The Dutch Data Protection Authority (AP) has imposed a fine of 600,000 euros on the company behind the Kruidvat drugstore. Kruidvat.nl followed consumers with tracking cookies, without their knowledge or permission. AS Watson collected and used sensitive personal data from millions of website visitors against the rules.
The company behind Kruidvat collected data from website visitors and was able to create personal profiles. In addition to visitors’ location data, this included which pages they visited, which products they added to the shopping cart and purchased and which recommendations they clicked on.
That is very sensitive information, AP points out, due to the specific nature of drugstore products. Such as pregnancy tests, contraceptives or medication for all kinds of ailments. That sensitive information, linked to the location (which may be traceable via the IP address) of the unique visitor, can sketch a very specific and invasive profile of the people who visit Kruidvat.nl.
Kruidvat.nl should have asked permission to place tracking cookies on visitors’ computers. The GDPR privacy law sets a number of requirements for valid consent. These requirements are that consent must be given freely, for specific processing of personal data, on the basis of sufficient information and that there must be no doubt that consent has been given.
In the cookie banner on Kruidvat.nl, the boxes to agree to the installation of tracking software were checked by default. That’s not allowed. Visitors who still wanted to refuse the cookies had to go through many steps to achieve this. The AP has found that personal data of website visitors to Kruidvat.nl have been processed unlawfully.
At the end of 2019, the AP started an investigation into various websites, including Kruidvat.nl. The AP tested whether these websites met the requirements for placing (tracking) cookies. The AP checked whether permission for tracking cookies was asked from website visitors and, if so, how exactly this happened.
Kruidvat.nl was found not to comply in April 2020, after which the AP sent the company a letter. In 2020, the AP found that Kruidvat.nl was still not in order. The AP then started investigating this website further. This violation ended in October 2020.
There is increasing social irritation about cookies and cookie notifications, ranging from annoying and misleading banners to concerns about the secret tracking of internet users. In 2024, the AP will check more often whether websites correctly request permission for tracking cookies or other tracking software.
Source: Boete van 600.000 euro voor tracking cookies op Kruidvat.nl – Emerce
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft