21/04/20

Belgian Data Protection Authority releases recipe for compliant cookies

During these corona times, we have noticed a trend whereby many of us have started baking (cookies, cakes, and other delicious treats). It now appears that the Belgian Data Protection Authority (BDPA) also had something significant in the oven. We have had to wait quite some time for this, but the BDPA has finally issued regulatory guidance on the use of cookies.

Background

In December 2019, the BDPA had already imposed an administrative fine of EUR 15,000 on a company for, among other things, unlawful cookie use. This decision was criticised by practitioners, as no clear regulatory guidance was available in Belgium on how to apply the cookies rules post-GDPR. The standard for valid cookies consent and the exemptions to the consent requirement are in fact still quite divergent throughout the EU.

The Belgian cookies guidance can be found spread over various sections of the re-launched cookies theme page (Dutch/French) on the BDPA’s website. It has not been released in the form of a comprehensive recommendation or advice. The guidance mostly confirms and clarifies points that have been developed in case law.

Clarification on functional cookies (which do not require consent)

The BDPA confirms the general rule that consent is required for all types of cookies (and similar technologies for storing information or accessing information already stored on a user's device), with the sole exception of cookies that are 'strictly necessary'.

It also expressly clarifies that this exception applies both to cookies that are absolutely necessary to provide a service explicitly requested by a user (e.g. cookies that make it possible to store the contents of a shopping cart, or cookies that guarantee the security of a banking application) and to cookies that are absolutely necessary to send a message via an electronic communication network (e.g. performance- and load-balancing cookies, provided that they are analysed on an anonymous basis).

Other examples of functional cookies are the following:

  • Cookies activated by the user and set for the duration of a session, which are used to keep track of the information entered by the user when filling in multipage online forms;
  • Authentication cookies used for authenticated services (e.g. a website offering online banking), for the duration of a session;
  • User-centric security cookies that are intended to improve the security of the service that the user has expressly requested and that are used in particular to detect unlawful authentication, for a repeated limited period of time;
  • Session cookies created by a media player, such as flash player cookies, for the duration of a session; and
  • User interface customization cookies (such as language preference or result display cookies), for the duration of a session (or slightly longer).

Cookies that do require consent

The BDPA confirms that analytical or statistical cookies (such as audience measurement cookies) cannot be qualified as 'strictly necessary' and therefore require consent. Please note however that some other EU countries (such as the Netherlands) have extended the consent exemption to cover statistical cookies as well. This is not the case in Belgium.

The BDPA also briefly discusses social media plug-ins. By using social media plug-ins, website designers can easily add features to their web pages to share the content of their website on social platforms. However, in the BDPA’s view, the source code of such plug-ins uses cookies that enable social platforms to track internet users very easily, even if those users do not have an account on these platforms. Therefore, the user's consent must be obtained before such plug-ins are placed.

Requirements for valid consent

In order to obtain valid consent for non-functional cookies, it is generally known that consent must be actively given prior to placing or reading cookies, and that such consent must be informed, free and specific.

In the cookies guidance, some of these requirements are now further clarified:

  • No valid consent on the basis of 'further browsing'. It was already mentioned in the Guidelines on Direct Marketing of January 2020 and is now also explicitly included in the cookies guidance: consent cannot be validly obtained on the basis of 'further browsing', as this cannot be qualified as active consent;
  • Informed consent. The user must be informed of the identity of the data controller, the purposes of each cookie, what data it collects and its storage duration, his/her rights pursuant to the GDPR, and more in particular the right to withdraw consent at any time;
  • No cookie walls. When a user refuses cookies, he/she cannot be exposed to any negative consequences and should still be able to access the website. Consent can also not be sought in exchange for a 'benefit' or 'reward' (which is however – in our view – debatable);
  • Layered specific consent. Until now, there was uncertainty as to whether consent per type of cookie was sufficient or whether cookie-per-cookie consent was required in order to comply with the requirement of specific consent. The BDPA now expressly confirms that the GDPR does not require cookie-per-cookie consent. Nevertheless (and even though this seems somewhat contradictory), it also states that in the first layer of information, consent per cookie type is sufficient, but that in the second layer of information, the user must be given the option to give cookie-per-cookie consent in a granular manner; and
  • No valid consent on the basis of browser settings. The BDPA clarifies that browser settings currently do not (yet) offer users the option to provide granular cookie consent. A general consent to accept cookies via the user’s browser settings is therefore not sufficiently specific.

Considering the above, cookies consent is preferably collected by way of a consent banner, and that banner should mention (i) the precise identity of the data controller, (ii) the types of cookies used, with the option to give consent per type, (iii) their purpose, (iv) a list of the data they collect, (v) their lifespan, (vi) the right to withdraw consent, and (vii) a hyperlink to the full cookies policy. The banner must be available in all languages of the website, be intelligible taking into account the target audience, and be brought to the users’ attention.

The underlying cookies policy must also be readily available and easy to consult. The policy should contain additional information such as the possibility for third parties to access cookies (and, if applicable, the identity of such third parties), information on how to delete cookies, the legal ground for the processing within the meaning of Article 6 GDPR, information on automated decision-making or profiling based on cookies, etc.
