On 17 December 2019, the litigation chamber of the Belgian Data Protection Authority (DPA) issued a decision with valuable insights on how to get valid consent for your cookies, pursuant to Articles 6 (1) (a) of the General Data Protection Regulation (GDPR) and 5 (3) of the ePrivacy Directive 2002/58/EC as implemented into Belgian law by Article 129 of the Electronic Communications Act of 13 June 2005.
In essence, your website should display a cookie banner that clearly details what each type of cookie is used for (e.g. marketing, necessary and/or statistical cookies) and requires the user to take a specific action, such as ticking a box, to place the remaining cookies. For the avoidance of doubt, pre-ticked boxes are not permitted anymore, which is consistent with the landmark judgement rendered on 1st October 2019 by the European Court of Justice in the case Planet49 (C‑673/17). Also, the website users must have been provided with clear and comprehensive information, inter alia, about the duration of the operation of cookies and whether or not third parties may have access to those cookies.
Furthermore, the DPA found that, generally speaking, website user’s consent is required for “first-party analytics cookies”, i.e. cookies set by the website operator for statistical purposes. According to the DPA, these cookies do not benefit from the “strictly necessary” cookie consent exemption, i.e. the cookie is used to provide a service the user has explicitly requested.
Finally, in the case at stake, despite some improvements made since the start of the case, the website operator still failed to demonstrate sufficient compliance with the transparency and information requirements set out in Articles 12 and 13 of the GDPR. Its privacy and cookies statements remained insufficiently clear, notably as regards the data subject’s right to withdraw their consent at any time as well as the absence of complete versions in Dutch and French, which are the languages of the targeted Belgian audience.
This continued negligence was taken into account when the DPA decided to impose an administrative fine of 15k EUR (based on the annual turnover of 1,700k EUR of the preceding financial year), pursuant to Article 83 of the GDPR.
The decision (in Dutch) of the DPA (N° 12/2019) can be found on: