What are Luxembourg DPA Cookie Guidelines?
Luxembourg National Commission for Data Protection (CNPD) has issued guidelines on cookies and other similar technologies. Learn about it here!
The Luxembourg National Commission for Data Protection (CNPD) has issued guidelines on cookies and other similar technologies. This article explains what the CNPD is and what its cookie guidelines require.
What is CNPD?
The National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg.
It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
What are Luxembourg DPA Cookie Guidelines?
The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on October 26, 2021. The guidelines aim to help website operators and mobile app operators in complying with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
What are the requirements of the Luxembourg DPA Cookie Guidelines?
In order to comply with the Luxembourg DPA cookie guidelines, you must meet the following requirements:
1. There is no need to obtain consent for essential cookies.
It is not necessary to obtain consent for essential cookies. Essential cookies are those that are either (1) used to carry out the transmission of a communication over an electronic communications network or (2) strictly required for the provision of a service explicitly requested by the user.
2. Provide information about the use of essential cookies.
The guidelines recommend that website operators provide information about the use of essential cookies, for example through a cookie banner. If the use of cookies involves the processing of personal data, you must provide the information required by Article 13 of the GDPR through a cookie policy or a privacy policy.
3. You must obtain consent to use non-essential cookies.
Website operators must obtain prior consent before placing non-essential cookies on their users' devices. These cookies include tracking and profiling cookies, targeted advertising cookies, geolocation tracking cookies, and social media plugins (e.g., a "like" button), provided that the plugin relies on cookies.
4. You cannot use dark patterns for obtaining consent.
You must avoid deceptive practices that mislead your users about your privacy practices and influence their choices. The following practices must be avoided:
- Using different forms or sizes of consent buttons (for example, a large "Accept" button and a small "Reject" button);
- Using different font sizes for the Accept and Reject buttons;
- Using different colors for the Accept and Reject buttons;
- Using different contrasts (for example, the "I accept" button has a high contrast and is easily visible, whereas the "I reject" button has a low contrast and is barely visible).
This requirement is consistent with the cookie guidelines of several other EU member DPAs, which also require website operators and mobile application operators to present users with a cookie banner that includes accept and refuse buttons of the same size, emphasis, and color.
5. Withdrawing consent must be as easy as giving it.
The data subject must be able to withdraw their consent at any time and as easily as they gave it. This means that if consent can be granted with a single click, it should be equally simple to withdraw.
6. You must request consent again 12 months after obtaining the first consent.
According to the Luxembourg DPA, the period for which a user's consent choice is retained should not exceed 12 months, after which the user's consent must be requested again.
If the consent period has not expired, the CNPD recommends not requesting consent from the individuals concerned again, unless there has been a significant change in the data processing in question (e.g., a change of advertising partner, a modification of the categories of data collected via cookies, a modification of the destination countries, a modification of a processing purpose, etc.).
Consent may also be requested again if the user changes terminals (uses a different device) or deletes the cookies used to record the collection of consent.
7. Have a two-layered cookie banner.
You must obtain freely given, informed, unambiguous and specific consent for the use of non-essential cookies. The guidelines recommend using a two-layered cookie banner to provide the necessary cookie information.
- First layer of information
The first layer of information is generally provided by a cookie banner or a pop-up which also contains a link to the more detailed second layer.
The first layer should include information about the cookies, their purposes, who is responsible for them (first party, third party, or both), how cookies can be accepted and refused, how consent can be withdrawn at any time, and the consequences of refusing consent, among other things.
The first layer also includes options such as "accept all" and "reject all."
- Second layer of information
The second layer, which is commonly referred to as a cookie policy, should be accessible through the first layer. The following information must be provided to the users through the cookie policy:
- Technical information about cookies and detailed information about their purposes
- A precise and exhaustive list of responsible parties
- The categories of data collected via cookies
- The data recipients
- The lifespan of the cookies and the data retention periods
- Data transfers to third countries
- Existence of automated decision-making including profiling, if applicable
See GDPR-compliant cookie banner examples.
How to Comply with the Luxembourg DPA’s Consent Guidelines with Secure Privacy
The GDPR compliance solution from Secure Privacy includes enterprise-level features such as:
- Advanced ongoing website scanning with our unique GDPR cookie scanner, which detects all cookies and trackers on your website and prevents the deployment of third-party cookies until consent is given
- Cross-domain consent, which allows you to manage your data subjects' cookie consent preferences in a single step across multiple domains
- GDPR cookie consent banners that are highly customizable and stylish, allowing your users to easily opt-in or withdraw their cookie consent, as well as manage their preferences
- A privacy policy generator that allows you to automatically create a customized cookie notice for your company.
- Real-time logs and consent tracking, so that you keep retrievable records of your data subjects' consent status if requested by Data Protection Authorities (DPAs)
- Support for 70+ languages, so you can present your cookie consent banner in the language of your target users
- Future-proof cookie consent compliance solution that supports California’s CCPA, Brazil’s LGPD, and other upcoming data privacy regulations globally.
Book a 30-min call today and get a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy from a data privacy expert.
Additional Resources
Luxembourg DPA Official Website (CNPD)
Luxembourg DPA Cookie Guidelines (available in French)
Check out the other Cookie Consent Guidelines from other European Data Protection Authorities to see if you need to comply with them too:
- Belgian Data Protection Authority (DPA) Cookie Consent Guidance
- Irish Data Protection Commission (DPC) Cookie Consent Guidance
- French CNIL Consent Guidelines
- Spanish AEPD Cookie Guidelines
- DSK Germany Cookie Guidelines
- Swedish Datainspektionen Consent Guidelines
- Italian DPA Cookie Guidelines
- Danish DPA Cookie Guidelines