GDPR Compliance: Belgian DPA's Cookie Guidance on Cookie Consent
In this article we explore the key takeaways from the Belgian DPA Cookie Guidance for businesses.
In April 2020, the Belgian Data Protection Authority (BDPA) released new consolidated cookie guidance for GDPR compliance by businesses.
The Belgian DPA’s cookie guidance incorporates recent developments in the GDPR cookie consent requirements, such as the ruling of the Court of Justice of the European Union (CJEU) in the case involving the German company Planet49.
In this article, we explore:
- What are the different types of cookies?
- What is the Belgian DPA Cookie Guidance?
- What are the key takeaways from the Belgian DPA Cookie Guidance for businesses?
- How do I obtain valid GDPR cookie consent under the Belgian DPA Cookie Guidance?
- The data you collect
- The purposes of collecting their personal information
- How you keep their data secure
- If you share any personal information with third parties
- How you store their personal information
- How they can access, transfer, request modifications, limit the use, or delete their data
What are the Main Types of Cookies?
First, a cookie is a text file stored on your hard drive, specifically in your browser folder, when you access a website.
There are three primary categories of cookies:
- Session cookies
- Permanent cookies
- Third-party cookies
Session cookies are website cookies that expire after you close your browser. They are commonly used on e-commerce websites to allow users to continue browsing without losing what they have added to a cart.
Permanent cookies are cookies that remain stored on the user’s device even when the browser is closed.
However, these cookies must have an expiration date, which is subject to legal enforcement through data privacy regulations such as the GDPR.
Examples of these cookies are those used to remember your login information and passwords.
Third-party cookies are installed on a user’s device by third-party websites such as advertisers.
They collect information about your browsing behavior and allow advertisers to track users across multiple websites.
What is the Belgian DPA Cookie Guidance?
However, the Belgian DPA’s decision was challenged by different stakeholders because there was no clear framework to help businesses comply with GDPR cookie requirements once the EU’s trendsetting data privacy law came into force.
In response to the backlash, the Belgian Data Protection Authority announced in January that it was developing a framework that would provide clear guidelines for businesses to meet cookie obligations established by the enforcement of the General Data Protection Regulation (GDPR).
The framework was finalized and published on the Belgian DPA’s website as the new Consolidated Cookie Guidance on April 9, 2020.
What are the Key Takeaways From the Belgian DPA’s Cookie Guidance for Businesses?
Cookie Consent Requirements
The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in line with GDPR requirements. They include:
You must seek consent for all non-essential cookies. This requirement also applies to audience-measuring cookies as well as to the use of social media plugins on your website or mobile app.
The only exemptions are cookies required to transmit messages over an electronic communication network and those used to provide a service requested by the user.
The Belgian DPA requires a two-layered approach to achieve this. You need to give users the first notice at the point where they provide their consent.
- The purposes of the different types of cookies you have on your website
- The information gathered using cookies
- The expiry date of the cookies
You must allow users to provide granular consent. The Belgian DPA makes it clear that, in the initial phase, you must seek consent for every type of cookie. In the second phase, you must allow your visitors to express their consent for each cookie individually.
Obtaining unambiguous consent is mandatory. A clear and affirmative action is required before the consent you obtain is considered valid under the GDPR. Actions such as merely browsing or scrolling a website or app do not indicate valid cookie consent.
The Belgian DPA’s Cookie Guidance also makes it clear that you cannot use implied consent from the browser settings of the user as the basis to collect or process their data.
Users must be allowed to withdraw consent easily.
You must offer proof that you obtain valid GDPR cookie consent from your website users.
If you obtain user consent using a cookie banner, the cookie guidance requires you to ensure that it mentions:
- the specific identity of the data controller
- the types of cookies used, with the option to give consent per type,
- the purpose of the cookies
- a list of the data the cookies collect
- the lifespan of the cookies
- the right to withdraw consent
- a hyperlink to the full cookies policy
To learn more about how to obtain valid GDPR cookie consent, read our blog for a simplified breakdown of the latest EDPB Cookie Consent Guidelines: https://secureprivacy.ai/blog/gdpr-cookie-consent-the-latest-edpb-guidelines-on-cookie-walls
- Your identity and contact details as the data controller, as well as those of your Data Protection Officer (DPO) if you have any
- Clear identification of the types of cookies you have on your website
- The purpose of the cookies and their expiry period
- Information about whether third-parties have access to the cookies
- The steps to take to delete cookies
- Information about users’ data protection rights and their freedom to file a complaint with a reputable Data Protection Authority (DPA).
- Disclosure about any automated decision-making, as well as profiling.
Furthermore, you should make it easily accessible, including the provision of a hyperlink.
Expiry Period of Cookies
You must ensure that the lifespan of a cookie is restricted to what is necessary to achieve the cookie’s purpose. Additionally, you must make sure that cookies used on your website do not have an unlimited lifespan.
The Belgian DPA’s Cookie Guidance further requires you to ensure that cookies that are exempt from consent must be deleted once the purpose for which they are used is achieved.
What this means is that you must delete those cookies at the end of the user’s session.
How to Obtain Valid GDPR Cookie Consent under the Belgian DPA’s Cookie Guidance
With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:
- You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner ensures that consent is sought for every purpose by giving users choice over the types of cookies to give consent to.
- You include an opt-in for every type of cookie on your website that is not pre-checked to show user consent
- You provide information on how to withdraw consent for using cookies within your cookie notice and a mechanism to guarantee that your visitors re-affirm their consent every six months
- You record consents in a way that can show the visitors’ ability to withdraw
- You have a link to the cookie notice to give users additional information, such as the third parties that will have access to their personal data in case they give consent to the installation of third-party analytics cookies