31/01/22

Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules

In its decision of 21 January 2022, the Belgian Data Protection Authority (“BDPA”) has reminded companies about some important rules on the use of cookies/trackers. Available in French, this decision also provides useful insight for DPOs into best practices for cookie compliance and the conditions under which companies are allowed to track online user behaviour and whether consent must always be obtained. We have set out below a summary of this decision and provided some key tips on complying with this ruling.

What is tracking technology?

The term tracking technology/tracker is quite broad. It includes cookies and HTTP variables, which may include web beacons, flash cookies, access to terminal information from APIs (e.g. advertising identifiers such as IDFA or Android ID, GPS access), or any software identifier or device identifier (e.g. serial number, MAC address, unique terminal identifier), or any other identifier generated by software or an operating system (e.g. MAC address).

Do I need consent for all cookies/trackers?

No. Trackers that are strictly necessary for providing an online communication service expressly requested by the user, or trackers that enable communication via electronic means, do not require consent. This also applies to cookies that retain the user’s choice to deposit cookies, that are used to authenticate a service, that retain the contents of a shopping cart, or that personalize the user interface (e.g. language selection or service layout), where such personalization is an intrinsic and expected feature of the service. Processing this data is generally based on the user’s legitimate interest.

According to the BDPA, you must obtain prior consent for all the other cookies and trackers. For example, cookies used for displaying personalized or non-personalized advertising (which uses trackers to analyse the advertising audience) or for sharing on social networks. Where consent is not given (i.e. consent is refused by the user), these cookies cannot be installed and/or read on the user’s terminal.

Consent must also be specific. Confirming a purchase or accepting general terms and conditions is therefore not sufficient to consider  that consent has been validly given to the placement or reading of cookies. Nor can the mere “use” of cookies imply that consent has been given, without any further specification as to the data collected via these cookies or the purposes for which this data is collected.

Do transparency requirements also apply to cookies?

Yes. Before user consent is requested, this principle requires that precise information, in simple terms that are understandable to any user, is provided on (i) the identity of the controller, (ii) the purposes of the cookies and other trackers that will be installed and/or read, (iii) the data they collect, and (iv) their lifetime. The information must also (i) explain the data subject’s GDPR rights, including the right to withdraw consent, and (ii) be presented in a language that is easily understood by the “target audience” (see our previous Law Now on this requirement).

This information requirement applies to all types of cookies, regardless of whether their impact on the data subject’s data protection rights is low or high. It must also be included in the banner, for instance via a direct link to the information required to be provided about cookies, instead of a general reference to the privacy policy. 

In the case at hand, the defendant argued that it was impossible to display the information about the problematic cookie (about whether the user’s browser accepted third party cookies) in the user’s language since this was the page on which the user had to select his/her language/country. The BDPA dismissed this argument. According to the BDPA, even if your website is aimed at a French-speaking and/or Dutch-speaking audience (and must therefore be provided in French and/or Dutch), it is “appropriate to display the warning of the use of the cookie in English, a widespread language commonly used by other websites before selecting the user’s language”.

Does the decision provide any recommendation concerning the record of processing activities (“ROPA”)?

Yes. The BDPA “strongly recommends that the third countries to which several categories of personal data are transferred are indicated and easily identifiable in the ROPA, particularly in view of the Schrems II case” (see our previous Law Now). As a result, the BDPA ordered the defendant to adapt its ROPA such that it expressly mentions these third countries (merely referring to documents of subcontractors with whom you have concluded agreements is not sufficient).

Do I need to upgrade my non-secure http website to https?

Yes. This may otherwise constitute a breach of the security obligation under the GDPR. With http, the procedure for communication between a web browser and server is a protocol that conveys data in clear text, i.e. not encapsulated in a tunnel like the TLS protocol would for an https link.

When will the EU finally adopt its new rules on cookies (Privacy and Electronic Communications (ePrivacy) Regulation)?

The EU’s draft ePrivacy Regulation is still not adopted. It’s now up to the French Presidency (which holds the rotating presidency of the Council of the EU from 1 January until 30 June 2022) to advance the negotiations with the EU Parliament. As there are still some points of disagreement regarding the current draft, the Regulation is not expected to come into force before 2023. A potential transition period of 24 months means that it won’t become effective before 2025. In the meantime, on 19 January 2022, the EU privacy regulator, the EDPB, adopted a letter calling for a consistent interpretation of cookie consent.

Tom De Cordier, Partner, Brussels

Thomas Dubuisson, Senior Associate, Brussels

dotted_texture