The Belgian Data Protection Authority (“BDPA”) has identified privacy in the digital environment (including cookies) as one of its top priorities for the next five years. This is illustrated by its recent publication of an updated thematic dossier on cookies, which provides practical guidance for companies.
Do we have to follow this thematic dossier?
Yes, it is highly recommended. With a thematic dossier, the BDPA aims to provide clear and targeted information on a specific subject (in this case, cookies). It brings together the recommendations, FAQs and previous statements by the BDPA and other bodies, including the European Data Protection Board (“EDPB”).
What should you do to comply with the new cookie thematic dossier?
Be transparent: update your cookie banner and policy
First level of information: the cookie banner and consent management platform should explain the following in a clear, visible and understandable way:
- The identity of the controller (your company);
- The types of cookie you have installed (e.g. analytical cookies);
- What the cookies do and why you use them (e.g. cookies to measure the audience of a website);
- The option to configure each type of cookie, so that data subjects can consent to or refuse the collection of their data by those cookies;
- The lifetime of the cookies and the data collected.
Second level of information: the cookie policy. The BDPA has now listed all the mandatory sections of the cookie policy, namely:
- The identity and contact details of the controller and, if applicable, the data protection officer;
- Which cookies you use;
- The purpose(s) of the cookies;
- The lifetime of the cookies;
- Whether third parties have access to the cookies (and, if so, the identity of those third parties where relevant);
- The procedure for deleting cookies that have been installed on a user’s device;
- The legal basis for processing such data (legitimate interest for ‘functional’ cookies and consent for the rest);
- The period of time for storing the data collected by the cookies;
- The data subjects’ rights under the GDPR (e.g. their right to withdraw consent, their right to access their personal data, etc.);
- The procedure for data subjects to lodge a complaint with the BDPA;
- Whether the data will be used for automated decision making, including profiling (and, where appropriate, relevant information about the underlying reasoning, as well as explaining how the data will be protected and used).
In addition, we recommend:
- Completing a cookie audit. Together with your IT department and/or website operator, check what cookies you use on your website and why you use them (remove any cookies that you do not need);
- Assessing whether you need consent for the cookies you use. If a cookie is not strictly necessary, you will need to obtain the user’s consent before installing each cookie;
- Determining the mechanism that you will implement to obtain consent (e.g. the consent management platform).
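The cookie audit above is easier to do against captured `Set-Cookie` headers than by clicking through the browser. The following script is an added example and is not part of the BDPA dossier or of the authors' text. It parses each header, derives the lifetime the cookie policy must state (Max-Age takes precedence over Expires under RFC 6265, and a cookie with neither is a session cookie), flags cookies whose Domain attribute does not belong to the site as third-party, and marks every cookie not found in the inventory as "unknown" so it can be justified or removed. The headers and the inventory table are constructed for the example; the cookie names and domains in them are illustrative, not an audit of any real site.

```javascript
// Constructed Set-Cookie headers standing in for what a crawler or the browser
// devtools would capture on a first page load (not real traffic).
const CAPTURED_SET_COOKIE = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ga=GA1.2.111; Max-Age=63072000; Domain=.example.be; Path=/",
  "fbp=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.facebook.com; Path=/; Secure; SameSite=None",
  "cookie_consent=v2:analytics=0,marketing=0; Max-Age=15552000; Path=/; SameSite=Strict",
  "mystery=1; Max-Age=31536000; Path=/",
];

// Hypothetical inventory maintained with the IT department: maps each cookie name
// to the category and purpose that will appear in the cookie policy.
const INVENTORY = {
  session_id: { category: "strictly necessary", purpose: "keeps the visitor logged in" },
  cookie_consent: { category: "strictly necessary", purpose: "remembers consent choices" },
  _ga: { category: "analytics", purpose: "audience measurement" },
  fbp: { category: "marketing", purpose: "social plug-in / ad attribution" },
};

// Parse one Set-Cookie header into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    maxAge: null, expires: null, domain: null, path: "/",
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    switch (key) {
      case "max-age": cookie.maxAge = Number.parseInt(val, 10); break;
      case "expires": cookie.expires = new Date(val); break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "path": cookie.path = val; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
    }
  }
  return cookie;
}

// Lifetime in days, as the policy must state it. Max-Age wins over Expires (RFC 6265);
// a cookie with neither lives only for the browser session (reported as 0 days).
function lifetimeDays(cookie, now = new Date()) {
  if (cookie.maxAge !== null) return Math.round(cookie.maxAge / 86400);
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return Math.round((cookie.expires - now) / 86400000);
  }
  return 0;
}

// A cookie is third-party when its Domain attribute is neither the site host nor a parent of it.
function isThirdParty(cookie, siteHost) {
  if (!cookie.domain) return false;
  return !(siteHost === cookie.domain || siteHost.endsWith("." + cookie.domain));
}

// Build the audit table: category, lifetime, third-party access and whether consent is needed.
function auditCookies(headers, siteHost, inventory, now = new Date()) {
  return headers.map((h) => parseSetCookie(h)).map((c) => {
    const known = inventory[c.name];
    return {
      name: c.name,
      category: known ? known.category : "UNKNOWN - justify or remove",
      purpose: known ? known.purpose : null,
      lifetimeDays: lifetimeDays(c, now),
      thirdParty: isThirdParty(c, siteHost),
      domain: c.domain || siteHost,
      needsConsent: !known || known.category !== "strictly necessary",
      secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite,
    };
  });
}

const report = auditCookies(CAPTURED_SET_COOKIE, "www.example.be", INVENTORY);
console.table(report);
```

Every row marked `UNKNOWN` is a cookie nobody has claimed a purpose for; under the dossier that is a cookie to remove rather than document. The `thirdParty` column feeds the "whether third parties have access" section of the policy, and `lifetimeDays` feeds the lifetime section, so the audit output maps directly onto the mandatory sections listed above.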
Ensure that your consent mechanism is in line with the GDPR's requirements
- Storing cookies requires users' active consent (a positive action): a pre-ticked box or a slider set to “ON” by default is therefore not valid. Also, continued browsing or acceptance of terms and conditions does not constitute a valid means for obtaining consent;
- Consent must be obtained prior to installing or reading cookies;
- Consent must be unambiguous: the platform’s design should in no way mislead users about their choice. Users should get a real choice between accepting or refusing cookies;
- Consent must be specific: according to the BDPA, consent must be obtained for each type of (non-necessary) cookie. But you must also give users the ability to make a specific choice for each individual cookie (this requirement will be difficult to meet in practice);
- Data subjects must be able to withdraw consent at any time. A user-friendly solution must be implemented so that withdrawing consent will be as easy as giving it.
Can the cookie policy and the privacy policy be in the same document? What about language requirements?
No. The cookie policy must be presented separately from any other document (such as your privacy policy). According to the BDPA, if your website is aimed at a French-speaking and/or Dutch-speaking audience, you must provide the information in French and/or Dutch. If you have a teenage audience, you will need to use language that is simple enough to be understood by that target audience.
Do I need consent for social plug-ins?
Yes. Social plug-ins that allow you to add share icons for RSS, Facebook, Twitter, LinkedIn, Pinterest, Instagram, YouTube and the like use cookies that can closely track Internet users (even if they do not have an account on those platforms). The consent of users must therefore be obtained before these plug-ins are installed.
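The consent requirements listed above (no pre-ticked defaults, nothing installed before consent, a separate choice per category, withdrawal as easy as giving consent) and the rule that social plug-ins load only after consent all come down to one piece of front-end logic: a gate that decides which tags may be injected. The class below is an added example, not the BDPA's or the authors' code, and not any particular consent management platform. It keeps the browser-specific parts (reading and writing the consent cookie, inserting `<script>` elements, deleting cookies) behind two small interfaces, `storage` and `loader`, so the decision logic can be exercised outside a page; the tag registry, the script URLs and the policy version string are hypothetical. Consent recorded under an older policy version is treated as absent, so changing the cookie policy re-triggers the banner instead of silently reusing old consent.

```javascript
// Categories that need prior consent. Nothing registered under them is loaded
// until the visitor has actively opted in to that category.
const CATEGORIES = ["analytics", "social", "marketing"];

// Hypothetical registry of tags/plug-ins per category (constructed for the example;
// the script URLs are placeholders). `cookies` lists what must be deleted on withdrawal.
const TAG_REGISTRY = {
  analytics: [{ id: "ga", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXX", cookies: ["_ga", "_gid"] }],
  social: [{ id: "fb-share", src: "https://connect.facebook.net/en_US/sdk.js", cookies: ["fbp"] }],
  marketing: [],
};

class ConsentManager {
  // storage: { get(), set(record) } wrapping the consent cookie or localStorage in a browser.
  // loader:  { load(tag), unload(tag) } inserting a <script> / deleting the tag's cookies in a browser.
  constructor({ storage, loader, policyVersion, now = () => new Date() }) {
    this.storage = storage;
    this.loader = loader;
    this.policyVersion = policyVersion;
    this.now = now;
    this.loaded = new Set();
  }

  // Default state: every non-necessary category is OFF. A pre-ticked default is not consent.
  defaultChoices() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  }

  // Only a record made under the current policy version counts; anything else is "no consent yet".
  currentRecord() {
    const rec = this.storage.get();
    if (!rec || rec.policyVersion !== this.policyVersion) return null;
    return rec;
  }

  // Called when the visitor submits the banner. `choices` must come from explicit clicks;
  // anything not explicitly set to true is treated as refused.
  recordChoices(choices) {
    const granted = this.defaultChoices();
    for (const c of CATEGORIES) granted[c] = choices[c] === true;
    const rec = { policyVersion: this.policyVersion, grantedAt: this.now().toISOString(), granted };
    this.storage.set(rec);
    this.apply(rec);
    return rec;
  }

  // Load exactly the tags whose category is granted; unload (and delete the cookies of) the rest.
  apply(rec) {
    for (const category of CATEGORIES) {
      for (const tag of TAG_REGISTRY[category]) {
        if (rec.granted[category] && !this.loaded.has(tag.id)) {
          this.loader.load(tag);
          this.loaded.add(tag.id);
        } else if (!rec.granted[category] && this.loaded.has(tag.id)) {
          this.loader.unload(tag);
          this.loaded.delete(tag.id);
        }
      }
    }
  }

  // Withdrawal is one call, as easy as giving consent. The "all refused" record is kept
  // so the banner does not keep re-asking a visitor who already said no.
  withdrawAll() {
    return this.recordChoices({});
  }

  // Page-load entry point. Without a valid record nothing is loaded and the banner is shown.
  init() {
    const rec = this.currentRecord();
    if (!rec) return { showBanner: true, choices: this.defaultChoices() };
    this.apply(rec);
    return { showBanner: false, choices: rec.granted };
  }
}

// In-memory stand-ins for the browser pieces so the flow can be run outside a page.
function makeMemoryStorage() {
  let rec = null;
  return { get: () => rec, set: (r) => { rec = r; } };
}
function makeRecordingLoader() {
  const events = [];
  return {
    events,
    load: (t) => events.push(`load:${t.id}`),
    unload: (t) => events.push(`unload:${t.id}:delete ${t.cookies.join(",")}`),
  };
}

// Walk a visitor through first visit, a specific choice, and later withdrawal.
function demo() {
  const storage = makeMemoryStorage();
  const loader = makeRecordingLoader();
  const cm = new ConsentManager({ storage, loader, policyVersion: "2020-06" });
  const first = cm.init();                // fresh visitor: banner shown, nothing loaded
  cm.recordChoices({ analytics: true });  // explicit tick on analytics only; social plug-in stays off
  cm.withdrawAll();                       // one click later removes everything non-necessary
  return { first, events: loader.events, final: storage.get().granted };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page `loader.load` would append the `<script src=…>` element and `loader.unload` would expire the listed cookies for both the site host and the tag's own domain; the point of the structure is that no code path reaches `loader.load` before `recordChoices` has stored an explicit true for that category.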
What do the new EDPB guidelines say about cookies?
In May, the EDPB published its new Guidelines 05/2020 on consent, which included two major points on cookies:
Cookie walls are forbidden. Consent is not freely given, and therefore not valid, when access to a service is conditional on accepting cookies. Therefore, when a website provider sets up a script that blocks access to the website until the user has clicked the “Accept Cookies” button (i.e. a cookie wall), this does not constitute valid consent because the user is not presented with a real choice.
Scrolling is not an affirmative action. Scrolling or dragging on a web page or similar user activity does not constitute a clear and affirmative action.
News update on the debate about the ePrivacy Regulation
Owing to the ongoing COVID-19 pandemic, the proposed ePrivacy Regulation has been put on the back burner. The latest proposal by the Croatian Presidency introduced “legitimate interests” as a basis for using metadata and cookies, but additional discussions with the delegations have not yet taken place. Considering that Germany will focus its upcoming six-month presidency of the EU (starting on 1 July) on the fight against COVID-19, it is unlikely that much progress will be made with the draft ePrivacy Regulation before the end of 2020.
Tom De Cordier, Partner, Brussels
Thomas Dubuisson, Associate, Brussels