Dutch AP Cookie Warnings: What They Mean for Your Website

The Autoriteit Persoonsgegevens (AP) has been sending warning letters to Dutch businesses about their cookie practices since late 2024. If you got one, you're not alone. And if you haven't gotten one yet, your setup might still have problems.

Here is what the AP is actually looking for and how to fix it before a warning turns into a fine.

What the AP has been doing since 2024

The AP started a focused enforcement campaign on cookie consent in the second half of 2024. They didn't go after the big tech companies this time. They went after regular Dutch businesses: webshops, service companies, local businesses with a website.

Their approach is straightforward. They visit your website, check whether cookies are set before you give consent and look at how your cookie banner works. If something is wrong, they send a warning letter with a deadline to fix it.

By mid-2025, hundreds of businesses had received these letters. The AP published guidance stating that websites placing tracking cookies without valid consent are violating Article 11.7a of the Telecommunicatiewet and Article 6 of the GDPR/AVG.

What the AP checks on your website

The AP's cookie checks focus on a few specific things.

Cookies before consent. When someone visits your site for the first time, do cookies get placed before they click "accept"? Many cookie banners load Google Analytics, Facebook Pixel or marketing cookies the moment the page loads. The banner shows up, but the tracking already started. That's a violation.

Reject must be as easy as accept. If your cookie banner has a big green "Accept all" button but hides the reject option behind a settings menu, that's not valid consent. The AP requires that refusing cookies is just as easy as accepting them. One click to accept means one click to reject.

Pre-checked boxes. If your cookie settings page shows checkboxes that are already ticked, that violates the GDPR. Consent must be an active choice. The user has to check the box themselves.

Cookie walls. Some websites block access until you accept cookies. The AP considers this coercive and not freely given consent. There are limited exceptions, but for most business websites, cookie walls don't fly.

Dark patterns in banner design. Using colors, sizing or wording that push users toward accepting is something the AP now specifically looks for. A tiny grey "reject" link next to an oversized "Accept all" button counts as a dark pattern.

Who has been fined

The AP hasn't published individual fines for small business cookie violations yet from this wave. Their approach so far has been warnings first, with a compliance deadline. But the precedent exists.

In 2022, the AP worked with other European data protection authorities on a coordinated cookie sweep. Over 1,000 websites were checked across Europe. The result: enforcement actions in multiple countries, including fines.

France's CNIL fined Google €150 million and Facebook €60 million for cookie consent violations in 2022. While those are tech giants, the legal standard is the same for your restaurant website. The rules don't have a size exception.

In the Netherlands, the AP can issue fines up to €10 million or 2% of annual worldwide turnover for cookie violations under the Telecommunicatiewet. For GDPR violations related to cookie data processing, fines can reach €20 million or 4% of turnover.

For a small business, realistic fine amounts would be much lower. But even a €5,000 to €25,000 fine hurts when you're running a small operation.

How to check your cookie setup

You can check most of this yourself in about 10 minutes.

Step 1: Open your website in a private/incognito window. This gives you a fresh session with no existing cookies.

Step 2: Before clicking anything on the cookie banner, check what cookies are set. In Chrome, press F12, go to the Application tab and look under Cookies. If you see tracking cookies from Google, Facebook, Hotjar or similar services, your site is placing cookies before consent. That's the number one violation the AP catches.

Step 3: Look at your cookie banner. Is there a clear "Reject" or "Deny" button that's equally visible as the "Accept" button? If reject is hidden behind "Manage preferences" or "Cookie settings," you have a problem.

Step 4: If your banner has settings, check the default state. Are any non-functional cookie categories pre-selected? They shouldn't be.

Step 5: Click reject and check again. After rejecting, are tracking cookies still present? Some cookie banners don't actually block cookies when you reject. They just record your preference and do nothing with it.

You can also run a free compliance scan on your website that checks cookie behavior automatically, including what fires before consent.

How to fix your cookie banner

If your check revealed problems, here is what to do.

Switch to a consent-first setup. Your cookie management tool (Cookiebot, CookieYes, Complianz or whatever you use) needs to block all non-functional cookies and scripts until consent is given. Most tools have this feature, but it's often not enabled by default. Look for settings called "auto-blocking" or "prior blocking."

Add a visible reject button. Your banner needs a clear reject option at the same level as accept. Not behind a submenu. Not in smaller text. Same visual weight. Many cookie tools let you configure this in their dashboard.

Uncheck all default selections. Go into your cookie tool settings and make sure no optional categories are pre-selected in the preferences panel.

Remove cookie walls. If your site blocks content until cookies are accepted, change it. Let users browse with only functional cookies active.

Test after changes. Open an incognito window again and repeat the check. Click reject and verify that tracking cookies don't appear.

What to do if you received an AP warning letter

Don't ignore it. The letter will include a deadline, usually 4 to 6 weeks.

Fix your cookie setup before the deadline. Document what you changed and when. If the AP follows up, you want to show that you took action promptly.

If you're unsure whether your fix is sufficient, get your website scanned by an independent tool. Don't just trust your cookie plugin's "compliant" badge.

Keep the letter and your documentation. If the AP does a follow-up check and finds you've fixed the issues, that's usually the end of it.

The bigger picture

Cookie enforcement in the Netherlands is only increasing. The AP received a larger budget in 2025 specifically for digital enforcement. They've also been coordinating with other EU data protection authorities through the European Data Protection Board.

This isn't a one-time campaign. It's a shift toward consistent enforcement. Getting your cookie setup right now saves you from repeat problems later.

Your cookie banner is also the first thing visitors see on your site. A sloppy or manipulative consent setup damages trust before someone even reads your content.

---

Check your website now. Scan your website for cookie compliance issues and more. Free, takes 2 minutes.

---

Frequently asked questions

Does the AP only check Dutch websites?

The AP focuses on websites targeting Dutch users. If your site is in Dutch or your business is registered in the Netherlands, you're in scope regardless of where your server is hosted.

Are functional cookies affected by these rules?

No. Cookies that are strictly necessary for your website to function (shopping cart, login session, language preference) don't require consent. The rules apply to analytics, marketing and tracking cookies.

My cookie plugin says I'm compliant. Is that enough?

Not necessarily. Many cookie plugins have compliant settings available but don't enable them by default. The AP checks actual behavior, not what your plugin dashboard says. Test it yourself in an incognito window.

Can I just remove my cookie banner entirely?

Only if your website genuinely doesn't use any non-functional cookies. No Google Analytics, no Facebook Pixel, no embedded YouTube videos, no third-party fonts loaded from external servers. If you strip all of that out, you might not need a banner. But most business websites use at least one of these.

What if my web designer set up the cookie banner?

You're still responsible for your own website. But if your web designer configured something incorrectly, talk to them about fixing it. Many web designers will update the setup at no extra cost since it's a configuration change, not a rebuild.