Privacy & Information Security Law Blog

On April 9, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released guidance and a set of frequently asked questions (“FAQs”) regarding the use of cookies and other tracking technologies.

Key takeaways from the Belgian DPA’s guidance and the FAQs include:

• Transparency: Users must be informed about the use of cookies. In particular, a cookie policy should be posted on the relevant site or mobile app, and should contain information about the identity and contact details of the data controller and the data protection officer (if any). Additionally, a cookie policy should provide:
  • identification of the (types of) cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis(es) relied upon for the use of cookies (i.e., consent for non-essential cookies and the legitimate interest of the data controller for the use of essential and functional cookies);
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority; and
  • information about any automated decision making, including profiling.

The cookie policy should be drafted in a language that is understandable to the site’s or mobile app’s audience and it should be easily available to users, such as via a hyperlink.

• Consent:
  • Consent should be obtained for the use of all non-essential cookies. Cookies that are necessary to transmit a communication over an electronic communications network or to provide an information society service requested by the subscriber or user do not require consent. According to the Belgian DPA, audience measuring cookies are not exempt from the consent requirement under the current legal framework. The Belgian DPA also confirms in its guidance that consent is required for the use of social media plug-ins on a site or mobile app.
  • To be valid, consent must be informed. The Belgian DPA clarifies that prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies. The Belgian DPA suggests that such information should be provided in two phases (i.e., a first notice at the time users provide their consent and a second, more detailed notice in the form of a cookie policy). According to the Belgian DPA, users must be provided with the following information when consenting to the use of cookies: (1) the entity responsible for the use of cookies; (2) the cookies’ purposes; (3) the data collected through the use of cookies; and (4) their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent.
  • Users must have the option to provide granular consent. In this respect, the Belgian DPA notes that in a first phase, consent can be provided per type of cookie. In a second phase, users should be able to express their consent per cookie (i.e., individually).
  • The use of so called “cookie walls” (i.e., consent solutions which prevent users who do not consent to the use of cookies from accessing a site or mobile app) is unlawful as the consent obtained through cookie walls is not freely given and is, therefore, invalid.
  • Companies must be able to demonstrate that consent was collected, e.g., by using logs.
  • Consent must be unambiguous and provided through a clear affirmative action. Merely continuing to browse a site or mobile app, or scroll down the page of a site or mobile app can no longer be considered valid consent. Similarly, consent cannot be deduced from the user’s browser settings.
  • Consent should be easy to withdraw at any time.

• Cookie Lifespan: The lifespan of a cookie must be limited to what is necessary to achieve the cookie’s purpose and cookies should not have an unlimited lifespan. Where it is not possible to delete the cookie and related data within a reasonable time (e.g., because it is not technically possible), it should be clearly explained to users how they can delete those cookies themselves (such as via their browser settings). According to the Belgian DPA, cookies that are exempt from consent (i.e., necessary and functional cookies) must be deleted once the purpose for which they are used is achieved. Typically, this means that those cookies should be deleted at the end of the user’s session. If that is not the case, the data controller should determine the cookie’s lifespan taking into account users’ reasonable expectations (e.g., users that place items in their shopping baskets and that accidentally close their session would typically expect those items to still be in their basket a few minutes after closing the session). Users can also specifically ask that some of their information is memorized from one session to another, which requires the use of persistent cookies.

Read the Belgian DPA guidance materials and FAQs (in French).