Privacy & Information Security Law Blog

On April 24, 2014, the Belgian Data Protection Authority (the “Privacy Commission”) published a Draft Recommendation regarding cookie usage, inviting all stakeholders to provide their input on the text. The Draft Recommendation clarifies the Belgian legal framework for the use of cookies and similar technologies, examining in detail the different purposes for which cookies and similar technologies may be used (e.g., authentication, storage of preferences) and explaining the steps to be taken to ensure compliance for each type of cookie use.

In particular, the Draft Recommendation explains how to comply with the new obligation to obtain prior consent before placing or accessing cookies and similar technologies on users’ devices, as provided by Article 129 of the Belgian Electronic Communications Act (which transposes Article 5.3 of the revised e-Privacy Directive 2002/58/EC). Consent is not required if the cookie or similar technology is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or if it is strictly necessary for the provision of a service requested by the user. The Draft Recommendation provides examples of cookies that fall under these exceptions (e.g., “shopping basket” cookies, authentication cookies).

According to the Draft Recommendation, to obtain valid consent to use cookies and similar technologies, users must have the opportunity to accept only certain cookies and refuse others, and be able to change their choices later on. Valid consent requires an affirmative action by the user. In addition, prior to providing consent, users must have a chance to review a cookie policy that details the different categories of cookies and their purposes, the categories of information stored, the retention period, how to delete cookies, and any disclosures of information to third parties. The Draft Recommendation provides useful examples of such cookie policies.

Comments on the Draft Recommendation may be sent to the Privacy Commission by mail (rue de la Presse, 35 - 1000 Brussels) or by email (commission@privacycommission.be). The public consultation will be closed on July 31, 2014, after which the Privacy Commission will publish the final version of the Recommendation.