Belastingdienst Analytics Signal: Your Website Needs a Real Owner

A cookie tool can become a consent, vendor and breach question before the founder notices.

It often starts with a harmless screen. A founder checks yesterday’s visitors, abandoned carts, pages that worked and pages that failed. The dashboard helps with stock, pricing, campaigns and service. It feels far away from law, contracts and breach reporting.

The signal has to become readable

Then the comfort breaks. On 11 June 2026, Rijksoverheid reported that an ethical hacker had warned the Belastingdienst about Adobe Analytics on Belastingdienst websites. Behavioural data had been sent to Adobe without consent. The functionality was switched off, the Autoriteit Persoonsgegevens was informed, and a datalek notification was filed. An inventory of similar tooling was also underway.

The reading for business is simple. This is not only a government story. It is a signal to every company with a website. Analytics is not just a dashboard. It is part of the control chain.

The script is part of the control chain

The Belastingdienst sits in a special position. It handles tax, identity-linked services and public trust. That makes the public weight heavier. Yet the mechanics are familiar to small firms. A script is added, a vendor receives data, a cookie statement says one thing, and the live site starts to do another.

Dutch cookie law is not complicated at its core. Telecommunicatiewet article 11.7a generally requires clear information and prior consent before storing or reading information on a user’s device, unless an exception applies. Rijksoverheid guidance says functional cookies and some low-impact analytical cookies may fall outside consent. Tracking cookies require consent. If personal data is processed, the AVG also applies.

That is the practical line. Analytics is allowed. Blind analytics is the weak point. A company needs to know what it measures, which tool does the measuring, what data leaves the site, and whether the paperwork matches the live setup.

What the signal changes

Rijksoverheid also placed the incident inside a broader digital-autonomy programme at the Belastingdienst. That programme points to more in-house development, own IT operations, open source and changed vendor relations. The business signal is not ideological. If an organisation cannot explain and control its technology chain, trust becomes harder to keep.

The small company version

Picture a small online retailer in Utrecht. The owner wants better conversion figures before the summer sale. A web agency adds a tag manager, an analytics tool, a marketing pixel and a heatmap. Later, a payment provider adds its own script. Months pass. The privacy statement still describes simple website statistics.

No one intended to create a compliance problem. That is why this topic matters. Most website control failures do not begin in a boardroom. They grow through small changes, old agency access, quick campaign fixes and tools that nobody removes when the campaign ends.

The same pattern appears in booking sites, recruitment pages, client portals, accountants’ upload environments and SaaS products. Customers do not experience these as separate technical zones. They see one company. If the login page, checkout and analytics layer do not speak the same compliance language, trust leaks through the joins.

A consent banner helps only if it reflects the real site. It cannot repair a tool stack that nobody has mapped. A privacy statement cannot carry the weight if scripts are added without review. The serious question for the founder is plain: who owns the website after it goes live?

Where compliance touches cash

The subject sounds like compliance, but the cash effect is real. If a company finds that its analytics setup is wrong, the cost is not limited to a legal check. Someone has to scan the site, identify the tools, clean the tag manager, speak with vendors, update notices, review processor terms and assess higher-risk processing.

Rijksoverheid’s AVG handbook says a DPIA is required before processing where intended personal-data processing is likely to create a high risk for people. It also sets out the 72-hour framework for reporting a personal-data breach to the Autoriteit Persoonsgegevens where reporting is required, and the duty to document breaches internally. If a processor handles personal data, a written or electronic processor agreement, or another binding legal act, is part of the discipline.

What founders should check

For a micro company, this pressure is practical. A paused booking flow delays cash. A rebuilt checkout costs money. Cleaner analytics may reduce behavioural data, so marketing decisions become less comfortable for a while. Yet a smaller stack can also make the business easier to run. Fewer tools mean fewer contracts, fewer settings and fewer surprises.

This is where the ledger meets the website. The invoice for analytics is visible. The hidden cost of poor control arrives later, when the company has to reconstruct what happened.

A cleaner ownership habit

A sensible first move is ownership. One person should know which scripts run on the public site, checkout, portal, recruitment page and booking path. That person does not need to be a lawyer. They need enough authority to ask the web agency, the marketing team and the software supplier simple questions and wait for clear answers.

Useful questions are concrete. Which cookies and trackers run before consent? Which vendors receive data? Are IP addresses, account identifiers, transaction references or page paths involved? Does the cookie statement describe the live configuration? Who can add a tag? Which old tools and agency accounts still have access?
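
An added example, not part of the original article: a minimal inventory that lists the third-party hosts referenced in a saved copy of a page and flags those missing from the vendor list in the privacy statement. The HTML, host names, `SITE_HOST` and `DECLARED` are constructed placeholders modelled on the Utrecht retailer scenario.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: saved HTML of a hypothetical shop page (placeholder hosts).
SAMPLE_HTML = """
<html><head>
<script src="/assets/shop.js"></script>
<script src="https://tags.tagmanager.example/loader.js"></script>
<script src="https://stats.analytics.example/collect.js"></script>
<script async src="//cdn.heatmap.example/h.js"></script>
</head><body>
<img src="https://px.adpixel.example/tr?ev=PageView" width="1" height="1">
<iframe src="https://pay.psp.example/widget"></iframe>
</body></html>
"""
SITE_HOST = "shop.example"               # assumption: the site's own domain
DECLARED = {"stats.analytics.example"}   # assumption: vendors named in the privacy statement


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for elements that make the browser fetch a URL."""
    TAGS = {"script", "img", "iframe", "link"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            attrs = dict(attrs)
            url = attrs.get("src") or attrs.get("href")
            if url:
                self.found.append((tag, url))


def third_party_hosts(html, site_host):
    """Map each external host to the tags that reference it."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = {}
    for tag, url in collector.found:
        host = urlparse(url).hostname  # None for relative, same-site URLs
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.setdefault(host, set()).add(tag)
    return hosts


def undeclared_hosts(html, site_host, declared):
    """Hosts the page contacts that the privacy statement does not mention."""
    return sorted(h for h in third_party_hosts(html, site_host) if h not in declared)


if __name__ == "__main__":
    for host in undeclared_hosts(SAMPLE_HTML, SITE_HOST, DECLARED):
        print("undeclared:", host)
```

Static HTML does not show what a tag manager injects at runtime, so this list is a lower bound; compare it with a browser network log captured before any consent choice is made.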

Companies handling client documents, payroll data, tax files, health information, applications or financial records need extra care around portals and uploads. Analytics near sensitive journeys deserves a stricter eye than analytics on a public brochure page. The same is true for login environments and payment flows, where customers expect care even if they never read the privacy notice.

I would rather see a small business keep modest analytics that it can explain than an impressive dashboard it cannot defend. The Belastingdienst incident shows how fast a measurement tool can become a consent issue, a vendor issue, a breach issue and a trust issue.

Back at the dashboard

Return to the founder looking at yesterday’s visitors. The dashboard is still useful. It can help with stock, pricing, campaigns and service. But it should no longer sit outside governance. A website is not finished when it looks good. It is finished when the company knows what it sends, why it sends it, who receives it, and where that decision is recorded.

Editorial standard

The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
