The Dutch Data Protection Authority (AP) has imposed a fine of 600,000 euros on the company behind drugstore Kruidvat. Kruidvat.nl followed consumers with tracking cookies, without their knowledge or permission. AS Watson collected and used sensitive personal data of millions of website visitors in violation of the rules.
The company behind Kruidvat collected data from website visitors and was able to create personal profiles with it. In addition to location data from visitors, this included which pages they visited, which products they added to the shopping cart and bought, and which recommendations they clicked on.
That is very sensitive information, AP says, due to the specific nature of drugstore products. Such as pregnancy tests, contraceptives or medication for all kinds of ailments. That sensitive information, linked to the location (which can be traced via the IP address) of the unique visitor, can sketch a very specific and invasive profile of the people who visit Kruidvat.nl.
Kruidvat.nl should have asked permission to place tracking cookies on the computer of visitors. The privacy law AVG sets a number of requirements for valid permission. These requirements are that permission must have been given freely, for a specific processing of personal data, based on sufficient information and that there must be no doubt that permission has been given.
In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. This is not allowed. Visitors who still wanted to refuse the cookies had to go through many steps to achieve this. The AP has found that personal data of website visitors of Kruidvat.nl have been processed unlawfully.
At the end of 2019, the AP started an investigation into various websites, including Kruidvat.nl. The AP tested whether these websites met the requirements for placing (tracking) cookies. In doing so, the AP checked whether permission for tracking cookies was requested from website visitors and, if so, how exactly this happened.
Kruidvat.nl was found to be non-compliant in April 2020, after which the AP sent the company a letter. In 2020, the AP found that Kruidvat.nl was still not in order. The AP then started further investigation into this website. This violation was ended in October 2020.
There is increasing social irritation about cookies and cookie notifications, ranging from annoying and misleading banners to concerns about the secret tracking of internet users. In 2024, the AP will check more often whether websites correctly request permission for tracking cookies or other tracking software.
AS Watson (Health & Beauty Continental Europe) BV has also lodged an objection against the fine decision.
Source: www.emerce.nl
