Belgium

Can you place cookies without consent?

Only strictly necessary “functional” cookies can be placed without consent (e.g., to remember what has been placed in a shopping cart or to ensure the security of a financial transaction). This requirement of the ePrivacy Directive is implemented in Article 10/2 of the Belgian Data Protection Act.

Are cookie rules(whether specific or within general data protection laws) followed in practice?

Due to increasing enforcement by the Belgian Data Protection Authority, compliance has been more common.

Are there any exemptions if consent is required?

There are no exemptions if consent is required for the placement of cookies.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

No, none of these three categories of cookies are considered strictly necessary by the Belgian Data Protection Authority, and their placement therefore requires consent.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

Following the Planet49 ruling of the CJEU, consent is deemed validly obtained when the user takes positive action to grant it (e.g., ticking a box, sliding a button, etc.), and given that this consent is free, informed and specific. On the other hand, mechanisms such as further browsing or deducing consent from the parameters of a browser are not valid ways to obtain consent from the user.

Can you set cookies without a cookie notice? 

No, as any cookie set may process personal data, a cookie notice is required in any case to set out the information required under the GDPR. Additionally, where the placement of cookies requires consent, a cookie notice also fulfils the information requirement for user’s consent to be “informed”.

Can you set cookies without a cookie banner/ management tool?

The law does not prescribe the means or manner to obtain and manage consent, so a cookie banner or management tool is not technically required. However, the management and obtention of consent should comply with all requirements under the GDPR (freely given, specific, informed, as easy to give as to withdraw, etc.), meaning the use of a cookie banner is de facto very much recommended to ensure such compliance. In addition, the Belgian DPA is explicitly aligning itself on the majority findings of the report of the EDPB’s “Cookie Banner Taskforce”, which gives practical guidance on the functionalities a cookie banner should or may not have. In addition, the Belgian DPA published a non-binding checklist for cookie placement in October 2023 (available here in French and here in Dutch).

Are you able to use cookie walls? 

No, the Belgian Data Protection Authority follows the EDPB’s assessment in Guidelines 05/2020: “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user”. Therefore, cookie walls are prohibited as they cannot result in users freely giving consent.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes, the Belgian DPA has taken a dozen decisions enforcing cookies rules, the majority of which imposed fines on defendants. These cases were both complaint-driven and led of the initiative of the Belgian DPA. Where the Belgian DPA decides to enforce and impose a sanction, that sanction is often an administrative fine. The average fine imposed is, from an international perspective, typically rather low. In addition, the value of the fines imposed by the Belgian DPA are not always proportionate to the size and turnover of the defendants (i.e., often lower fines for big organisations). Aforementioned decisions by the Belgian DPA mainly focusing on cookies have imposed fines ranging from 1,500 to 50,000 EUR. However, a risk of outliers to this trend does exist.

Incidentally, other decisions may not relate directly to the enforcement of cookies rules but nevertheless involve discussions over the existence of data processing activities in relation to the saving of user cookie preferences (for example, the decision against IAB Europe or “TCF case”, in which the Belgian DPA imposed a €250,000 fine, amongst others).

Are there any current consultations relating to ad tech/cookies?

None that we are aware of - the Belgian DPA’s latest activity regarding cookie was (i) its participation to the work of the EDPB’s “Cookie Banner Taskforce” and resulting report and (ii) the publication of its cookie checklist (see above).

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

The decisions of the Belgian Data Protection Authority on cookies have been consistent and follow the rulings of the Court of Justice of the European Union and the Guidelines of the EDPB closely. In the same vein, the Belgian Data Protection Authority also tends to align with interpretations held by supervisory authorities in the EU. We therefore do not expect any significant changes in rules or attitudes in the market.