The Electronic Communications Act of 13 June 2005 was recently amended in order to implement, amongst other provisions, the new European rules on the use of cookies, thereby making the use of cookies subject to prior consent. The new rules entered into force on 4 August 2012.
1. Definition of cookies
Cookies are small files placed on a subscriber's or user's computer which allow information about the user to be gathered. Cookies are typically used by e-commerce websites in order, for example, to remember certain user settings, such as language, or make the website more user-friendly (e.g. the content of a shopping cart will remain available when the user leaves the webpage).
Cookies can also be used for a variety of other purposes, such as monitoring the user's internet behaviour in order to send targeted advertisements (so-called behavioural advertising) or for analytical purposes (e.g., analysis of the most visited pages on a website, the success of an advertising campaign, etc.).
2. Previous rules
Until 4 August 2012, the Electronic Communications Act ("ECA") provided that the storage of and access to information (e.g., using cookies) on a subscriber's or user's computer were only allowed if:
- the user was provided with information about the use and purpose of the cookies, pursuant to general data protection legislation; and
- the user was given an opportunity to block cookies.
In accordance with these rules, many companies included in their website's privacy statement a provision informing users of the use of cookies and indicating that users could block cookies by modifying their browser settings.
3. New rules
Following an amendment to the E-Privacy Directive 2002/58/EC, Belgium amended the ECA to incorporate the new rules.
Pursuant to these new rules, the storage of and access to information (e.g., using cookies) on a subscriber's or user's computer are now subject to the following conditions:
- the subscriber or user has been informed of the use of cookies and the purpose of such use, in accordance with general data protection legislation; and
- the subscriber or user has given his or her consent to allow cookies, after having received the abovementioned information.
The subscriber or user must also have the possibility to further block cookies in a user-friendly way.
It is not clear how the new consent rules can be implemented in practice in a way that is satisfactory to both businesses and regulators. In an opinion on the draft amendment to the ECA, issued on 21 March 2012, the Privacy Commission refers to the use of pop-up screens that request users to consent to the use of cookies before they are allowed to access a website. Whilst this technique certainly meets the requirements of the revised ECA, it makes web navigation less friendly. The regulators are expected to provide further guidance on this issue in the near future.
4. Exceptions to consent
The amended ECA provides that the subscriber's or user's prior consent is not necessary in two situations:
- the cookies are used for the sole purpose of transmitting a message over an electronic communications network; or
- the cookies are strictly necessary in order to provide an information society service expressly requested by the user.
In an opinion of 7 June 2011, the Article 29 Working Party (a European advisory group composed of representatives from national data protection authorities in the EU) commented on these two exceptions and concluded that, provided certain requirements are met, a series of cookies can benefit from the exceptions (e.g. session cookies that keep track of the content of a shopping cart, identify the user after he or she has logged in, or store a user's preferred settings such as language).
The Working Party is also of the opinion that certain cookies cannot benefit from the consent exceptions, mainly third-party advertising and analytical cookies, such as Google Analytics. For these types of cookies, prior consent will still be necessary.
5. Implementation
The new rules entered into force on 4 August 2012. The amended ECA does not provide for a transition period, meaning websites should, in principle, have complied with the new rules since the above date. It is not yet clear whether, in practice, regulators will give businesses a reasonable period of time within which to amend their practices. More information should be available in the near future.