Luxembourg

Can you place cookies without consent?

No.

In Luxembourg, Article 5(3) of the ePrivacy Directive 2002/58/EC, amended in 2009, was transposed by Article 4 of the amended law of 30 May 2005 on the protection of privacy in the electronic communications sector (“Law of 30 May 2005”).

Under Article 4 of the Law of 30 May 2005, consent is required to store cookies and similar technologies on a device. Nonetheless, some cookies are exempt from consent. For more information, see our answer to question 3 below.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes.

Are there any exemptions if consent is required?

Yes. Some cookies are exempt from requiring consent to place them. These are considered as “essential cookies”: (i) cookies which are strictly necessary for the provider, for the provision of an online communication service expressly requested by the subscriber or by the user; or (ii) cookies that exclusively aim to allow the transmission of communication by electronic means. These cookies do not require the consent of the users.

The data protection authority, the Commission Nationale pour la Protection des Données (“CNPD”), gives some examples in its guidelines published in October 2021 of cookies that do not require consent. There are cookies that are used for:

  • Registering a user’s choice regarding cookies;
  • User authentication where the cookie is only used for this purpose. The CNPD notes that this will not be the case for most cookies provided by social networks to simplify authentication;
  • Saving the contents of a shopping cart;
  • Recording responses to a contact form;
  • Content streaming, provided that the user has clearly indicated their wish to access the content concerned;
  • Service customisation. For example, to register a display format or language setting. The CNPD notes that personalisation of advertising does not fall into this category and consent must be obtained before a cookie can be placed or read for this purpose;
  • Security, if the cookie is only used for this purpose (e.g. fraud prevention, detection of multiple authentication attempts) and only on behalf of the website or application publisher; and
  • Certain types of analytics cookies (see below).

While consent is not required for these cookies, the CNPD recommends informing users of their use (via a cookie banner for instance, please see below).

Furthermore, where some cookies are considered strictly necessary but only necessary for certain functionalities of a site or application, the CNPD recommends placing such cookies only when the user indicates their wish to use the specific functionality (for instance a music player).

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Yes, certain analytics cookies may be considered essential and placed automatically. However, cookies used for tracking, profiling, ad targeting, and geolocation purposes require consent. Social plugins also require consent where the plugins are linked to the use of cookies.

The CNPD states that analytical cookies may be considered essential – and exempted from consent – if the site operator can demonstrate that the use of these analytical cookies are necessary for the provision of the service (for example, because they are needed to assess necessary server capacity or to detect navigation problems).

In this case, the CNPD considers that the exception will only apply if the data collected via these cookies:

  • are not passed on to third parties or cross-checked with other processing;
  • do not allow for global tracking of a person’s browsing using different applications or browsing on several websites; and
  • are collected exclusively on behalf of the site editor and are used to produce anonymous statistics only.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No.

Consent must be unambiguous: it must be clearly and actively given (i.e. the user must opt-in) and the person must have been informed beforehand of the consequences of his or her choice. Ticking a box or turning on a slider button are examples of valid consent. The following cases do not constitute valid consent:

  • continuing to browse the website or use an application;
  • the fact that the terminal’s configuration accepts cookies;
  • not unchecking a pre-checked box;
  • not having made a choice at the time of the request for consent.

Besides, the CNPD strongly recommends providing the same options for giving consent as for refusing it and that if an “accept all” button is included on the first layer, a similar “refuse all” button should also be included. The different choices available to the user should be presented in an identical manner (i.e. avoid using nudging techniques such as different forms, fonts, colours, sizes or contrasts).

Can you set cookies without a cookie notice? 

No.

According to the CNPD’s Guidelines, the user must consent in an informed manner (i.e. complete, clear information and drafted in simple terms that can be understood by all and that must allow the user to be duly informed of the different purposes of the cookie used). This information must be provided prior to obtaining his or her consent.

This information must comply with Articles 12 and 13 of the GDPR. Specifically, the CNPD recommends that the information be provided in two levels. The first level is mentioned below (For more information, see question 7).

The second level of information must be accessible from the first level (e.g. via a hyperlink or a drop-down menu). It generally corresponds to what is known as the "cookie policy". It may also be a section dedicated to cookies in the privacy policy.

Even if only strictly necessary cookies are used, in such cases, the CNPD recommends explaining to the user - at a minimum - what a cookie is and what the purposes of the cookies used are.

Can you set cookies without a cookie banner/ management tool?

No.

Are you able to use cookie walls? 

This is decided on a case-by-case basis, but most likely will not be possible unless it is low risk and unobtrusive.

However, where the user or subscriber has no genuine choice but to ‘agree’ or ‘accept’ the setting of cookies before they can access an online service’s content, or has to sign up to a service, the CNPD takes the view that this cookie wall does not allow for the collection of valid consent.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

CNPD has carried out audits, especially following complaints it has received over the past few years. The CNPD’s 2021 Annual Report highlights the Guidelines and Recommendations for Cookies and other Trackers.

However, we are not aware of any decision/ fine given by the CNPD in relation to cookie rules. The abovementioned report indicates that cookies represented 1% of the total of complaints that the CNPD received in 2021.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

None that we are aware of.