Belgian Data Protection Authority publishes checklist on the correct use of cookies and similar technologies

The Belgian Data Protection Authority (BDPA) has issued a checklist on the correct usage of cookies and similar technologies, reaffirming its stringent stance on these matters. This checklist, long-anticipated by those in the field, provides insights into various contentious issues.

The BDPA first emphasises that the checklist does not impose any new obligations.  However, the BDPA has now taken a concrete position on a number of issues that have been the subject of debate in practice. The BDPA also stresses that the checklist is not exhaustive. Additionally, it applies to both ‘cookies’ and other similar technologies, such as tracking pixels and device fingerprinting.

Principle: consent required, except for essential cookies

The BDPA underscores the necessity of free and informed consent for the use of cookies. Consent is mandatory for most cookies, except for ‘essential’ ones. These include technical cookies, such as those involved in “load balancing”, and functional cookies that store language preferences or shopping cart contents.

Barriers to free consent

For consent to be free, the visitor must have a real choice. Practices such as “cookie walls”, where users must accept all cookies to access a site, are deemed invalid by the BDPA. Notably, an emerging ‘pay or okay’ model in other European countries lets visitors either pay a small fee to access the site or accept specific cookies. The BDPA does not take an explicit stance on this practice, but appears to prohibit it.

Another contentious issue is the design of cookie banners. The BDPA insists that having a button to reject all cookies alongside the option to accept all cookies is necessary. However, it is important to note that not all data protection authorities share this view. Moreover, the BDPA strictly prohibits ‘deceptive design’ and refers to the European Data Protection Board’s (EDPB) guidelines, which recommend identical designs for accept and decline buttons.

More hurdles to valid consent

The BPDA continues its checklist with other requirements for obtaining valid consent through the cookie banner:

• The BDPA requires that by the second layer at the latest, you must offer the option of granting or denying consent for each specific category of cookie. Separate consent should be given for the use of cookies for your own advertising and profiling and for the use by third parties. Finally, it should be possible to give consent for each third party individually. However, this option can be placed in a third layer.
• Information-packed cookie banners. The BDPA requires that the first layer of the cookie banner should inform website visitors of (i) the purposes for which consent is sought, (ii) details of the data controller, (iii) the number of third parties placing cookies, with a click-through link to the full list, (iv) information on how to accept or reject cookies and the consequences of each choice, and (v) instructions on how to withdraw consent. In a subsequent layer of the cookie banner, you should include a full list of all cookies used, broken down by category, with their purpose, duration and recipients.
• Consent must be actively given. The BDPA disapproves of cookie banners stating ‘by continuing to browse, you agree to our use of cookies’. Pre-checked boxes are also prohibited, and consent cannot be tied to the acceptance of terms and conditions or inferred from the visitor’s browser settings.
• Easy withdrawal of consent. An accessible method for withdrawing consent is essential. This process should be as straightforward as granting consent, achieved through a button or link that allows visitors to manage their cookie settings and withdraw consent with a single click. A previous BDPA decision recommended placing this button or link at the top of the cookie policy.

Accountability

The BDPA highlights that cookies should only be retained for a limited period to track user preferences. This affects when consent must be sought again or when it is permissible to request consent after a refusal. The BDPA suggests that six months is reasonable, in line with the views of other European DPAs. Furthermore, companies should be ready to demonstrate how their cookie banners and policies have evolved over time and provide a date and version number for their cookie policies.

Stringent cookie rules

It is clear that the BDPA is taking a tough stance on cookies and related technologies compared with other European DPAs. Getting your cookie banner and policy right should therefore be a priority. After all, the BDPA has also announced inspections in this area. 

These five rules of thumb can help you get your cookie policy right:

1. Minimise cookies and related technologies. Focus on essential cookies and avoid unnecessary ones. Reducing data collection from cookies can limit legal exposure.
2. Opt-in approach. Seek active consent through an adequate number of opt-in boxes. Consider employing a layered approach.
3. Don’t mislead. Ensure your cookie banner is transparent and informative, avoiding any deception.
4. In-depth knowledge. A website is a company’s digital greeting card. Any mistakes will be seen, especially by the authorities. So check every cookie and similar technology you put on your site.
5. Data transfer awareness. When you use American cookies, such as Google Analytics, there is usually also a data transfer involved. We wrote about this earlier in this newsflash.

Matthias Vandamme, Attorney – Associate Claeys & Engels