The Data Protection Authority (BE DPA) has published its long-awaited stance on the use of cookies by way of a checklist (in French or Dutch). Additionally, it has also announced an update of its cookie information.
The BE DPA starts by emphasising that the checklist contains no new obligations. Strictly speaking, this is correct as the relevant regulations have not been changed. However, the BE DPA has now taken a specific stance regarding several issues that are subject to debate in practice.
In addition, the BE DPA also emphasises that this checklist is not exhaustive. So even if you can tick off the entire checklist, you may still be sanctioned.
It clarifies that the checklist applies to both "cookies", and other similar technologies (e.g., tracking pixels).
The principle: consent required except for strictly necessary cookies
The BE DPA confirms the principle of obtaining free and informed consent when processing cookies.
The above, by exception, does not apply to so-called "strictly necessary cookies". The checklist gives some examples of cookies that can be considered strictly necessary. On the one hand, these include technical cookies, for example, cookies that distribute information across networks ("load balancing") and on the other hand functional cookies that reveal, for example, language preferences, cookie preferences or the content of a shopping cart.
Unfortunately, the BE DPA does not provide many examples of strictly necessary cookies. After all, it is not always clear exactly which cookies are "necessary". For instance, there exists disagreement within the EU about the qualification of analytical cookies.
On cookie walls, the placement of a decline button and deceptive design
Subsequently, the BE DPA addresses some known practices that threaten "free" consent and consequently lead to an invalid consent. The BE DPA, unlike authorities in other European countries, takes the view that cookie walls (i.e., requiring consent for cookies as a condition for accessing services and functionalities) are prohibited.
The BE DPA also requires the provision of a "reject all cookies" button at the same level as the "accept all cookies" button. Not all European national data protection authorities approved of this.
Finally, it is not allowed to apply 'deceptive design'. This includes, for example, using colours to highlight the acceptance button or possibly modifying the shape of the decline button to make it less readable. A good practice is to put both the button to accept all cookies and the button to reject all cookies in the same colour and layout. However, the BE DPA does not comment on whether this should also be the case for the button to choose your cookie preferences.
Be as specific as possible
To obtain specific consent, the BE DPA indicates a few more requirements. For example, you must, at the latest in the second layer of the cookie banner, provide the option of granting or withholding permission for each target. There is much disagreement about the subdivision and naming of the categories, but the BE DPA provides no clarity on this.
The BE DPA reiterates its position from its direct marketing recommendation (French or Dutch) that separate consent must be obtained regarding the use of cookies for in-house advertising, profiling and third-party use. Moreover, consent must be capable of being given by a third party.
Cookie banner packed with information
The GBA requires that website visitors are immediately informed in the first layer of the cookie banner about the purposes for which consent is requested.
In addition, that first layer must include information about the companies responsible for the cookies. For third parties who place cookies, it is sufficient to mention some of these third parties with a link to the complete list. There also needs to be an explanation of how cookies can be accepted or refused, what the consequences are, that consent can always be withdrawn and how to do so.
Another layer of the cookie banner should contain a complete list of all cookies used, divided by category, indicating their purpose, duration and recipients. The BE DPA apparently feels that merely being able to read this information in a cookie policy is not enough.
Consent must be actively given
The BE DPA confirms that cookie banners stating "by continuing to browse, you agree to our use of cookies" are not permitted.
In addition, pre-ticked boxes are not allowed either, consent may not be linked to acceptance of general terms and conditions, nor may it be derived from the website visitor's browser settings.
Easy withdrawal of consent
The company must provide a means to easily withdraw consent. Withdrawing consent should be as easy as giving it. This can be by way of a button or link that manages the cookie settings and allows the website visitor to withdraw consent with one click. A previous decision of the litigation chamber at the BE DPA stated that this button or link is best placed at the top of the cookie policy.
Responsible use
Next, the BE DPA states that you may only keep cookies for tracking cookie preferences for a limited period of time. In practice, this has an impact as to when you must ask permission again (after consent) or may ask permission again (after refusal). The BE DPA argues that 6 months is reasonable for this, following previous views of other authorities.
Companies must also be able to demonstrate how their banners and cookie policies have been modified over time and provide their cookie policies with a date and version number.
Strict guidelines for cookie use
It should be clear that, compared with other authorities within the EU, the BE DPA is strict about cookies and similar technologies. Putting your cookie banner and policies in order should therefore be a priority. After all, the BE DPA also announced inspections in this regard.
These five rules of thumb can help you get your cookie policy right:
- Minimise the number of cookies and similar technologies. In practice, we find that many companies do little with the data they get from cookies. By focusing only on necessary cookies, you also limit the company's liability.
- Use sufficient checkboxes. After all, active consent must be requested.
- Don't mislead. Do not give the impression that you are trying to mislead visitors to your website by presenting an illegible cookie banner.
- Demonstrate that you know which cookies and similar technologies are on your website. A website is a company's digital billboard. Mistakes are visible as a result, even to the authorities. Therefore, thoroughly vet each cookie you place on your website.
- Be careful with American cookies. When you use American cookies, such as Google Analytics, there is usually also a transfer of data. We previously wrote about this in this newsflash.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.