In this article we explore the key takeaways from the Belgian DPA Cookie Guidance for businesses.
In April 2020, the Belgian Data Protection Authority (BDPA) released new consolidated cookie guidance for GDPR compliance by businesses.
The Belgian DPA’s cookie guidance incorporates recent developments in the GDPR cookie consent requirements such as the EU’s Court of Justice (CJEU) ruling in the case involving German company, Planet49.
In this article, we explore:
Explore more privacy compliance insights and best practices
Under both the GDPR and the ePrivacy Directive, you are required to have a cookie policy on your website that your users can access easily.
A GDPR-compliant cookie policy should alert website visitors about;
Firstly, a cookie is a text file installed in your hard drive, or specifically, in your browser folder when you access a website.
There are three primary categories of cookies;
These are website cookies that expire after your close your browser. Commonly, they are used in e-commerce websites to allow users to continue browsing without losing what is added to a cart.
This category refers to cookies that remain stored in the user’s device even when the browser is closed.
However, these cookies must have an expiration date, which is subject to legal enforcement through data privacy regulations such as the GDPR.
Examples of these cookies are those used to remember your login information and passwords.
This type of cookies are installed in a user’s device by third-party websites such as advertisers.
They collect information about your browsing behavior and allow advertisers to track users across multiple websites.
In December 2019, the Belgian Data Protection Authority enforced a regulatory fine of 15 thousand Euros on a website that provides legal news in the country. The main reason for this penalty was the company’s illegal use of cookies.
However, the Belgian DPAs decision was challenged by different stakeholders because there was no clear framework to help businesses comply with GDPR cookie requirements, once the EU’s trendsetting data privacy law came into force.
In response to the backlash, the Belgian Data Protection Authority announced in January that it was developing a framework that would provide clear guidelines for businesses to meet cookie obligations established by the enforcement of the General Data Protection Regulation (GDPR).
The framework was finalized and published on the Belgian DPAs website as the new Consolidated Cookie Guidance on April 9, 2020.
The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in line with GDPR requirements. They include;
You must seek consent for all non-essential cookies; This requirement also applies to the audience measuring cookies as well as for the use of social media plugins on your website or mobile app.
The only exemptions are cookies required to transmit messages over an electronic communication network and those used to provide a service requested by the user.
For cookie consent to be considered valid, it must be informed; You must give users sufficient information about the use of cookies before obtaining their consent.
The Belgian DPA requires a two-layered approach to achieve this. You need to give users the first notice at the point where they provide their consent.
The second notice should be a cookie policy, which gives users detailed information about the use of cookies.
The information you need to provide in your cookie policy includes;
You must allow users to provide granular consent; the Belgian DPA makes it clear, in the initial phase, you must seek consent for every type of cookie. In the second phase, you must allow your visitors to express their consent for each cookie (individually).
Obtaining Unambiguous consent is mandatory; clear and affirmative action is required before the consent you obtain is considered valid under the GDPR. Actions such as mere browsing or scrolling a website or app do not indicate valid cookie consent.
The Belgian DPA’s Cookie Guidance also makes it clear that you cannot use implied consent from the browser settings of the user as the basis to collect or process their data.
Cookie Walls are Invalid under the GDPR; Some websites deny users access to content in case they do not give consent to the use of cookies and fail to provide an easy way for them to withdraw their consent. This practice is commonly referred to as the use of “cookie walls.”
The Belgian DPA explains that using ‘cookie walls’ is illegal since you are coercing users to provide consent to the use of cookies.
Users must be allowed to withdraw consent easily
You must offer proof that you obtain valid GDPR cookie consent from your website users.
In case you obtain user consent using a cookie banner, The cookie guidance requires to ensure that it mentions;
To learn more about how to obtain valid GDPR cookie consent, Read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.
The Belgian Data Protection Authority directs businesses to alert users about the use of cookies in its Cookie Guidance.
Specifically, you must have a cookie policy on your website or app. The cookie policy must contain;
Under the Belgian DPA cookie guidance, you are required to ensure that your cookie policy is written in simple language that can be easily understood by your users.
Furthermore, you should make it easily accessible, including the provision of a hyperlink.
You must ensure that the lifespan of a cookie is restricted to what is necessary to achieve the cookie’s purpose. Additionally, you must make sure that cookies used on your website do not have an unlimited lifespan.
The Belgian DPA’s Cookie Guidance further requires you to ensure that cookies that are exempt from consent must be deleted once the purpose for which they are used is achieved.
What this means is that you must delete those cookies at the end of the user’s session
With Secure Privacy’s GDPR cookie banner (cookie banner examples), you can obtain valid cookie consent from users. Our solution helps you to ensure that:
If you would like to receive additional information on the BDPA’s cookies guidance or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.
Schedule a call to learn more
Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.
Spanish AEPD Cookie Guidelines: The Ultimate Guide
Germany’s DSK
French CNIL Consent Guidelines
The Dutch DPA's Cookie Consent Guidelines
Greek DPA Cookie Consent Guidelines
The ultimate guide to GDPR Cookie Consent Compliance
Top 5 Key Website Legal Requirements To Ensure you Comply with the Law
