Skip to content

The nine rules

The Dutch privacy authority highlights nine key rules. Follow them properly and your banner meets the privacy law (GDPR). You still need to check for yourself that you meet every rule when your cookies collect personal data.

1Say what data you collect, and whyTell people which personal data you collect and what for — before they choose.
2Nothing ticked by defaultBoxes and toggles must start switched off — on every screen. Only an active choice counts as a “yes”.
3Use clear wordsPlain button words: Accept · Agree · Refuse. No vague or pushy wording.
4All choices on one screenAccept and refuse on the same screen. If accepting needs no extra click, refusing must not either.
5Don’t hide choicesThe refuse button must be easy to see and read — no forced scrolling, and it must not blend into the background.
6No extra clicks to refuseRefusing takes no more clicks than accepting. Don’t make people confirm a refusal.
7No hidden linkDon’t hide “refuse” as a link inside a block of text. It must be as easy to see as accept.
8Taking it back = as easy as givingPeople can withdraw at any time, for free, with no penalty — and reach that option outside the banner too.
9Don’t mix up the two legal reasonsKeep tracking cookies (which need a “yes”) apart from low-impact cookies (functional and basic stats).

Each rule is explained in full in the pages under Building the banner and Staying within the rules.