Cookie Banner Required in NL: What the AP Enforces in 2026

A cookie banner is mandatory in the Netherlands as soon as your website sets tracking cookies. This is set out in Article 11.7a of the Dutch Telecommunications Act. The Autoriteit Persoonsgegevens (AP) has been actively enforcing this since April 2025 and has warned more than 200 Dutch websites. Three-quarters fixed their banner. The rest are under formal investigation.

For context, we scanned 499 Dutch restaurant websites. 67.5 percent had no cookie banner at all. Of the rest, more than half lacked a working reject button. Only 16 percent had a banner that actually meets AP requirements.

Want to know in two minutes how your banner stands? Run a free scan. We check whether you have a banner, whether the reject button works, and which cookies are placed without consent.

When is a cookie banner mandatory?

The rule is clear. You need consent as soon as your website stores anything on a visitor's device that is not strictly necessary for the service requested. That's Article 11.7a Tw.

The European Data Protection Board (EDPB) confirms this in its guidelines on Article 5(3) ePrivacy Directive. Fingerprinting, local storage, and tracking pixels all fall under the same rule, not just cookies.

A cookie banner IS required if your site:

• Uses Google Analytics (unless fully anonymized without Google Signals)
• Sets marketing cookies (Facebook Pixel, Google Ads, LinkedIn Insight Tag)
• Embeds social media that sets cookies (YouTube, Instagram, X/Twitter)
• Uses non-essential preference cookies
• Loads Google Fonts from Google's servers (transmits IP addresses)

A cookie banner is NOT required if your site only:

• Uses functional cookies (session, cart, language preference)
• Runs fully anonymized analytics (Plausible, Fathom, Simple Analytics)
• Does not load external scripts that share visitor data

Most websites fall in the first category. If you're unsure, assume a banner is required.

What must the banner do?

The AP launched a public awareness campaign on misleading cookie banners with nine rules of thumb. The most-often-violated requirements:

Equal choice

The reject button must be as prominent as the accept button. Same size, same colour, same placement. A large green "Accept all" with a small grey "manage preferences" link does not comply. The AP calls this a misleading cookie banner.

No pre-ticked options

If your banner has category toggles (analytics, marketing, functional), non-functional categories cannot be pre-ticked. The visitor must actively opt in. This follows from the Planet49 judgment of the EU Court of Justice.

No cookies before consent

Your site must not set tracking cookies before the visitor clicks "accept". This is a common technical violation. Many Consent Management Platforms (CMPs) load Google Analytics or Facebook Pixel by default, including for visitors who haven't yet chosen. That's non-compliant.

Cookie walls are banned

You cannot force visitors to accept cookies as a condition of using your website. The site must remain fully usable without non-functional cookies.

Accessibility

Since 28 June 2025 your cookie banner falls under the European Accessibility Act. That means:

• Navigable by keyboard
• Readable by screen readers
• Colour contrast meeting WCAG 2.1 AA
• Buttons large enough for accessible touch targets

What the AP enforces in 2026

The AP's approach is methodical:

1. They visit your site and screenshot the banner.
2. If it doesn't comply, they send a warning letter.
3. You get three months to fix the banner.
4. After three months they re-check.
5. Still non-compliant? Formal investigation.

So far the AP has warned more than 200 websites. Three-quarters fixed the banner; investigations are running against the rest.

The AP receives 500,000 euros per year earmarked for this oversight. This is not a temporary action; it continues.

In December 2025 the AP launched a consumer campaign "Ga slim om met cookies" ("Be smart with cookies"). More consumer complaints means more enforcement.

Fines in practice

The GDPR allows fines up to 20 million euros or 4 percent of global turnover. In practice the levels are lower, but still material for an SME. Kruidvat received an initial 600,000 euro fine, reduced to 50,000 euros on appeal. Coolblue received 40,000 euros for the same pattern.

For SMEs, the reputational damage of a formal investigation often exceeds the fine itself. Investigations are published on the AP's site.

Common mistakes

"Continued browsing = consent"

Some sites show a banner with only "By continuing to browse you accept cookies." This is not valid. Consent must be an affirmative action. Scrolling does not count. The EDPB confirms this in its consent guidelines.

Reject via a detour

A banner with an "Accept" button and a "More information" link that leads to a page where you can then disable cookies does not count as equal choice. Reject must be as easy as accept, on the first screen.

Cookie settings not adjustable later

Visitors must be able to change their choice. A permanent footer link to "Cookie settings" is the simplest solution.

Vague categories

"Performance cookies" or "analytical cookies" means little to the average visitor. Explain in plain language what each category does. Name the third parties that set the cookies.

How to check your own banner

1. Open your site in an incognito window.
2. Check that a banner appears.
3. Check that reject is as visible as accept.
4. Click reject and reload.
5. Open DevTools (F12) and go to Application > Cookies.
6. Are there Google, Facebook, or other tracker cookies? Then your banner does not work correctly.

Or faster: scan your website free via TrustYourWebsite. We check this in two minutes.

Which CMP tools comply?

There are dozens of Consent Management Platforms. The tool doesn't decide compliance — the configuration does. The most expensive tool in the world fails if you configure it badly.

What to look for:

• Default-blocks all scripts until consent
• Reject button on the first screen (not behind "settings")
• Storage of consent proof
• Easily customisable layout so reject and accept can be equal
• Keyboard and screen-reader accessible

For the exact textual requirements, see cookie banner requirements Netherlands and the most common cookie banner dark patterns.

---

This article is technical analysis, not legal advice. Consult a lawyer for advice tailored to your situation.