Super cookies used in the Netherlands

New research, conducted by US privacy organisation Access Now, shows that so-called super cookies are also used in the Netherlands.

Tracking headers, better known as ‘super cookies’, ‘zombie cookies’ or ‘perma-cookies’, are technically not cookies. Cookies are stored locally and can be managed or deleted by the user in a web browser. Tracking headers, however, are inserted at network level, beyond the reach of users. These controversial headers are practically undeletable and track the app and browsing habits of users, after which these data are transmitted to the network administrator. Moreover, tools that are designed to protect the privacy of users, such as ad blockers or incognito mode, are ineffective against this technology.

Access Now searched for tracking headers in transmissions of 200,000 users in 164 countries who clicked on a button on a specially created website. The ‘super cookies’ were found in a total of 10 countries, including China, Canada, India, Spain and the Netherlands. Earlier this year, researchers in the US found that these tracking headers were used by US telecommunication providers AT&T and Verizon Wireless. These revelations led to an investigation by the US Federal Communications Commission (FCC), regulatory action by the lawmakers in the US Congress and several lawsuits. According to Access Now, ‘super cookies’ are no longer used in the US at the moment.
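The kind of check described above can be sketched as follows. This is an added example, not Access Now's code: it compares the headers a client sent with the headers the test server received and reports anything added or changed in transit. The header names in the lookup table are publicly documented examples that do not come from this article, and the sample requests are constructed.

```python
# Added example: flag headers that appear between client and server.
# Header names are publicly documented examples, not taken from this article.
KNOWN_TRACKING_HEADERS = {
    "x-uidh": "Verizon Wireless UIDH",
    "x-acr": "AT&T x-acr identifier",
    "x-msisdn": "subscriber phone number",
    "x-up-subno": "gateway subscriber number",
}
# Headers that ordinary proxies add; ignored here.
BENIGN_PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}


def _normalise(headers):
    """HTTP header names are case-insensitive, so compare in lower case."""
    return {name.strip().lower(): value for name, value in headers.items()}


def find_injected_headers(sent, received):
    """Return (header, finding) pairs for headers the client did not send.

    `sent` is what the browser reports it sent; `received` is what the
    server saw. Injection is only possible on unencrypted HTTP, so the
    test request must not use HTTPS.
    """
    sent_n, recv_n = _normalise(sent), _normalise(received)
    findings = []
    for name, value in sorted(recv_n.items()):
        if sent_n.get(name) == value or name in BENIGN_PROXY_HEADERS:
            continue  # unchanged, or routine proxy metadata
        if name in sent_n:
            finding = "modified in transit"
        elif name in KNOWN_TRACKING_HEADERS:
            finding = "known tracking header: " + KNOWN_TRACKING_HEADERS[name]
        else:
            finding = "unknown header added in transit"
        findings.append((name, finding))
    return findings


# Constructed sample data: one clean request and one altered by the network.
SENT = {"Host": "example.test", "User-Agent": "TestBrowser/1.0", "Accept": "*/*"}
RECEIVED_CLEAN = {"host": "example.test", "user-agent": "TestBrowser/1.0",
                  "accept": "*/*", "Via": "1.1 proxy.example"}
RECEIVED_TRACKED = dict(RECEIVED_CLEAN, **{"X-UIDH": "CONSTRUCTED-SAMPLE-ID",
                                           "X-Carrier-Token": "constructed"})

if __name__ == "__main__":
    for header, finding in find_injected_headers(SENT, RECEIVED_TRACKED):
        print(header, "->", finding)
```

Because the comparison also reports unknown added headers, it does not depend on the lookup table being complete.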

The investigation shows that telecom provider Vodafone still uses these ‘super cookies’ in the Netherlands. Vodafone acknowledges this, but states that the technology is used only ‘for functional purposes’. Examples include services in which customers pay for goods by charging them to their phone bill. Furthermore, Vodafone underlines that these personal customer data are not shared with third parties.

In the Netherlands, the use of cookies has been a subject of debate for several years now. Earlier this year, this resulted in another change of the cookie provisions laid down in the Dutch Telecommunications Act. The provisions prescribe that websites that place cookies should inform users in advance and in a clear manner. In principle, users must always give active consent prior to the placement of cookies. Now that the law has been changed, such consent is no longer required for analytical cookies that only constitute a minor infringement of the privacy of users. The Authority for Consumers and Markets (ACM), which oversees compliance with the Telecommunications Act, can impose fines of up to €450,000.

For more information about cookie legislation, contact our privacy specialists.

Bart Schermer, Partner / founder