The Belgian Data Protection Authority (BDPA) has issued a checklist on the correct usage of cookies and similar technologies, reaffirming its stringent stance on these matters. This checklist, long-anticipated by those in the field, provides insights into various contentious issues.
The BDPA first emphasises that the checklist does not impose any new obligations. However, the BDPA has now taken a concrete position on a number of issues that have been the subject of debate in practice. The BDPA also stresses that the checklist is not exhaustive. Additionally, it applies to both ‘cookies’ and other similar technologies, such as tracking pixels and device fingerprinting.
Principle: consent required, except for essential cookies
Barriers to free consent
For consent to be free, the visitor must have a real choice. Practices such as “cookie walls”, where users must accept all cookies to access a site, are deemed invalid by the BDPA. Notably, an emerging ‘pay or okay’ model in other European countries lets visitors either pay a small fee to access the site or accept specific cookies. The BDPA does not take an explicit stance on this practice, but appears to prohibit it.
Another contentious issue is the design of cookie banners. The BDPA insists that having a button to reject all cookies alongside the option to accept all cookies is necessary. However, it is important to note that not all data protection authorities share this view. Moreover, the BDPA strictly prohibits ‘deceptive design’ and refers to the European Data Protection Board’s (EDPB) guidelines, which recommend identical designs for accept and decline buttons.
More hurdles to valid consent
The BDPA continues its checklist with other requirements for obtaining valid consent through the cookie banner:
- Information-packed cookie banners. The BDPA requires that the first layer of the cookie banner should inform website visitors of (i) the purposes for which consent is sought, (ii) details of the data controller, (iii) the number of third parties placing cookies, with a click-through link to the full list, (iv) information on how to accept or reject cookies and the consequences of each choice, and (v) instructions on how to withdraw consent. In a subsequent layer of the cookie banner, you should include a full list of all cookies used, broken down by category, with their purpose, duration and recipients.
The BDPA highlights that cookies should only be retained for a limited period to track user preferences. This affects when consent must be sought again or when it is permissible to request consent after a refusal. The BDPA suggests that six months is reasonable, in line with the views of other European DPAs. Furthermore, companies should be ready to demonstrate how their cookie banners and policies have evolved over time and provide a date and version number for their cookie policies.
Stringent cookie rules
It is clear that the BDPA is taking a tough stance on cookies and related technologies compared with other European DPAs. Getting your cookie banner and policy right should therefore be a priority. After all, the BDPA has also announced inspections in this area.
- Minimise cookies and related technologies. Focus on essential cookies and avoid unnecessary ones. Reducing data collection from cookies can limit legal exposure.
- Opt-in approach. Seek active consent through an adequate number of opt-in boxes. Consider employing a layered approach.
- Don’t mislead. Ensure your cookie banner is transparent and informative, avoiding any deception.
- In-depth knowledge. A website is a company’s digital greeting card. Any mistakes will be seen, especially by the authorities. So check every cookie and similar technology you put on your site.
- Data transfer awareness. When you use American cookies, such as Google Analytics, there is usually also a data transfer involved. We wrote about this earlier in this newsflash.
Matthias Vandamme, Attorney – Associate Claeys & Engels