art. 11.7a: Telecommunicatiewet provision requiring prior consent for non-essential cookies. (Source: Telecommunicatiewet, Article 11.7a; g-regs.com / Van Kaam advocaten)
  • 50: Organisations warned by the AP over misleading cookie banners in April 2025, with 3 months to comply. (Source: Autoriteit Persoonsgegevens, April 2025; Pinsent Masons Out-Law)
  • 10,000: Websites the AP plans to monitor for cookie-banner compliance (about 500 per year). (Source: Autoriteit Persoonsgegevens monitoring programme; Hogan Lovells / Pinsent Masons)
  • 5: AP investigations opened into cookie-banner and tracking-consent failures in 2024. (Source: Autoriteit Persoonsgegevens, 2024; Pinsent Masons Out-Law)

What the Netherlands requires for lawful consent

Prior consent before non-essential cookies

Under Article 11.7a of the Telecommunicatiewet, analytics, advertising, and other non-essential cookies and trackers may only be placed or read after the visitor has given consent. Cookies strictly necessary to deliver a requested service, and certain low-impact website statistics, are exempt.

Refusing must be as easy as accepting

In its April 2025 rules for clear cookie banners, the AP requires that visitors can reject cookies just as easily as they accept them. An 'Accept all' button with no equally prominent 'Reject all' option, or refusal hidden behind extra clicks, is treated as invalid consent.

No pre-ticked boxes or dark patterns

Consent must be an unambiguous, affirmative action. Pre-checked consent boxes, hidden options, ambiguous wording, and design that nudges users toward acceptance do not produce valid consent under the GDPR standard applied via the UAVG.

No cookie walls

The AP's position is that a cookie wall blocking access unless the visitor accepts tracking cookies is unlawful, because consent obtained under that pressure is not freely given. Access to the site cannot be conditioned on accepting non-essential tracking.

Transparency and demonstrable proof

Visitors must receive clear, comprehensive information about each cookie purpose before consenting, and the controller must be able to demonstrate that valid consent was obtained and that nothing fired beforehand.

The two laws behind Dutch cookie rules

Cookie compliance in the Netherlands sits on two pillars. Article 11.7a of the Telecommunicatiewet is the operative 'cookie law': it implements the EU ePrivacy Directive and prohibits storing information on, or reading information from, a user's terminal equipment without prior consent. The provision carves out cookies needed purely to transmit a communication, cookies strictly necessary for a service the user requested, and (since a later amendment) certain website-quality statistics that have little or no privacy impact.

Whenever a cookie processes personal data, the consent itself must satisfy the GDPR. The Uitvoeringswet AVG (UAVG) gives the GDPR domestic effect in the Netherlands, so 'consent' under Article 11.7a inherits the GDPR definition: a freely given, specific, informed, and unambiguous indication of the user's wishes through clear affirmative action. That is why a Dutch banner has to do more than display a notice.

In practice this means the legal questions split cleanly: the Telecommunicatiewet decides whether you needed consent at all, and the GDPR (via the UAVG) decides whether the consent you collected was actually valid.

How the Autoriteit Persoonsgegevens enforces

The Autoriteit Persoonsgegevens has made cookie banners an active enforcement priority. In 2024 it opened five investigations into organisations that had failed to obtain tracking-cookie consent correctly, and in April 2025 it published a concrete set of rules for clear cookie banners and sent warning letters to the first 50 organisations, including retailers, media companies, and insurers, giving them three months to fix non-compliant banners or face formal investigation and fines.

The AP has signalled this is not a one-off campaign. It intends to structurally and largely automatically monitor cookie banners across the Dutch web, targeting on the order of 10,000 websites over time at roughly 500 per year. Common failures it flags are an absent or buried reject option, pre-ticked boxes, misleading design, and trackers that fire before any choice is made.

Separately, the AP has been clear that cookie walls, where a visitor is denied access unless they accept tracking, do not produce valid consent because the choice is not free. Conditioning access on acceptance of non-essential cookies is therefore treated as a breach.

What this means for your site

The recurring enforcement theme is the gap between what a banner promises and what the page actually does. A banner can look compliant while analytics, advertising pixels, or social widgets quietly set cookies the moment the page loads, before the visitor clicks anything. Under Article 11.7a that pre-consent firing is exactly what the law prohibits, and it is what automated monitoring is designed to detect.

CookieSentry loads your live pages the way a real Dutch visitor would and flags every cookie and tracker that fires before consent, naming the source so you can see precisely which scripts breach Article 11.7a. The free public scan needs no signup, and the exportable report plus PDF evidence give you a record of what was firing and when.

Alongside the scan, CookieSentry generates GDPR documents such as privacy and cookie policies localized to national requirements. It is not a consent banner or CMP: keep the banner you already run, and use CookieSentry to verify that nothing fires before consent and to back it with documentation aligned to Dutch expectations.

It is not allowed to place or read tracking cookies via a cookie wall. With a cookie wall, you only get access to a website or app if you agree to tracking cookies. That is not allowed, because then you do not have a free choice.

— Autoriteit Persoonsgegevens (Dutch Data Protection Authority), guidance on cookies

Enforcement in the Netherlands

The statute: Article 11.7a Telecommunicatiewet

The Dutch cookie provision sits in the Telecommunications Act and transposes the ePrivacy Directive. It requires prior informed consent before placing or reading non-essential cookies, with exceptions for transmission-necessary, strictly-necessary, and certain low-impact statistical cookies. (Source: Telecommunicatiewet Art. 11.7a; Van Kaam advocaten; g-regs.com)

The regulator: Autoriteit Persoonsgegevens

The AP is the Dutch supervisory authority for data protection and enforces both the GDPR/UAVG and the cookie rules of the Telecommunicatiewet. Its official site is autoriteitpersoonsgegevens.nl. (Source: Autoriteit Persoonsgegevens)

Enforcement: structured banner monitoring

After five 2024 investigations and warnings to 50 organisations in April 2025 (with a three-month deadline), the AP plans to monitor roughly 10,000 websites, around 500 a year, for non-compliant banners. (Source: Autoriteit Persoonsgegevens; Pinsent Masons Out-Law; Hogan Lovells)

How CookieSentry helps in the Netherlands

CookieSentry scans your live site and flags every cookie and tracker that fires before consent, which is the failure the AP is most likely to act on, and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to the Dutch rules. It is not a consent banner: keep your banner and add the audit and evidence layer on top.

Frequently asked questions

Which law governs cookies in the Netherlands?

Article 11.7a of the Telecommunicatiewet (Telecommunications Act) is the Dutch cookie provision, transposing the EU ePrivacy Directive. It requires prior consent before non-essential cookies are placed or read. The validity of that consent is judged against the GDPR, which applies domestically through the Uitvoeringswet AVG (UAVG).

Who enforces cookie rules in the Netherlands?

The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, supervises and enforces both the GDPR/UAVG and the cookie rules in the Telecommunicatiewet. It has been actively investigating cookie banners since 2024 and publishes guidance at autoriteitpersoonsgegevens.nl.

Are cookie walls allowed in the Netherlands?

No. The AP's position is that a cookie wall, which blocks access unless the visitor accepts tracking cookies, is unlawful because the resulting consent is not freely given. Access to a site cannot be conditioned on accepting non-essential tracking.

How does CookieSentry help with Dutch cookie compliance?

CookieSentry scans your live pages the way a real visitor would and flags every cookie or tracker firing before consent, naming the source, which is exactly what Article 11.7a prohibits. It also generates localized GDPR documents. It is not a banner or CMP, so you keep your existing banner and use CookieSentry to verify nothing fires pre-consent and to document it.


Last reviewed 2026-06-14. General information on Dutch cookie rules, not legal advice; verify current requirements with the AP or qualified counsel.
