GDPR Compliance:Belgian DPA's Cookie Guidance on Cookie Consent

• What is a cookie policy?
• What are the different types of cookies?
• What is the Belgian DPA Cookie Guidance?
• What are the key takeaways from the Belgian DPA Cookie Guidance for businesses? 
• How do I obtain valid GDPR cookie consent under the Belgian DPA Cookie Guidance? 

What is a Cookie Policy? 

Under both the GDPR and the ePrivacy Directive, you are required to have a cookie policy on your website that your users can access easily. 

A GDPR-compliant cookie policy should alert website visitors about; 

• The data you collect
• The purposes of collecting their personal information
• How you keep their data secure
• If you share any personal information with third parties
• How you store their personal information
• How they can access, transfer, request modifications, limit the use, or delete their data 

What are the Main Types of Cookies?

 Firstly, a cookie is a text file installed in your hard drive, or specifically, in your browser folder when you access a website. 

There are three primary categories of cookies;

• Session cookies
• Permanent cookies 
• Third-party cookies

Session Cookies 

These are website cookies that expire after your close your browser. Commonly, they are used in e-commerce websites to allow users to continue browsing without losing what is added to a cart. 

Permanent Cookies

This category refers to cookies that remain stored in the user’s device even when the browser is closed. 

However, these cookies must have an expiration date, which is subject to legal enforcement through data privacy regulations such as the GDPR. 

Examples of these cookies are those used to remember your login information and passwords. 

Third-Party Cookies

This type of cookies are installed in a user’s device by third-party websites such as advertisers. 

They collect information about your browsing behavior and allow advertisers to track users across multiple websites. 

What is the Belgian DPA Cookie Guidance? 

In December 2019, the Belgian Data Protection Authority enforced a regulatory fine of 15 thousand Euros on a website that provides legal news in the country. The main reason for this penalty was the company’s illegal use of cookies. 

However, the Belgian DPAs decision was challenged by different stakeholders because there was no clear framework to help businesses comply with GDPR cookie requirements, once the EU’s trendsetting data privacy law came into force. 

In response to the backlash, the Belgian Data Protection Authority announced in January that it was developing a framework that would provide clear guidelines for businesses to meet cookie obligations established by the enforcement of the General Data Protection Regulation (GDPR).

The framework was finalized and published on the Belgian DPAs website as the new Consolidated Cookie Guidance on April 9, 2020. 

What are the Key Takeaways From the Belgian DPA’s Cookie Guidance for Businesses? 

Cookie Consent Requirements

The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in line with GDPR requirements. They include; 

You must seek consent for all non-essential cookies; This requirement also applies to the audience measuring cookies as well as for the use of social media plugins on your website or mobile app. 

The only exemptions are cookies required to transmit messages over an electronic communication network and those used to provide a service requested by the user. 

For cookie consent to be considered valid, it must be informed; You must give users sufficient information about the use of cookies before obtaining their consent. 

The Belgian DPA requires a two-layered approach to achieve this. You need to give users the first notice at the point where they provide their consent. 

The second notice should be a cookie policy, which gives users detailed information about the use of cookies. 

The information you need to provide in your cookie policy includes; 

• The party responsible for the use of cookies
• The purposes of the different types of cookies you have on your website
• The information gathered using cookies
• The expiry date of the cookies

You must allow users to provide granular consent; the Belgian DPA makes it clear, in the initial phase, you must seek consent for every type of cookie. In the second phase, you must allow your visitors to express their consent for each cookie (individually).

Obtaining Unambiguous consent is mandatory; clear and affirmative action is required before the consent you obtain is considered valid under the GDPR. Actions such as mere browsing or scrolling a website or app do not indicate valid cookie consent. 

The Belgian DPA’s Cookie Guidance also makes it clear that you cannot use implied consent from the browser settings of the user as the basis to collect or process their data.

Cookie Walls are Invalid under the GDPR; Some websites deny users access to content in case they do not give consent to the use of cookies and fail to provide an easy way for them to withdraw their consent. This practice is commonly referred to as the use of “cookie walls.”

The Belgian DPA explains that using ‘cookie walls’ is illegal since you are coercing users to provide consent to the use of cookies. 

Users must be allowed to withdraw consent easily

You must offer proof that you obtain valid GDPR cookie consent from your website users. 

In case you obtain user consent using a cookie banner, The cookie guidance requires to ensure that it mentions; 

•  the specific identity of the data controller
•  the types of cookies used, with the option to give consent per type, 
• the purpose of the cookies 
• a list of the data the cookies collect
•  the lifespan of the cookies
•  the right to withdraw consent 
• a hyperlink to the full cookies policy

To learn more about how to obtain valid GDPR cookie consent, Read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.

Transparency Obligations

The Belgian Data Protection Authority directs businesses to alert users about the use of cookies in its Cookie Guidance. 

Specifically, you must have a cookie policy on your website or app. The cookie policy must contain; 

• Your identity and contact details as the data controller, as well as those of your Data Protection Officer (DPO) if you have any 
• Clear identification of the types of cookies you have on your website
• The purpose of the cookies and their expiry period
• Information about whether third-parties have access to the cookies
• The steps to take to delete cookies
•  The legal basis informing the use of cookies 
• Information about users’ data protection rights and their freedom to file a complaint with a reputable Data Protection Authority (DPA).
• Disclosure about any automated decision-making, as well as profiling. 

Under the Belgian DPA cookie guidance, you are required to ensure that your cookie policy is written in simple language that can be easily understood by your users. 

Furthermore, you should make it easily accessible, including the provision of a hyperlink. 

Expiry Period of Cookies 

You must ensure that the lifespan of a cookie is restricted to what is necessary to achieve the cookie’s purpose. Additionally, you must make sure that cookies used on your website do not have an unlimited lifespan. 

The Belgian DPA’s Cookie Guidance further requires you to ensure that cookies that are exempt from consent must be deleted once the purpose for which they are used is achieved.

What this means is that you must delete those cookies at the end of the user’s session

How to Obtain Valid GDPR Cookie Consent under the Belgian DPA’s Cookie Guidance

With Secure Privacy’s GDPR cookie banner (cookie banner examples), you can obtain valid cookie consent from users. Our solution helps you to ensure that:

• You implement a layered approach to seeking and explaining cookie consent to users. With the Secure Privacy cookie banner, Firstly, you can inform users of the need to use cookies and why their consent is vital for their placement. Secondly, our banner also helps you explain to users the different types and analytics tools you are using in your cookie notice.
• You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner ensures that consent is sought for every purpose by giving users choice over the types of cookies to give consent to.    
• You include an opt-in for every type of cookie on your website that is not pre-checked to show user consent
• You provide information on how to withdraw consent for using cookies within your cookie notice and a mechanism to guarantee that your visitors re-affirm their consent after every six months
• You record consents in a way that can show the visitors ability to withdraw
• You have a link to the cookie notice to give users additional information, such as the third parties that will have access to their personal data in case they give consent to the installation of third-party analytics cookie

If you would like to receive additional information on the BDPA’s cookies guidance or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.

Schedule a call to learn more

Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here. 

Additional Resources

Spanish AEPD Cookie Guidelines: The Ultimate Guide

Germany’s DSK

French CNIL Consent Guidelines

The Dutch DPA's Cookie Consent Guidelines

Greek DPA Cookie Consent Guidelines

The ultimate guide to GDPR Cookie Consent Compliance

Top 5 Key Website Legal Requirements To Ensure you Comply with the Law