Cookies: Belgian Privacy Commission publishes official guidance

Almost one year after the publication of the draft version, the Belgian Privacy Commission has recently issued the final version of its recommendation regarding the use of cookies (available in Dutch and in French).

The extensive document (over 70 pages), covering both technical and legal aspects, constitutes the first official guidance by a Belgian authority on the use of cookies.

In accordance with the opt-in rule, introduced by the revised ePrivacy Directive in 2009 and transposed into Belgian law by an amendment of the Act on Electronic Communications in 2012, cookies (and similar technologies) can only be stored and accessed on a user's device after having obtained the informed consent of this user.

However, in two cases cookies are exempted from this informed consent requirement:

  1. when the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  2. when they are strictly necessary in order to provide the user with a service s/he has explicitly requested.

These rules have not always been easy to implement in practice and therefore this recent recommendation may provide useful guidance to website owners and other stakeholders.

Some key points of the recommendation relating to (1) the information obligation, (2) the consent requirement and (3) the exemptions are summarized below.

1. Information obligation

Users should be provided with a clear, comprehensible and visible notice on the use of cookies. This notice should provide a link to a more detailed cookie policy.

The cookie policy should be accessible from, and referred to on, every page of a website.

The information should cover the following elements:

  • the purposes for which the different types of cookies are stored or accessed;
  • the categories of saved information;
  • the storage terms;
  • how to erase the information;
  • means to object to the processing;
  • the communications, if any, to third parties.

The Privacy Commission stresses that if the data controller does not respect its cookie policy, it may be subject to sanctions based on the Privacy Act and consumer legislation.

2. Obtaining consent

The Privacy Commission calls for a granular approach, giving users the possibility to accept all or only certain types of cookies. Moreover, users should be able to change their choices at all times.

Consent can be given through an affirmative action of the user (e.g. clicking or checking a box) from which the consent can be inferred unambiguously.

It is explicitly stated that "further browsing" can qualify as a valid consent provided that:

  • the notice regarding the use of cookies is clearly visible on the homepage in such a manner that it cannot be missed;
  • the notice has to state explicitly that further browsing on the website can be construed as consent;
  • the notice remains visible as long as the user has not continued browsing the website.

However, a lack of action cannot be interpreted as a valid consent.

Once consent has been obtained it is not required to ask the user's consent again for the storing of a cookie with the same purpose and originating from the same provider. However, the validity of the consent should be limited in time, especially when the consent was obtained implicitly or relates to tracking cookies.

The Privacy Commission advises against the use of pop-ups due to their obtrusive nature and provides several examples of means to validly obtain consent from visitors, such as banners (provided an affirmative action of the visitor is required in order to proceed with his/her visit of the website) and tick boxes.

Visitors should at all times be able to easily withdraw their consent. Upon withdrawal the cookies and data collected through the cookies shall be deleted from the devices of the users by the data controller. In case this is not possible, the privacy policy of the data controller should clearly describe how the user can delete the information himself.

3. Exemptions

The recommendation also sheds some light on the exemptions by illustrating the two categories with examples and by giving examples of non-exempted cookies. Unless stated otherwise all these examples relate to session cookies.

Examples of cookies exempted according to the first criterion (i.e. cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network) are:

  • cookies used to detect the origin of the users and how they visit a website, provided they are analyzed anonymously. However, it should be noted that the Privacy Commission explicitly states that first party analytic cookies do not fall within the scope of this exemption;
  • load balancing session cookies provided they are only analyzed anonymously.

The following cookies are exempted according to the second criterion (i.e. strictly necessary cookies for providing a service the user has explicitly requested):

  • user input cookies;
  • authentication cookies that are necessary for authenticated services;
  • user centric security cookies, e.g. the data necessary for securing a service the user has explicitly requested;
  • multimedia content player cookies;
  • user interface customization cookies, for the duration of a session (or slightly more if additional information is provided).

Finally, the Privacy Commission explicitly states that no exemption exists for the following types of cookies:

  • tracking cookies of social network plug-ins;
  • advertising cookies.

It is important to note that apart from the abovementioned cookie rules the general rules of the Privacy Act (e.g. regarding the purpose limitation principle, the transfer of personal data to third countries, the data subject's rights, etc.) will generally also apply taking into account the fact that most cookies constitute personal data.

See also: DLA Piper LLP (Mr. Patrick Van Eecke, Mr. Mathieu Le Boudec)
