



The Luxembourg National Commission for Data Protection (CNPD) has issued guidelines on cookies and other similar technologies. This article explains what the CNPD is and what its cookie guidelines require.
The National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg.
It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
The Luxembourg DPA (CNPD) published its guidelines on cookies and similar technologies (Cookies) on October 26, 2021. The guidelines aim to help website operators and mobile app operators comply with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
To comply with the Luxembourg DPA cookie guidelines, you must meet the following requirements:
1. There is no need to obtain consent for essential cookies.
It is not necessary to obtain consent for essential cookies. Essential cookies are those that are either 1) used to carry out the transmission of a communication over an electronic communications network or 2) are strictly required for the provision of the services explicitly requested by the user.
2. Provide information about the use of essential cookies.
The guidelines recommend that website operators provide information about the use of essential cookies, for example through a cookie banner. If the use of cookies involves the processing of personal data, you must provide information pursuant to Article 13 of the GDPR through a cookie policy or a privacy policy.
3. You must obtain consent to use non-essential cookies.
Website operators must obtain prior consent before placing non-essential cookies on the devices of their users. These cookies include tracking and profiling cookies, targeted advertising cookies, geolocation tracking cookies, and social media plugins (e.g., a “like” button), provided that the plugin is linked to the use of cookies.
4. You cannot use dark patterns for obtaining consent.
You must avoid deceptive practices that mislead your users about your privacy practices and influence their choices. The following practices must be avoided:
This requirement is consistent with the cookie guidelines of several other EU member DPAs, which also require website operators and mobile application operators to present users with a cookie banner that includes accept and refuse buttons of the same size, emphasis, and color.
5. Withdrawing consent must be as easy as giving it.
The data subject must be able to withdraw their consent at any time and as easily as they gave it. This means that if consent can be granted with a single click, it should be equally simple to withdraw.
6. You must request consent again 12 months after obtaining the first consent.
According to the Luxembourg DPA, a user's consent choice should not be retained for more than 12 months, after which the user's consent must be requested again.
If the consent period has not expired, the CNPD recommends not requesting consent from the individuals concerned again, unless there has been a significant change in the data processing in question (e.g., change of advertising partner, modification of the categories of data collected via cookies, modification of destination countries, modification of a processing purpose, etc.).
Consent may also be requested again if the user changes terminals (uses a different device) or deletes the cookies used to record the collection of consent.
7. Have a two-layered cookie banner.
You must obtain freely given, informed, unambiguous and specific consent for the use of non-essential cookies. The guidelines recommend using a two-layered cookie banner to provide the necessary cookie information.
The first layer of information is generally provided by a cookie banner or a pop-up which also contains a link to the more detailed second layer.
The first layer should include information about the cookies, their purposes, who is responsible for them (i.e., first-party or third-party or both), how cookies can be accepted and refused, how to withdraw consent at any time, and the consequences of refusing consent, among other things.
The first layer also includes options such as "accept all" and "reject all."
The second layer, which is commonly referred to as a cookie policy, should be accessible through the first layer. The following information must be provided to the users through the cookie policy: