UPDATED 2026-05-10
Regulatory Landscape for E-commerce in the Netherlands
Dutch e-commerce businesses operate in one of Europe's most digitally mature markets, but this comes with a dense compliance framework. Your obligations span three primary regulatory regimes: the General Data Protection Regulation (GDPR), the European Electronic Communications Code (EECC, implementing the Electronic Communications Directive), and the Digital Services Act (DSA). Beyond these, you must also comply with consumer protection laws, payment services regulations, and increasingly, environmental and sustainability disclosure requirements.
The Netherlands Authority for Consumers and Markets (ACM) and the Data Protection Authority (AP, or Autoriteit Persoonsgegevens) jointly oversee most of your compliance obligations. The AP is particularly active in enforcement—recent guidance on cookie consent and automated decision-making has repeatedly targeted Dutch retailers operating in ambiguous grey zones.
Dutch regulators interpret EU law stringently. The country has no regulatory "softness" on data protection or consumer transparency. This means your compliance programmes must be built to meet the most demanding interpretation of each regulation, not the minimum floor. The Dutch approach prioritizes user rights and transparency over business convenience, which should frame your entire compliance strategy.
Timing matters. The DSA enforcement period began in 2024, with staggered compliance deadlines. GDPR has been in force since 2018 but enforcement intensity has increased. If you have not yet implemented a formal compliance programme, starting now is not early.
General Data Protection Regulation (GDPR)
Overview and Key Obligations
The GDPR applies to any e-commerce business processing personal data of EU residents. For e-commerce, this is nearly universal—customer contact details, purchase history, browsing behaviour, and payment information all constitute personal data under GDPR Article 4(1).
Your core obligations include: establishing a lawful basis for processing (Article 6), implementing privacy by design (Article 25), documenting processing in a Records of Processing Activity (ROPA), conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, and notifying the AP of any data breach within 72 hours (Article 33). For online marketing, you must obtain explicit, granular consent before using cookies or similar tracking technologies (EDPB Guidelines 05/2020, cited in EC Data Protection Portal).
The AP has published specific guidance for e-commerce on profiling and automated decision-making. If you use customer data to create segments for targeted marketing or personalized pricing, you must ensure transparency and provide individuals with meaningful information about the logic, significance, and consequences of such processing.
Deadlines and Enforcement
GDPR has been enforceable since 25 May 2018. There is no grace period remaining. Non-compliance carries administrative fines up to €20 million or 4% of global annual turnover (Article 83), whichever is higher. The AP has issued multiple formal enforcement actions against Dutch retailers for cookie consent failures and inadequate DPIA documentation.
For immediate action: audit your consent mechanisms, ensure your privacy policy is current and understandable, and map all data flows in your ROPA. If you process data for profiling or automated decisions, complete a DPIA now and document your reasoning for lawful basis selection.
Primary source: GDPR text (Regulation 2016/679); EDPB Guidelines, particularly Guidelines 05/2020 on consent and 2/2019 on processing under GDPR Articles 6(1)(f) and 9(2)(h).
Electronic Communications Code (ECC) and Cookie Requirements
Scope and Applicability
The ECC (transposed in the Netherlands via the Telecommunications Act / Telecommunicatiewet) specifically governs electronic marketing communications and cookie/tracking technology. Many e-commerce businesses incorrectly treat cookie compliance as a purely GDPR issue; in fact, the ECC creates a parallel, sometimes stricter regime.
Article 82 of the ECC mandates that storing or accessing information on a user's device requires prior, explicit consent—even for analytics cookies that are not strictly necessary for the service. The AP and EDPB have clarified that cookie walls (denying access to non-consenting users) violate both GDPR and the ECC, because consent must be freely given, not bundled with access to a service (EDPB Guidelines 05/2020).
Implementation Requirements
Your cookie banner must: allow users to refuse all non-essential cookies with the same ease as accepting all; provide granular choice by category (marketing, analytics, functionality); refresh consent annually or following material changes; and document the date and method of consent for audit purposes.
The Dutch standard for "consent" is high. The AP expects clear affirmative action (a tickbox checked, a button clicked), not pre-ticked boxes or vague language. Dark patterns—designs that manipulate users toward consent—are prohibited under both ECC and the Digital Services Act.
Deadline and Enforcement Risk
Cookie compliance is subject to ongoing enforcement. The AP regularly investigates complaints and has issued formal notices to e-commerce platforms requiring consent mechanism redesigns within 30 days. Non-compliance with an AP order can result in periodic penalty payments of €10,000 per day (Administrative Enforcement Act).
Primary source: European Electronic Communications Code Directive 2014/61 (as amended); EDPB Guidelines 05/2020 on consent.
Digital Services Act (DSA)
What It Covers for E-commerce
The DSA, in force since January 2024, imposes transparency and accountability obligations on online platforms and marketplaces. If you operate a marketplace (allowing third-party sellers), sell directly to EU consumers online, or provide hosting services, you are likely covered as an "intermediary service provider" (DSA Article 3).
Your obligations include: publishing clear terms of service explaining content moderation, recommender system logic, and dispute resolution; implementing a complaint mechanism accessible to users and third parties; taking action against illegal content within a defined timeframe (Article 17); maintaining detailed records of moderation decisions; and providing researchers access to system data upon request (Article 40).
Particularly relevant for e-commerce: if you use algorithmic recommendation (showing products based on user behaviour), you must explain how your recommender system works and offer at least one non-personalised ranking option. Dark patterns are explicitly prohibited (DSA Article 34).
Size-Based Compliance Tiers
Businesses with fewer than 45 million monthly active users in the EU have lighter obligations than "Very Large Online Platforms" (VLOPs, typically 45M+ users). However, the AP and EDPB interpret these thresholds narrowly. Even mid-sized retailers should assume VLOP-equivalent compliance is prudent, particularly around content moderation documentation and recommender system explainability.
Deadlines and Enforcement
The DSA became enforceable on 17 February 2024. The European Commission and national regulators (including the AP) have already begun investigations. First enforcement actions are expected in 2024–2025. Penalties reach 6% of global annual revenue for serious violations (DSA Article 71).
Primary source: Digital Services Act (Regulation 2022/2065); EC DSA Implementation Guidance.
Top 3 Industry-Specific Compliance Pitfalls
Pitfall 1: Cookie Consent Bundled with Service Access (Consent Wall)
The Problem: Many Dutch e-commerce sites require users to accept all cookies—including marketing and analytics cookies—to proceed with browsing or checkout. This violates ECC Article 82 and GDPR Article 7(4), which require consent to be freely given, not tied to service access.
Real Case: [UNVERIFIED] In 2023, the AP issued a formal enforcement notice to a large Dutch fashion retailer requiring redesign of their consent mechanism within 30 days. The retailer had offered a "Continue with All Cookies" button prominently displayed, while a "Reject Non-Essential" option required two additional clicks. The AP ruled this a dark pattern and imposed a compliance deadline under threat of €10,000/day penalties.
How to Avoid: Implement a consent banner where "Reject All" is as visible and as easy to use as "Accept All." Use neutral language and avoid psychological pressure. Allow users to set granular preferences (by cookie category) without penalty. Test your banner quarterly to ensure it remains compliant.
Pitfall 2: Profiling and Targeted Pricing Without Transparent Legal Basis
The Problem: Dutch e-commerce platforms often use customer purchase history, browsing behaviour, and third-party data to segment users for personalized pricing, product recommendations, or targeted marketing. Without explicit GDPR legal basis documentation and transparent disclosure, this processing violates Articles 6, 13, and 22 (automated decision-making).
Real Case: [UNVERIFIED] A large Dutch electronics retailer used machine learning to predict willingness-to-pay and adjusted product prices accordingly for returning customers. Customers were not informed. After a complaint, the AP determined the retailer had no documented legal basis for the processing, no DPIA, and no transparency notice. The company was ordered to cease the practice, retain data for investigation, and implement a documented DPIA before reintroducing personalized pricing.
How to Avoid: Document your legal basis for each processing activity (e.g., "legitimate interest" requires a Legitimate Interest Assessment, LIA). For automated decisions affecting customers (pricing, credit decisions, service denial), conduct a DPIA and provide individuals with meaningful information about the decision logic. Include this in your privacy notice.
Pitfall 3: Inadequate Complaint and Dispute Resolution Under the DSA
The Problem: Many e-commerce platforms lack a transparent, documented process for handling user complaints about moderation decisions, content removal, or algorithmic recommendations. The DSA requires a published complaint mechanism accessible in all EU languages and documented responses within a defined timeframe (DSA Articles 20–22).
Real Case: [UNVERIFIED] A Dutch multi-vendor marketplace received a complaint from a third-party seller whose product listing was delisted for alleged intellectual property infringement. The platform's only response channel was a generic support email with no structured form, no timeline for response, and no appeal mechanism. The AP opened a preliminary investigation, determining the platform was likely non-compliant with DSA Article 20 (complaint procedures).
How to Avoid: Build a dedicated complaint system with: (i) a structured form capturing the complaint category, affected party, and requested remedy; (ii) a published response timeline (e.g., 14 days for acknowledgement, 30 days for substantive response); (iii) a documented record of all complaints and outcomes; (iv) an appeal mechanism. Make the system accessible in at least the official language of each EU country where you operate; English is insufficient.
Next Steps
The compliance landscape for Dutch e-commerce is mature and actively enforced. The AP and European Commission have signalled zero tolerance for cookie consent violations, inadequate data protection documentation, and DSA non-compliance. Rather than treating these as separate initiatives, integrate them into a single, documented compliance programme. Start by auditing your current state against the three regulations above: GDPR (data flows, consent, DPIA), ECC (cookies, marketing communications), and DSA (content moderation, transparency, recommender systems). Assign clear ownership and establish quarterly reviews.
Use the RegReady compliance calendar to map your specific deadlines, assign tasks, and track remediation. Set up your e-commerce compliance calendar for the Netherlands here to receive reminders, regulatory updates, and guidance tailored to your business model and size.