Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Netherlands Koninkrijk der Nederlanden

WEB ANALYTICS · COOKIE COMPLIANCE · WESTERN EUROPE · NL

Netherlands — analytics & cookie compliance reference

What you can run on a Dutch-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. AP is pragmatic on tooling but enforcement-led on cookie-banner equivalence: the reject button must carry the same weight as accept.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting the Netherlands. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

UAVG
Uitvoeringswet Algemene Verordening Gegevensbescherming
Dutch implementation of GDPR opening clauses — supervisory-authority powers, child consent age (kept at 16), special-category permissions, employee data, criminal offences, and the BSN (citizen service number) regime. Replaced the legacy Wet bescherming persoonsgegevens (Wbp) on 25 May 2018.
  • Art 5 Child consent — age 16 retained (Netherlands did not lower from GDPR Art 8 ceiling)
  • Art 22-30 Special-category data — derogations for employment, social security, public health, scientific research
  • Art 46 BSN (Burgerservicenummer) — restricted to cases with a statutory basis
  • Art 6 Confidentiality and processing duties for AP staff and assistants
Stb. 2018, 144 (in force 25 May 2018); consolidated text current 2026.
Telecommunicatiewet Art 11.7a
Telecommunicatiewet — Article 11.7a (cookie provision)
Cookies and similar access to terminal equipment. Storing information on, or reading information from, a user's device requires prior, informed consent, with 'consent' carrying the GDPR meaning. The 2015 amendment added an exemption for storage or access with no or only minor privacy impact; that is the category privacy-friendly first-party analytics can fall into. Commercial GA-class deployments that share data with the vendor or feed advertising profiles do not qualify and need consent.
  • 11.7a(1) Storage / read access requires prior, informed consent
  • 11.7a(3) Exceptions: (a) technical storage or access strictly necessary for the communication or for a service the user explicitly requested; (b) storage or access with no or only minor privacy impact. Both are narrowly construed; standard analytics does not qualify unless configured privacy-friendly (no data sharing, no profiling)
  • 11.7 Direct-marketing email — opt-in for commercial communication (B2C), soft opt-in narrow exception
Telecommunicatiewet, consolidated as amended 2012, 2015, 2025; transposes ePrivacy Directive Art 5(3).
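The check a practitioner wants for 11.7a(1) is "what does the page write to the device before anyone has clicked the banner". The following is an added example, not code from this page or from the AP: it takes the Set-Cookie header values from a HAR or proxy capture of the first page load and reports every cookie that is neither strictly necessary nor covered by consent. The vendor signature table, the necessary-cookie allowlist, the site name example.nl and the sample capture are this example's own assumptions, not regulator guidance; analytics cookies are flagged too, because the 11.7a(3)(b) low-impact exemption depends on a documented privacy-friendly configuration that a capture alone cannot prove.

```javascript
// Added example (not from the page or the AP): pre-consent cookie audit over a
// captured list of Set-Cookie header values. Signatures and allowlist are
// illustrative assumptions; 'example.nl' is a placeholder site.

// Widely deployed vendor cookie names (patterns written for this example).
const COOKIE_SIGNATURES = [
  { re: /^_ga(_[A-Z0-9]+)?$/, category: 'analytics',   vendor: 'Google Analytics' },
  { re: /^_gid$/,             category: 'analytics',   vendor: 'Google Analytics' },
  { re: /^_gcl_au$/,          category: 'advertising', vendor: 'Google Ads' },
  { re: /^_fb[pc]$/,          category: 'advertising', vendor: 'Meta Pixel' },
  { re: /^IDE$/,              category: 'advertising', vendor: 'DoubleClick' },
  { re: /^_hj/,               category: 'replay',      vendor: 'Hotjar' },
  { re: /^_cl(ck|sk)$/,       category: 'replay',      vendor: 'Microsoft Clarity' },
];
// Cookies this hypothetical site documents as strictly necessary (Tw 11.7a(3)(a)).
// The consent record itself belongs here: without it the choice cannot be kept.
const NECESSARY_ALLOWLIST = /^(sessionid|csrftoken|CookieConsent|euconsent-v2)$/;

// Parse one Set-Cookie value into name, lifetime in days and Domain attribute.
// Max-Age takes precedence over Expires (RFC 6265); host-only cookies have domain null.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: eq < 0 ? pair : pair.slice(0, eq), lifetimeDays: null, domain: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.toLowerCase(), v = rest.join('=');
    if (key === 'max-age') c.lifetimeDays = Number(v) / 86400;
    else if (key === 'expires' && c.lifetimeDays === null) c.lifetimeDays = (Date.parse(v) - now) / 86400000;
    else if (key === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
  }
  return c;
}

function classify(cookie) {
  if (NECESSARY_ALLOWLIST.test(cookie.name)) return { category: 'necessary', vendor: 'first party' };
  const hit = COOKIE_SIGNATURES.find(s => s.re.test(cookie.name));
  return hit ? { category: hit.category, vendor: hit.vendor } : { category: 'unknown', vendor: 'unclassified' };
}

// Audit a pre-consent capture: only 'necessary' may be written before consent.
function auditPreConsent(setCookieHeaders, siteDomain, now = Date.now()) {
  const findings = setCookieHeaders.map(h => {
    const c = parseSetCookie(h, now);
    const { category, vendor } = classify(c);
    const thirdParty = c.domain !== null && c.domain !== siteDomain && !siteDomain.endsWith('.' + c.domain);
    let reason = null;
    if (category === 'unknown') reason = 'unclassified cookie written pre-consent: classify it or gate it';
    else if (category !== 'necessary') reason = `${vendor} ${category} cookie written before consent (Tw 11.7a(1))`;
    return { name: c.name, vendor, category, thirdParty, lifetimeDays: c.lifetimeDays, reason };
  });
  return {
    compliant: findings.every(f => f.reason === null),
    violations: findings.filter(f => f.reason !== null),
    findings,
  };
}

// Constructed capture: first load of a site whose GTM container fires every tag
// before the CMP has answered. Not a real site, not real values.
const SAMPLE_PRE_CONSENT_CAPTURE = [
  'sessionid=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=d41d8cd9; Path=/; Secure; SameSite=Lax',
  '_ga=GA1.1.123456789.1735689600; Domain=.example.nl; Path=/; Max-Age=63072000',
  '_ga_ABC123=GS1.1.1735689600.1.0.1735689600.0.0.0; Domain=.example.nl; Path=/; Max-Age=63072000',
  '_fbp=fb.1.1735689600000.123456; Domain=.example.nl; Path=/; Max-Age=7776000',
  'IDE=AHWqTUk0; Domain=.doubleclick.net; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; SameSite=None',
  '_hjSessionUser_123=eyJpZCI6; Domain=.example.nl; Path=/; Max-Age=31536000',
];

// Fixed clock so lifetimes computed from Expires are reproducible.
function runSampleAudit() {
  return auditPreConsent(SAMPLE_PRE_CONSENT_CAPTURE, 'www.example.nl', Date.parse('2025-01-01T00:00:00Z'));
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runSampleAudit();
  console.log(r.compliant ? 'pre-consent OK' : `${r.violations.length} pre-consent violations`);
  for (const v of r.violations) {
    console.log(` ${v.name} (${v.vendor}, ${v.lifetimeDays} d, third party: ${v.thirdParty}): ${v.reason}`);
  }
}
```

Run it against the capture of a real first load (with the allowlist replaced by the cookies your own cookie statement declares necessary) and the violations list is exactly the set of tags that must move behind the CMP. Two-year `_ga` lifetimes and a third-party `IDE` cookie from doubleclick.net are the typical findings on a container that was never consent-gated.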
Wbp (legacy)
Wet bescherming persoonsgegevens
Pre-GDPR Dutch data-protection statute. Listed for historical reference only — pre-2018 case law and AP guidance still cite Wbp provisions when discussing pre-GDPR conduct (e.g. parts of the Toeslagenaffaire timeline).
Repealed 25 May 2018 — superseded by UAVG.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

Notable enforcement

The Netherlands AP punches above its weight on aggregate fine value, driven by the August 2024 Uber €290M transfer fine, the largest single Dutch GDPR fine on record and among the largest EU fines overall. Outside that outlier, AP enforcement has historically focused on public-sector data-protection failures (Belastingdienst: Toeslagenaffaire €2.75M and FSV €3.7M; UWV €450K), late breach notification (Booking.com €475K) and, since 2024, a systemic cookie-banner programme (200 warning letters in 2024, escalating to 500 organisations a year from 2025). On transfers the AP follows the EDPB consensus rather than the national-level GA4 enforcement of CNIL or the Garante.

  1. 2024-08 €290.0M
    Uber Technologies / Uber B.V. AP · Art 44–49 stood

    AP fined Uber €290M for transferring European drivers' personal data (incl. taxi licences, ID documents, payment details and in some cases medical and criminal data) to its US headquarters without an appropriate Chapter V transfer tool: Uber had stopped using SCCs in August 2021 and did not certify under the EU-US DPF until late 2023, so for roughly two years the transfers rested on no mechanism at all. Largest Dutch GDPR fine on record.

  2. 2022-04 €3.7M
    Belastingdienst (Tax Authority) AP · Art 5, 6 stood

    Fraud Signaling Facility (FSV), a blacklist of citizens suspected of tax or benefit fraud, processed unlawfully and disproportionately for years. Largest Dutch GDPR fine at the time; surpassed by the Uber fine in 2024.

  3. 2021-12 €2.75M
    Belastingdienst (Tax Authority) AP · Art 5, 9 stood

    Toeslagenaffaire (childcare-allowance scandal): discriminatory processing of benefit applicants' (dual) nationality in fraud checks for years. The data should have been deleted from January 2014 but remained in use until 2018.

  4. 2020-12 €475k
    Booking.com AP · Art 33 stood

    Late breach notification: attackers phished credentials from 40 employees of UAE hotels and accessed 4,000+ customer records. Booking.com became aware on 13 Jan 2019 and notified the AP only on 7 Feb 2019, 22 days after the 72-hour deadline had passed. 'Serious violation' per AP.

  5. 2021-07 €450k
    UWV (Werknemersverzekeringen) AP · Art 32 stood

    Insufficient security on 'Mijn Werkmap' group-message function 2016-2018 — nine data leaks exposing BSN, health, and work-capacity data of 15,000+ jobseekers to wrong recipients.

GA4 status

GA4 is usable in the Netherlands when configured along the lines of the AP's privacy-friendly guidance (signed processor agreement with Google, data sharing with other Google services and Google Signals switched off, advertising and remarketing features off) combined with Consent Mode v2 and prior consent for any configuration that is not strictly necessary. Two settings the guidance is often quoted for no longer exist as such: GA4 does not log or store IP addresses by default (the Universal Analytics anonymize_ip flag has no effect), and Google collects EU visitors' hits through EU-based endpoints before forwarding them to US processing, so neither is a data-residency control. After the EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. The AP is markedly more pragmatic than CNIL or the Garante on GA4: there is no Dutch ban or formal warning targeting GA4 specifically, but the Telecommunicatiewet 11.7a consent obligation still applies to any deployment that is not privacy-friendly configured.

DPA stance
AP: pragmatic. Published a 'GA configured for privacy' manual (2018), still circulated in third-party guides; accepts cookieless, Consent Mode v2 and DPF-certified deployments without bespoke TIA demands.
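The operational part of the recipe above is the consent gate: every storage type denied before the visitor chooses, a reject path that carries exactly the same weight as accept, and tags that ask the consent state before firing. The following is an added example, not code from this page or from Google: it wires Google Consent Mode v2 defaults and updates the way a Dutch site would, and emulates the dataLayer so it runs in Node without a browser. The `TAG_REQUIREMENTS` mapping is an illustrative assumption of which consent types each tag needs, not a Google-defined table; the consent type names, `wait_for_update`, `region` and `ads_data_redaction` are Google's.

```javascript
// Added example (not from the page or from Google): Consent Mode v2 defaults and
// tag gating, runnable in Node. In production the calls in setConsentDefaults()
// go in <head> before gtag.js or the GTM container loads. TAG_REQUIREMENTS is an
// assumption for illustration.

const dataLayer = [];                         // stands in for window.dataLayer
function gtag(...args) { dataLayer.push(args); }

// Consent types defined by Google Consent Mode v2.
const CONSENT_TYPES = [
  'ad_storage', 'ad_user_data', 'ad_personalization',
  'analytics_storage', 'functionality_storage',
  'personalization_storage', 'security_storage',
];

// 1. Default state before any interaction: everything denied except
//    security_storage (strictly necessary, Tw 11.7a(3)(a)). wait_for_update holds
//    the first hit for up to 500 ms so the CMP can answer first; while a type is
//    'denied' the corresponding cookies are not written.
function setConsentDefaults(regions = ['NL']) {
  const defaults = Object.fromEntries(CONSENT_TYPES.map(t => [t, 'denied']));
  defaults.security_storage = 'granted';
  gtag('consent', 'default', { ...defaults, wait_for_update: 500, region: regions });
  gtag('set', 'ads_data_redaction', true);    // strip ad click IDs while ad_storage is denied
}

// 2. Banner outcome. Accept-all and reject-all share one code path and one click
//    each; there is no 'reject' that silently leaves analytics on.
function applyBannerChoice(choice) {
  if (choice !== 'accept_all' && choice !== 'reject_all') throw new Error('unknown choice: ' + choice);
  const value = choice === 'accept_all' ? 'granted' : 'denied';
  const update = Object.fromEntries(
    CONSENT_TYPES.filter(t => t !== 'security_storage').map(t => [t, value]));
  gtag('consent', 'update', update);
  return update;
}

// Effective consent: the default merged with every later update, in order.
function effectiveConsent() {
  const state = {};
  for (const [cmd, , params] of dataLayer) {
    if (cmd !== 'consent') continue;
    const { wait_for_update, region, ...types } = params;
    Object.assign(state, types);
  }
  return state;
}

// 3. Gate: which consent types a tag needs before it may fire (assumed mapping;
//    in GTM this is the tag's "additional consent checks" setting).
const TAG_REQUIREMENTS = {
  ga4_config:     ['analytics_storage'],
  google_ads_tag: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  session_replay: ['analytics_storage', 'personalization_storage'],
  error_logging:  ['security_storage'],
};
function mayFire(tag) {
  const state = effectiveConsent();
  return (TAG_REQUIREMENTS[tag] || []).every(t => state[t] === 'granted');
}

// Run one page-load scenario from a clean dataLayer; returns tag -> may fire.
function simulate(choice = null) {
  dataLayer.length = 0;
  setConsentDefaults();
  if (choice) applyBannerChoice(choice);
  return Object.fromEntries(Object.keys(TAG_REQUIREMENTS).map(t => [t, mayFire(t)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of [null, 'accept_all', 'reject_all']) console.log(c ?? 'pre-consent', simulate(c));
}
```

The property to verify on a live site is the pre-consent row: with the defaults in place and no click, `ga4_config`, `google_ads_tag` and `session_replay` must all report false, and the only tag allowed to run is the one that needs nothing beyond `security_storage`. A reject click must produce the same row, which is what makes the reject button equal in weight rather than cosmetically present.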

Cross-border transfers + Schrems II

AP follows EDPB baseline and is markedly less aggressive than CNIL (France) or Garante (Italy) on Transfer Impact Assessments. Post-DPF (10 Jul 2023) AP accepts adequacy for DPF-certified US importers without bespoke supplementary-measures demands. Controllers are still expected to document a TIA and verify DPF status periodically; AP has not published a Schrems II-style ban on any specific US tool.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. AP scrutiny of SCCs is risk-based — public-sector and high-volume processors receive more attention than SMB analytics rollouts.

Key thresholds

Child consent age: 16 years
Article 27 representative: required for non-EU controllers within GDPR Art 3(2)
Marketing consent: single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.


Common questions

Is Google Analytics legal in the Netherlands in 2026?
Yes, conditionally, and with a markedly more pragmatic AP posture than CNIL or the Garante. AP's 2018 'Handleiding privacyvriendelijk instellen van Google Analytics' set out a configuration recipe (IP masking, signed processor agreement, no data sharing with Google services, advertising features off, an opt-out path) under which the AP held that no consent was required, because such a deployment fell within the Telecommunicatiewet 11.7a(3) low-impact exemption. The handleiding was quietly removed from the AP website around 2022-2023, but its logic remains the de facto compliance model, now combined with Consent Mode v2, GA4's default of not logging IP addresses, and DPF-certified transfers. Default GA4 deployments (data sharing and Google Signals on, no consent gating) still require prior consent under Telecommunicatiewet 11.7a.
Do I need a Dutch DPO?
The UAVG follows GDPR Art 37 verbatim — no Dutch-specific lower threshold (unlike Germany's BDSG §38 at 20 employees). DPO is mandatory for public bodies, large-scale systematic monitoring, or large-scale special-category processing. SMB analytics deployments rarely trigger the threshold.
What is the Dutch cookie-banner standard?
Telecommunicatiewet 11.7a requires prior consent for non-strictly-necessary cookies. Since 2024 AP has prioritised the equal-prominence reject button — 'reject all' must be as visible, accessible, and one-click as 'accept all'. Hiding reject behind a second layer, greying it out, or using dark-pattern colour contrast triggers the AP letter cycle. ~75% of warned sites complied in 2024; remainder face the new 500-sites/year enforcement programme.
What was the Toeslagenaffaire and why does AP enforcement reflect it?
The Toeslagenaffaire (childcare-allowance scandal) is the defining Dutch privacy-and-discrimination case. The Belastingdienst (Tax Authority) used dual-nationality and ethnicity-correlated data to flag families for fraud investigation, devastating thousands of innocent households between 2014 and 2019 and triggering the resignation of the Rutte III cabinet in January 2021. AP imposed two fines: €2.75M (Dec 2021, dual-nationality processing) and €3.7M (Apr 2022, Fraud Signaling Facility blacklist). The case shapes AP's enforcement priorities: algorithmic fairness, blacklists, and special-category processing receive disproportionate scrutiny.
Why was Booking.com fined €475K?
Late breach notification. In December 2018 and January 2019, attackers phished credentials from 40 employees of hotels in the UAE and accessed 4,000+ customer records including roughly 300 credit-card numbers. Booking.com became aware on 13 Jan 2019 but reported to the AP only on 7 Feb 2019, 25 days after becoming aware and 22 days past the GDPR Art 33 72-hour deadline. AP described the delay as 'a serious violation'; the fine stood.
What is the child consent age in the Netherlands?
16 years old: the Netherlands kept the GDPR Art 8 default and the UAVG retains it. Children under 16 cannot independently consent to information-society services; processing requires the consent of a parent or carer. (Compare: the UK and several EU member states set the age at 13.)
Do I need a works-council agreement for analytics tools?
Yes, when the tool can monitor employee behaviour. Wet op de ondernemingsraden (WOR) Art 27(1)(l) gives the Ondernemingsraad (OR — works council) mandatory consent rights over any system intended to monitor or register employee performance, presence, or behaviour. This includes most internal-dashboard analytics, productivity pixels, and HR-monitoring tools. AP guidance reinforces the obligation; OR consent is independent of GDPR consent and frequently overlooked.
Do I need a Dutch Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behaviour of people in the Netherlands (or any EEA state), unless the small-business exception in Art 27(2) applies. AP enforcement on representative non-designation is moderate compared with German Länder DPAs.
How does AP compare with CNIL or Garante on transfers?
AP is meaningfully more pragmatic. AP follows EDPB baseline guidance and has not published a Schrems II-style ban on GA4 or any specific US tool. Post-DPF (Jul 2023) AP accepts DPF-certified US importers without bespoke supplementary-measures demands. A documented Transfer Impact Assessment is still expected, but AP-led enforcement actions hinge on breach notification, security, and discrimination — not transfer architecture.
Is the legacy Wet bescherming persoonsgegevens still relevant?
No, except for historical reference. Wbp was repealed on 25 May 2018 when GDPR + UAVG entered into force. Pre-2018 case law and AP guidance still cite Wbp provisions when discussing pre-GDPR conduct (e.g. early Toeslagenaffaire timeline), but no new processing falls under Wbp.

// EDITORIAL · NOT LEGAL ADVICE This page summarises the Netherlands' privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.