What are Luxembourg DPA Cookie Guidelines?
Luxembourg National Commission for Data Protection (CNPD) has issued guidelines on cookies and other similar technologies. Learn about it here!
Luxembourg National Commission for Data Protection (CNPD) has issued guidelines on cookies and other similar technologies. This article explains what the CNPD is and what are their cookie guidelines requirements.
What is CNPD?
The National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg.
It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
What are Luxembourg DPA Cookie Guidelines?
The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on October 26, 2021. The guidelines aim to help website operators and mobile app operators in complying with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
What are the requirements of the Luxembourg DPA Cookie Guidelines?
In order to comply with Luxembourg DPA cookie guidelines, you must ensure to meet the following requirements:
1. There is no need to obtain consent for essential cookies.
It is not necessary to obtain consent for essential cookies. Essential cookies are those that are either 1) used to carry out the transmission of a communication over an electronic communications network or 2) are strictly required for the provision of the services explicitly requested by the user.
2. Provide information about the use of essential cookies.
3. You must obtain consent to use non-essential cookies.
4. You cannot use dark patterns for obtaining consent.
You must avoid deceptive practices that mislead your users about your privacy practices and influence their choices. The following practices must be avoided:
- Using different forms or sizes of consent buttons (for example, a large "Accept" button and a small "Reject" button);
- Using different font sizes for the Accept and Reject buttons;
- Using different colors for the Accept and Reject buttons;
- Using different contrasts (for example, the "I accept" button has a high contrast and is easily visible, whereas the "I reject" button has a low contrast and is barely visible).
This requirement is consistent with the cookie guidelines of several other EU member DPAs, which also require website operators and mobile application operators to present users with a cookie banner that includes accept and refuse buttons of the same size, emphasis, and color.
5. Withdrawing consent must be as easy as giving it.
The data subject must be able to withdraw their consent at any time and as easily as they gave it. This means that if consent can be granted with a single click, it should be equally simple to withdraw.
6. You must request consent after 12 months after obtaining the first consent.
According to the Luxembourg DPA, the period of maintaining choice of consent should not exceed 12 months, after which the user's consent must be requested again.
If the consent period has not expired, the CNPD recommends not requesting consent from the individuals concerned again, unless there has been a significant change in the data processing in question (i.e., change of advertising partner, modification of the categories of data collected via cookies, modification of destination countries, modification of a processing purpose, etc.).
Consent may also be requested again if the user changes terminals (uses a different device) or deletes the cookies used to record the collection of consent.
7. Have a two-layered cookie banner.
You must obtain freely given, informed, unambiguous and specific consent for the use of non-essential cookies. The guidelines recommend using a two-layered cookie banner to provide the necessary cookie information.
- First layer of information
The first layer of information is generally provided by a cookie banner or a pop-up which also contains a link to the more detailed second layer.
The first layer should include information about the cookies, their purposes, who is responsible for them (i.e., first-party or third-party or both), how cookies can be accepted and refused, how to withdraw consent at any time, and consequences of refusing consent, among other things.
The first layer also includes options such as "accept all" and "reject all."
- Second layer of information
- Technical information about cookies and detailed information about their purposes
- A precise and exhaustive list of responsible parties
- The categories of data collected via cookies
- The data recipients
- Functioning period of cookies and retention periods
- Data transfers to third countries
- Existence of automated decision-making including profiling, if applicable
See GDPR compliant cookie banner examples.
How to Comply with the Luxembourg DPA’s Consent Guidelines with Secure Privacy
The GDPR compliance solution from Secure Privacy includes enterprise-level features such as:
- Advanced ongoing website scanning with our unique GDPR cookie scanner, which detects all cookies and trackers on your website and prevents the deployment of third-party cookies until consent is given
- Cross-domain consent allows you to manage your data subjects' cookie consent preferences in a single step across multiple domains
- GDPR cookie consent banners that are highly customizable and stylish, allowing your users to easily opt-in or withdraw their cookie consent, as well as manage their preferences
- Real-time logs and consents tracking to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs)
- With 70+ languages supported, you can customize your cookie consent banner in the language of your target users
- Future-proof cookie consent compliance solution that supports California’s CCPA, Brazil’s LGPD, and other upcoming data privacy regulations globally.
Luxembourg DPA Cookie Guidelines (available in French)
Check out the other Cookie Consent Guidelines from other European Data Protection Authorities to see if you need to comply with them too:
- Belgian Data Protection Authority (DPA) Cookie Consent Guidance
- Irish Data Protection Commission (DPC) Cookie Consent Guidance
- French CNIL Consent Guidelines
- Spanish AEPD Cookie Guidelines
- DSK Germany Cookie Guidelines
- Swedish Datainspektionenen Consent Guidelines
- Italian DPA Cookie Guidelines
- Danish DPA Cookie Guidelines
This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.
The Data Protection and Digital Information Bill: Data Privacy Reform in the UK Government
The introduction of Bill 143 to the House of Commons on July 18, 2022, follows the UK Government’s consultation in September 2021. The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit and is a big step towards achieving the planned reform of the UK's data protection framework, with many significant proposed changes for companies to be aware of. To get started, here are some key provisions to consider about this new data protection legislation.
CPRA Guide | Full Text Summary
If you need to comply with the CCPA, you must also comply with the California Privacy Rights Act (CPRA). Here we have the full text of the CPRA. California legislature bodies have written it in legalese, of course, but we added notes at the beginning of each section to help you understand what that specific section is about.