Freshly baked cookie guidance from Belgian Data Protection Authority

It was announced already in January, but it's finally come out of the oven: new consolidated guidance by the Belgian Data Protection Authority (BDPA) in relation to the use of cookies.

This guidance has been placed on the BDPA's website in its revamped "Cookies" section (French Dutch), and it takes into account various recent evolutions (such as the Planet49 decision of the Court of Justice, as well as the BDPA's decision of 17 December 2019 imposing a fine for unlawful use of non-necessary cookies on a website).

Some of the guidance is already known, but there are a few new elements – and some considerations that seem difficult if not impossible to comply with from a technical perspective.

So what do you need to know?

Valid and prohibited means of obtaining consent

First, the BDPA has made it clear that further browsing is not "active" consent and thus prohibited. This was a long time coming and marks a repeal of a position of the BDPA's predecessor, the Belgian Privacy Commission, according to which further browsing could be a valid means of obtaining consent if various strict requirements in relation to transparency were met. Not every authority in the EU has so far explicitly excluded this means of obtaining consent.

Next, consent cannot be tied to any "advantage" or "reward" (otherwise, consent will not be "freely given"). By the same logic, cookie walls (where access is conditional upon accepting non-necessary cookies) are prohibited.

According to the BDPA, consent for non-necessary cookies must follow a layered approach, first by category of cookies and second by individual cookie:

  • In a first layer (i.e. the cookie banner as made visible to users), the website operator "must […] offer a choice per 'category of cookies' (e.g. audience measurement cookie or cookie for targeted marketing)";
  • On a second layer (e.g. a second view accessible through the cookie banner or a cookie policy page), the website operator must allow the user, "if he/she wishes, to express […] his/her consent individually per cookie".

This second aspect – the idea of allowing to manage consent per individual cookie – will likely give rise to much criticism. For one, the BDPA's own website does not allow this (only allowing the user to give or withdraw consent to "analytics cookies"); moreover, managing consent at an individual level is very complex from a technical perspective. In addition, consent "per individual cookie" will give rise to practical issues, as some cookies work together for related purposes (e.g. Google Analytics places several cookies, such as "_ga" and "_gid", or "__utma" and "__utmz"). If a user gives consent to one of those cookies but not the other, how will the two contradictory choices be reconciled?

Consent cannot be presumed: no non-necessary cookie may be placed or read before consent has been given. This is a repetition of a well-known principle that is often ignored in practice.

In any event, the controller must be able to demonstrate that it has obtained the user's consent prior to placing/reading cookies or other trackers on the user's device. This evidence can be brought by way of logs or other files keeping track of transactions.

What requires consent – and what doesn't

For an authority in a multilingual country, the BDPA appears to adopt a very strict approach to language preference cookies, considering that such cookies, just as any other "persisting cookies for user interface personalisation" require consent if they are not limited to the duration of a browsing session "or a slightly longer duration". This approach is at odds with the position adopted just a few days ago by the Irish Data Protection Commission, which recognised language and country preferences as cookies that did not require consent.

The BDPA provides various other examples of cookies that are exempt from consent only if they are "for the duration of a session" or "for a limited duration" (e.g. load balancing cookies, security cookies to identify "abusive authentications", etc.). In other words, for most cookies that last for more than 24 hours, the BDPA is likely to require consent.

On analytics, the BDPA has not changed its position and requires consent for all analytics cookies, whether first-party or third-party, whether they track individual sessions or aim to aggregate data. This position is understandable, as it is based on the current Belgian legislation relating to cookies. The positions of certain neighbouring countries (e.g. France and the Netherlands), which permit certain forms of analytics without consent, have therefore not made any inroads in Belgium. 

On social media plug-ins, the BDPA states that consent is required before a social media plug-in (e.g. a "share" button) can be activated because "the source code proposed to [web developers] exploits cookies that allow detailed tracking of web users, even if they do not have any account". This position can be seen as extreme, given that some of the cookies are in reality necessary for functionality reasons. At any rate, this position will prompt many organisations to rethink their approach to social media plug-ins – or to select social media plug-ins that limit the risk of tracking. 

What does a cookie banner have to include?

In addition to the information required under the GDPR, the cookie banner or other means of obtaining consent must provide information on (i) the identity of the controller, (ii) the purposes of placing & reading cookies, (iii) the data collected, (iv) the duration of the cookies and (v) the user's right to withdraw consent. 

The information must be visible, comprehensive and brought to the user's attention.

The information must be made available in the language(s) of the website, and in a language that is understandable for the target audience.

What does a cookie policy have to include?

According to the BDPA, a cookie policy must include:

  • The identity and contact details of the controller and, where applicable, its DPO
  • The identification of the various (categories of) cookies used
  • The purpose(s) of processing in the context of the placing and/or reading of those (categories of) cookies
  • The lifespan of cookies
  • The existence of a possibility for third parties – and where applicable which ones – to have access to such cookies
    • It is unclear based on the wording whether the BDPA requires systematic identification of those third parties. Interestingly, the reference to "which ones" is only present in the French version of the BDPA's guidance, not in the Dutch version.
  • The manner in which the user can delete cookies placed on his/her device
  • The legal grounds for the processing under the GDPR ("necessarily" consent for non-necessary cookies according to the BDPA – which therefore considers that consent under the cookie rules must necessarily go with consent under the GDPR; for necessary cookies, the BDPA states that "another legal ground, such as legitimate interests" can be relied upon)
  • The duration of storage of the data collected by way of the various cookies
  • The rights data subjects can invoke, including the right to withdraw consent and other data subject rights under the GDPR
  • The possibility to file a complaint with the BDPA
  • The existence of automated decision-making and, where this is the case, useful information on the underlying logic and the importance and consequences of this processing of the user.

In terms of language, the cookie policy must be made available in the language(s) of the website, and in a language that is understandable for the target audience.

Finally, the cookie policy must be accessible (e.g. by way of a link). In its Direct Marketing recommendation, the BDPA had stated that links in a website footer to a privacy statement or cookie policy are inadequate in terms of transparency. The BDPA did not repeat this in its new cookie guidance, but given the recent nature of the Direct Marketing recommendation (January 2020), this appears to be an oversight. 

By when do you need to comply?

Some of these requirements may seem difficult to implement, in particular the requirement of consent to "individual" cookies. Unlike certain other authorities, the BDPA has not indicated any specific timeframe for compliance, perhaps considering this to be a reflection of existing rules.

Given that this follows both a decision of December 2019 and recommendations of January 2020, we can only advise putting cookies back on the agenda. But whether the BDPA will start enforcing this guidance in the middle of the COVID-19 situation is anyone's guess.