Cookie Compliance per the AP: Lessons from Practice
This year, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has stepped up enforcement on obtaining valid cookie consent, including for analytics and marketing tools. The AP aims to audit 500 organisations a year (around 50 per month). Since the programme began, at least 150 organisations have been audited, ranging from major players to individual sites. In short: there’s no reason to assume your organisation won’t be next.
The AP is also leaning more on automation to operate at scale; think of it as digital speed cameras. All the more reason to get your house in order; that’s precisely the outcome the AP intends.
Received a letter – now what?
In recent months, Cloud Nine Digital has supported multiple organisations after they received an AP notice. Successfully closing these cases has yielded insight into what, exactly, is expected. We’ll set aside our view of the letter itself, but the AP’s position is clear. A few critical points deserve your attention:
Multi-step checks
AP audits run in stages. First comes a largely automated quick scan. You’ll receive the scan’s findings by letter and be expected to fix the violations. That may suffice, but in most cases a second, deeper review follows, often with additional findings.
The hard deadline
You have three months to respond to the letter and to the potential violations identified in the quick scan. Because the quick scan isn’t a full audit, addressing only those items risks fresh findings in the second review, also due within the same three-month window. Conduct additional checks and plan your first response 4–6 weeks after receipt. Also note: the AP itself may take up to two weeks to reply.
All your websites and apps
The scope extends beyond the website named in the letter to all domains and apps you control. In practice, this broader lens isn’t always applied - apps, for example, are often overlooked - but we see the AP sharpening its reviews each round. Include every digital channel in your assessments and fixes.
Preliminary findings (and wording matters)
Quick-scan items arrive as preliminary findings. Watch for phrasing like “doubt has arisen about…”. Not everything is necessarily an error; sometimes a clear explanation is enough. For instance, functional cookies such as Cloudflare’s fraud-detection cookies are allowed without consent, yet they can still appear as “unlawful” in the list.
The attachment is helpful but incomplete
The AP often attaches a list of cookies observed before consent. Useful, but thus far never complete. Additional cookies may surface in the second review. Don’t rely solely on the attachment; conduct your own thorough investigation.
Working through the findings
Given tight timelines, move quickly and deliberately. The goal is to have the AP (provisionally) close the case. Don’t let this balloon into a broad GDPR programme. The window is simply too short.
Our recommended approach:
- Assemble a project team: Bring together Legal stakeholders, Product Owners, tagging specialists and tool owners. This ensures tight coordination with the AP and the firepower to adjust your consent setup and marketing stack.
- Run your own investigation: Review cookie banners and consent mechanisms across all domains and apps. Perform an extensive manual cookie scan. Automated tools miss up to 40% in our experience. As tempting as it is, don’t copy banners from competitors or high-profile sites. Many implementations fall short, and you risk importing their mistakes. Remember, the AP’s focus is on Dutch organisations; large non-Dutch players (e.g., DPG Media in Belgium) aren’t a reliable benchmark.
- Build a to-do list: Combine the AP letter’s points with your own findings. Decide what needs explanation and what requires technical or textual changes. If you’ve been off-track for some time, be prepared. Tight timelines may require temporarily switching off certain applications until consent management is brought into compliance.
- Submit your first response: Document what you’ve changed and provide clarifications where needed. If the AP doesn’t close the case and proceeds to the second, more extensive review, you can repeat this approach right away.
How the AP operates
Automated checks mean continuous oversight of thousands of Dutch websites. Not having received a notice, or having closed a case, doesn’t grant a free pass to repeat old mistakes.
We also have criticisms of the AP’s approach:
- Unexpected additions: Organisations are confronted with new findings in the second review without an extension of the hard deadline. A more complete initial notice, beyond the quick scan, would be clearer.
- Inconsistency: Not all organisations are assessed the same way. What’s flagged as a violation for one may go unmentioned for another, complicating the path to a uniform standard.
All the more reason to conduct robust internal reviews and keep precise documentation of what’s happening and what’s been changed. You’ll cover a broader scope yourself and reduce surprises in round two.
Make it structural policy
The AP is clear: cookie consent must be set up correctly and transparently. With digital speed cameras, they’re watching continuously, and ignorance is no longer a valid excuse: laws and guidance are sufficiently clear by now.
For organisations, this means cookie compliance isn’t a one-off project; it must be a standing part of your data policy. Handled in a structured and timely way, cases usually close quickly while you lay the groundwork for reliable, privacy-first marketing data.
And yes, it’s a cliché, but prevention truly is better than cure here. If cookie consent hasn’t had enough attention, schedule a review and start improving now. Even if you don’t (yet) reach the AP’s ideal setup, strong knowledge of, and grip on, consent management is valuable, or even essential, in every scenario.
Want to learn more? Join our Privacy Breakfast
Want to learn more on this topic? Join us at our breakfast session in Amsterdam with our partner Piano, in which we'll dive into more details on what we have observed from recent AP cases and share insights on how businesses can stay aligned with data protection requirements without limiting their digital performance.
A small, interactive session designed for open discussion and knowledge sharing - a great opportunity to learn from peers and experts in the field.
📅 Date: Thursday, November 13th
📍 Location: Piano Office, Herengracht 433, 1017 BR Amsterdam
🕗 Time: 9:00 – 11:00 (breakfast included)
Register easily here.