Website compliance in the Netherlands: cookies, GDPR and accessibility

The Netherlands is an EU member state, so the headline rules are the same ones that apply across the bloc: the GDPR for personal data, the ePrivacy Directive for cookies and storage, and the European Accessibility Act for digital accessibility. What trips up operators is that each of these reaches a Dutch website through a different national statute and a different regulator. This guide maps the three frameworks as they actually apply in the Netherlands in 2026.

The three frameworks that apply

• GDPR + UAVG. The GDPR applies directly, and the Dutch Uitvoeringswet AVG (UAVG) fills in the national detail. The supervisory authority is the Autoriteit Persoonsgegevens (AP).
• ePrivacy via the Telecommunicatiewet. The cookie-consent rule is Article 11.7a of the Telecommunicatiewet, in force since 2012. This is the rule that requires the banner — not the GDPR.
• EAA via the Implementatiewet. The European Accessibility Act is transposed by the Implementatiewet toegankelijkheidsvoorschriften producten en diensten, applying to in-scope consumer products and services from 28 June 2025.

Cookies: Article 11.7a Telecommunicatiewet

Article 11.7a requires that, before storing information on or reading information from a user’s terminal equipment, a website gives clear and complete information about the purposes and obtains consent. Two narrow exemptions apply: a cookie strictly necessary to transmit the communication, and a cookie strictly necessary to deliver a service the user explicitly requested (for example, a session or shopping-cart cookie).

Everything else — analytics, advertising pixels, social embeds, A/B testing, session recording — needs prior opt-in consent. As with the rest of the EU, the rule is technology-neutral: swapping a cookie for localStorage or a tracking pixel does not escape it.

The AP cookie crackdown

Through 2025 the Autoriteit Persoonsgegevens made cookie banners a stated enforcement priority. Several organisations received a “cookie letter” asking them to fix non-compliant banners, and the AP examined how sites deploy Google Analytics 4. The AP’s position on banner design is specific:

• If there is an “Accept all” button on the first layer, there must be a “Reject all” button on that same first layer, at the same level of prominence.
• A “Settings” or “Manage” link does not count as a reject option — rejecting must be as easy as accepting.
• No non-essential cookies or trackers may fire before the visitor actively consents.

This mirrors the broader EU consensus (see our piece on reject-all parity), and it is the single most common reproducible failure Veracly detects on Dutch sites.

Accessibility: the EAA in Dutch law

The European Accessibility Act applies EU-wide from 28 June 2025. In the Netherlands it is transposed by the Implementatiewet toegankelijkheidsvoorschriften producten en diensten, which amends several existing laws including the Warenwet (Commodity Act), the Telecommunicatiewet and the Civil Code. For digital services, consumer-facing websites, apps and web shops must be accessible — measured in practice against WCAG 2.1 AA through the harmonised standard EN 301 549.

Enforcement is split across supervisors depending on the product or service; the Authority for Consumers and Markets (ACM) supervises e-commerce. A microenterprise relief exists for service providers (fewer than 10 staff and turnover or balance sheet at or below €2 million), but it is narrow and does not extend to products. Public-sector bodies were already covered separately under the Web Accessibility Directive.

A practical checklist for a Dutch site

1. No non-essential cookie, pixel or storage write fires before consent.
2. The banner offers Reject all on the first layer, as prominent as Accept all.
3. A privacy statement names the trackers used and the GDPR/UAVG legal basis.
4. Analytics (including GA4) is consent-gated, and any US transfer rests on a valid Chapter V mechanism.
5. The site meets WCAG 2.1 AA (EN 301 549) for consumer-facing content.

How Veracly checks a Dutch website

Veracly evaluates a Dutch URL against all three frameworks in one scan. The cookie-audit module records every network request, cookie and storage write that occurs before banner interaction and flags Article 11.7a issues (pre-consent firing, missing reject path, banner absent). The accessibility module runs axe-core against the rendered DOM for WCAG 2.1 AA. Each finding is mapped to the framework it actually engages and is reproducible by you in your own browser’s DevTools.

See also: Website compliance in Finland · GDPR vs ePrivacy: which governs cookies? · The EAA for small and medium businesses