The Dutch Data Protection Authority announced on 7 March that giving visitors access to websites only if they agree to their internet browsing activities being tracked by so-called “cookies” or other tracking software does not comply with the EU’s General Data Protection Regulation.

Also known as the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority said it has received dozens of complaints from website visitors who were unable to access the web pages they wanted after refusing to accept being tracked by cookies.

In a translated statement, AP Chairman Aleid Wolfsen said, “The digital tracking and recording of surfing behavior on the Internet via tracking software or other digital methods is one of the largest processing of personal data because almost everyone is active on the Internet. To protect privacy, it is therefore important that parties request permission from website visitors.”

Under the GDPR, companies must request permission from website visitors to use tracking software. Permission is not “freely” given if it is coerced or if the person cannot refuse to give permission without adverse consequences, the AP said.

In response to the complaints it has received, the AP said it has sent letters to numerous organizations with which it has received the most complaints. In its letter, the AP said it will intensify its audit and compliance efforts to assess whether organizations are complying with the GDPR in the interest of protecting privacy.