Belgian DPA Releases Guidance Materials and FAQs on Cookies and Other Tracking Technologies
5 Minute Read
On April 9, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released guidance and a set of frequently asked questions (“FAQs”) regarding the use of cookies and other tracking technologies.
Key takeaways from the Belgian DPA’s guidance and the FAQs include:
- Transparency: Users must be informed about the use of cookies. In particular, a cookie policy should be posted on the relevant site or mobile app, and should contain information about the identity and contact details of the data controller and the data protection officer (if any). Additionally, a cookie policy should provide:
- identification of the (types of) cookies used;
- their purposes and duration;
- whether third-parties have access to such cookies;
- information about how to delete cookies;
- the legal basis(es) relied upon for the use of cookies (i.e., consent for non-essential cookies and the legitimate interest of the data controller for the use of essential and functional cookies);
- information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority; and
- information about any automated decision making, including profiling.
The cookie policy should be drafted in a language that is understandable to the site’s or mobile app’s audience and it should be easily available to users, such as via a hyperlink.
- Consent:
- Consent should be obtained for the use of all non-essential cookies. Cookies that are necessary to transmit a communication over an electronic communications network or to provide an information society service requested by the subscriber or user do not require consent. According to the Belgian DPA, audience measuring cookies are not exempt from the consent requirement under the current legal framework. The Belgian DPA also confirms in its guidance that consent is required for the use of social media plug-ins on a site or mobile app.
- To be valid, consent must be informed. The Belgian DPA clarifies that prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies. The Belgian DPA suggests that such information should be provided in two phases (i.e., a first notice at the time users provide their consent and a second, more detailed notice in the form of a cookie policy). According to the Belgian DPA, users must be provided with the following information when consenting to the use of cookies: (1) the entity responsible for the use of cookies; (2) the cookies’ purposes; (3) the data collected through the use of cookies; and (4) their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent.
- Users must have the option to provide granular consent. In this respect, the Belgian DPA notes that in a first phase, consent can be provided per type of cookie. In a second phase, users should be able to express their consent per cookie (i.e., individually).
- The use of so called “cookie walls” (i.e., consent solutions which prevent users who do not consent to the use of cookies from accessing a site or mobile app) is unlawful as the consent obtained through cookie walls is not freely given and is, therefore, invalid.
- Companies must be able to demonstrate that consent was collected, e.g., by using logs.
- Consent must be unambiguous and provided through a clear affirmative action. Merely continuing to browse a site or mobile app, or scroll down the page of a site or mobile app can no longer be considered valid consent. Similarly, consent cannot be deduced from the user’s browser settings.
- Consent should be easy to withdraw at any time.
- Cookie Lifespan: The lifespan of a cookie must be limited to what is necessary to achieve the cookie’s purpose and cookies should not have an unlimited lifespan. Where it is not possible to delete the cookie and related data within a reasonable time (e.g., because it is not technically possible), it should be clearly explained to users how they can delete those cookies themselves (such as via their browser settings). According to the Belgian DPA, cookies that are exempt from consent (i.e., necessary and functional cookies) must be deleted once the purpose for which they are used is achieved. Typically, this means that those cookies should be deleted at the end of the user’s session. If that is not the case, the data controller should determine the cookie’s lifespan taking into account users’ reasonable expectations (e.g., users that place items in their shopping baskets and that accidentally close their session would typically expect those items to still be in their basket a few minutes after closing the session). Users can also specifically ask that some of their information is memorized from one session to another, which requires the use of persistent cookies.
Read the Belgian DPA guidance materials and FAQs (in French).
Tags: Belgium, Consent, Cookies, Data Controller, Data Processor, Data Protection Authority, Personal Information
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code