Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.
This week’s topic: cookies
In its decision no. 12/2019, the BDPA issued recommendations on the compliant use of cookies and similar technologies. Below, we have included a basic cookies checklist:
- Know exactly which cookies (and similar technologies) you place and use reliable tools for cookie mapping (inadequate mapping can be qualified as negligence)
- Cookie information must be available in all languages of the website or application, intelligible taking into account the target audience, actively brought to the users’ attention, and easily accessible from the home page of a website
- Consent required for all non-functional cookies, including analytical and statistical cookies
- Informed consent means that certain essential information must be included in the cookies banner itself (e.g. identity of data controller, categories of cookies, their purposes and which data they collect, right to withdraw consent, etc.)
- Consent must be active, prior to placing cookies (i.e. empty box the user must actively tick, use of sliders, etc.) - not acceptable: pre-ticked box, consent “by further browsing”
- Consent must be free, i.e. no cookie walls, no consent in exchange for a 'benefit' or 'reward'
- Consent must be specific, i.e. per type/category of cookie in first layer (second layer preferably includes cookie-per-cookie consent option)
- It should be possible to prove a user’s consent at any later stage
- Add required GDPR wording (cf. articles 12-13 GDPR) if the use of cookies entails a processing of personal data (e.g. IP address)
- Lifespan/retention of the cookies should be transparently disclosed and limited according to their purpose (e.g. keeping the shopping basket until the order is placed)
- Disclose which third parties have access to cookies
- Right to easily withdraw consent (and preferably in a granular manner) should be made explicit
- Provide instructions (preferably per Internet browser) on how the user can delete the cookies placed on his/her device (for example, by referring to the possibility to delete cookies via specific browser settings)
- Verify how changes to the cookies policy will be (actively) brought to the user’s attention (e-mail, pop-up when visiting site or application, etc.)