Belgian Data Protection Authority fines legal website €15,000
Since the entry into force of the GDPR and from an enforcement perspective, the obligations on cookies depend on the type of cookie, i.e.:
- Strictly necessary cookies: these cookies are essential to use the website and its features, such as accessing secure areas of the site (e.g. cookies that allow web shops to hold your chosen items in your shopping cart while you are purchasing online). For strictly necessary cookies, the website owner is obliged to inform the visitor of their existence and function but does not have to obtain explicit consent.
- All other cookies (e.g. cookies that allow a website to remember the choices you have made in the past on preferred language, your user name and password). Cookies that are not strictly necessary to use the website can only be placed on a website when a visitor has given his express consent for the use thereof.
The key takeaway from the decision of the DPA is that most analytical cookies, i.e. cookies that are used to monitor the activities of the visitors on the website and to improve access and user experience, are not strictly necessary and therefore need explicit consent insofar as they are exclusively beneficial to the website and not to the visitor.
Please find below a brief analysis of analytical cookies as personal data, the necessity of analytical cookies and the issues faced by websites in this regard.
Analytical cookies are personal data
In its decision, the DPA starts by stating that analytical cookies are personal data.
Until this decision, it was assumed that analytical cookies did not pose any privacy concern since they only keep a record of how long, when and on which pages someone is surfing, but not who is visiting the website (e.g. the commonly used Google Analytics only records the last three digits of the IP addresses). As a result, it was assumed that the anonymity of the user was guaranteed and the information recorded in the analytical cookies should not be regarded as personal data.
However, the DPA has now confirmed that the specific information recorded in the analytical cookies on the website Jubel.be does not fall under anonymous collection of data since, even if the data were to be anonymized in the end, there is no guarantee that all personal data had been anonymized at the start of processing.
Analytical cookies are generally not strictly necessary and require explicit consent
Since, in light of this decision, information stored in the analytical cookies will most likely be considered as personal data, a website has to obtain explicit consent from the visitor for the use of these cookies on the website. The website must disable the analytical cookie until explicit consent has been obtained.
Jubel.be argued that its analytical cookies did not require explicit consent of the visitor to the website because they were strictly necessary for the functioning of the website in accordance with the ePrivacy Directive. The ePrivacy Directive states that consent is not required for cookies that are necessary for (i) the communication or (ii) the provision of a service that the user of the website has explicitly requested, on the condition that the user of the website is notified about the use of these cookies on the website, and that those cookies are not saved for longer than strictly necessary and can be deleted by the user himself.
The DPA did not follow this argumentation and stated that strictly necessary cookies are cookies that are beneficial to the user, and not just to the website, which was not the case for these analytical cookies. Consequently, Jubel.be should have obtained explicit consent.
The DPA does not exclude, however, that some analytical cookies can be qualified as strictly necessary for supplying a(n) (informative) service requested by the visitor of the website, e.g. to detect navigation problems. In this case, explicit consent would not be necessary and the analytical cookies could be used insofar as the website owner has informed the visitor of their existence and function.
Most websites are not compliant – expect active enforcement
Do not hesitate to reach out if you would like the Brussels office of Dentons Europe LLP to perform a preliminary check of your website's compliance with the rules on cookies and the GDPR to avoid any unnecessary fines!