A guide to the Belgium’s Data Protection Authority cookie guidance

The uncomfortable truth is that most people (including website owners and website visitors) do not actually like cookie consent banners. However, cookie consent banners exist to comply with privacy laws that require user consent prior to that user being tracked online. Since so many websites do not properly obtain consent for cookies, Belgium’s Data Protection Authority has released comprehensive cookie guidance to ensure that businesses comply with the law. In this blog post, we will review the guidance and provide you with simple and easy-to-understand tips to ensure that you properly obtain consent for cookies on your website. 

What are cookies? 

Cookies are snippets of code that are placed on a user’s device (e..g computer, phone, tablet) and are used to collect and store information about how an individual behaves online. Cookies can be used for a variety of purposes including determining how an individual interacts with a website (analytics), advertisements, login screens or shopping carts. Cookies can also be used for security purposes, load balancing purposes or to enable the use of a video player. Cookies generally have the following classifications: 

1. Necessary cookies: cookies that enable the use of the website. Without these cookies, the website or its core features would not function. 
2. Functional cookies: cookies that are used to allow a website to remember the choices that you have made (e.g. language preferences). Without these cookies, the website would still function. 
3. Marketing and advertising cookies: cookies that allow for the tracking of online activity to provide advertisements (e.g. Facebook Pixel). Without these cookies, the website would still function. 

How can you avoid a cookie consent banner? 

If you are not a fan of having a cookie consent banner but would still like to avoid privacy fines, there are a few ways in which you can avoid having the banner on your website: 

1. Do not place any cookies or trackers on your website; 
2. Place only absolutely necessary cookies on your website (e.g. cookies that allow a user’s shopping cart to be stored or cookies that aim to ensure the security of your website) as these cookies do not need consent; 
3. Only use cookies that are absolutely necessary to send a communication via an electronic communications network (e.g. cookies to ensure load balancing). 

However, if you plan on using functional or marketing and advertising cookies, you will need to obtain consent from the user prior to placing those cookies on the user’s device and will need a cookie consent banner to do so. 

How do you obtain proper consent for cookies? 

To meet the requirements of privacy laws, you must obtain consent prior to the placement of functional or marketing and advertising cookies on the user’s device. The following lists the elements of proper consent: 

• Consent must be informed – the user must receive information on the types of cookies that will be placed on their device, where they are coming from, and what they will be used for; 
• The user must be presented with a real choice – the user must be able to accept or refuse each cookie (meaning that you must have an “accept” and a “refuse” button; 
• Consent must be specific – users must be able to provide or decline their consent for each cookie that you would like to place on the user’s device; 
• Consent must be able to be withdrawn – users have the right to withdraw their consent to cookies at any time, even if they have previously provided their consent for that cookie. 

Belgium’s Data Protection Authority tips for cookie consent 

The Data Protection Authority has provided the following tips to inform businesses of their cookie consent banner obligations: 

• Do not use cookie walls – a cookie wall requires users to agree to all cookies in order to use the website; 
• Do not use deceptive design techniques to trick users into accepting cookies; 
• Avoid using the same cookie for several purposes; 
• Provide the most specific reasons possible for the use of each cookie; 
• Inform users of their right to withdraw their consent to the cookies and provide information as to how users can exercise this right. Withdrawing consent should be as easy as it was to provide it. Place a clearly visible button or link to allow users to withdraw their consent; 
• When an individual withdraws their consent, those cookies should no longer be placed on their device in the future; 
• Do not infer consent from the closing of the banner, continued usage of the website or any inactivity – consent must be demonstrated through a clear, affirmative action; 
• Do not derive consent from the browser settings of a website visitor; 
• Cookies should be placed on the website visitor’s device for approximately 6 months or less; 
• Retain previous versions of your Cookie Policy; 
• Ensure that the cookie consent banner controls all cookies on your website and that no cookies fire without those cookies being controlled by the cookie consent banner. 

Since most website owners use a third party cookie consent banner to obtain consent, it is crucial that you perform due diligence to ensure that the cookie consent banner that you will be using meets all of the criteria above as the website owner is the one who will ultimately be held responsible for non-compliance.