Almost one year after the publication of the draft version, the Belgian Privacy Commission has recently issued the final version of its recommendation regarding the use of cookies (which can be consulted through the following links, in Dutch or in French).
The extensive document (over 70 pages), covering both technical and legal aspects, constitutes the first official guidance by a Belgian authority on the use of cookies.
In accordance with the opt-in rule, introduced by the revised ePrivacy Directive in 2009 and transposed into Belgian law by an amendment to the Act on Electronic Communications in 2012, cookies (and similar technologies) can only be stored and accessed on a user's device after the informed consent of that user has been obtained.
However, in two cases cookies are exempted from this informed consent requirement:
- when the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- when they are strictly necessary in order to provide the user with a service s/he has explicitly requested.
These rules have not always been easy to implement in practice and therefore this recent recommendation may provide useful guidance to website owners and other stakeholders.
Some key points of the recommendation relating to (1) the information obligation, (2) the consent requirement and (3) the exemptions are summarized below.
1. Information obligation
Users should be provided with a clear, comprehensible and visible notice on the use of cookies. This notice should provide a link to a more detailed cookie policy.
The cookie policy should be accessible from, and referred to on, every page of a website.
The information should cover the following elements:
- the purposes for which the different types of cookies are stored or accessed;
- the categories of saved information;
- the storage terms;
- how to erase the information;
- means to object to the processing;
- the communications, if any, to third parties.
The Privacy Commission stresses that if a data controller does not respect its own cookie policy, it may be subject to sanctions based on the Privacy Act and consumer legislation.
2. Obtaining consent
The Privacy Commission calls for a granular approach, giving users the possibility to accept all or only certain types of cookies. Moreover, users should be able to change their choices at all times.
Consent can be given through an affirmative action of the user (e.g. clicking or checking a box) from which the consent can be inferred unambiguously.
It is explicitly stated that "further browsing" can qualify as a valid consent provided that:
- the notice regarding the use of cookies is clearly visible on the homepage in such a manner that it cannot be missed;
- the notice states explicitly that further browsing on the website will be construed as consent;
- the notice remains visible as long as the user has not continued browsing the website.
However, a lack of action cannot be interpreted as a valid consent.
Once consent has been obtained it is not required to ask the user's consent again for the storing of a cookie with the same purpose and originating from the same provider. However, the validity of the consent should be limited in time, especially when the consent was obtained implicitly or relates to tracking cookies.
The Privacy Commission advises against the use of pop-ups due to their obtrusive nature and provides several examples of means to validly obtain consent from visitors, such as banners (provided an affirmative action of the visitor is required in order to continue his/her visit to the website) and tick boxes.
Visitors should at all times be able to easily withdraw their consent. Upon withdrawal, the cookies and the data collected through them shall be deleted from the users' devices by the data controller. Where this is not possible, the privacy policy of the data controller should clearly describe how the user can delete the information himself.
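To make the consent rules of this section concrete, here is an added example (not code from the recommendation or the Privacy Commission) of a small consent ledger that enforces them: per-category choice, no consent without an affirmative grant, time-limited validity, exempt cookies set without consent, and deletion of the affected cookies on withdrawal. The category names, cookie names, the six-month validity and the in-memory jar standing in for document.cookie are all assumptions.

```javascript
// Added example: a consent ledger modelled on the rules summarised above.
// Categories, cookie names and the 6-month validity are assumed values.
const CATEGORIES = {
  necessary:   { exempt: true,  cookies: ['sessionid', 'csrftoken'] }, // strictly necessary
  analytics:   { exempt: false, cookies: ['_ga', '_gid'] },            // needs consent
  advertising: { exempt: false, cookies: ['ad_id'] },                  // needs consent
};
const VALIDITY_MS = 180 * 24 * 60 * 60 * 1000; // assumed 6-month limit on consent

function createConsentManager(jar, now = () => Date.now()) {
  let record = null; // no record means no consent: a lack of action is never consent

  function grant(categories) {
    // Only an explicit list produced by an affirmative action is accepted;
    // exempt categories are not recorded because they need no consent.
    const accepted = categories.filter(c => c in CATEGORIES && !CATEGORIES[c].exempt);
    record = { accepted, grantedAt: now() };
    return record;
  }
  function allows(category) {
    const cat = CATEGORIES[category];
    if (!cat) return false;                                  // unknown category: refuse
    if (cat.exempt) return true;                             // no consent needed
    if (!record) return false;                               // never asked or never granted
    if (now() - record.grantedAt > VALIDITY_MS) return false; // consent expired: ask again
    return record.accepted.includes(category);               // granular per-category choice
  }
  function setCookie(name, category, value) {
    if (!allows(category)) return false;
    jar.set(name, value);
    return true;
  }
  function withdraw(categories) {
    // Withdraw consent for the given categories and delete their cookies.
    if (record) record.accepted = record.accepted.filter(c => !categories.includes(c));
    for (const c of categories) {
      for (const name of (CATEGORIES[c] || { cookies: [] }).cookies) jar.delete(name);
    }
  }
  return { grant, allows, setCookie, withdraw, state: () => record };
}

// Constructed in-memory cookie jar; in a browser this would wrap document.cookie.
function memoryJar() {
  const m = new Map();
  return { set: (k, v) => m.set(k, v), delete: k => m.delete(k), has: k => m.has(k) };
}
```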
3. Exemptions
The recommendation also sheds some light on the exemptions by illustrating the two categories with examples and by giving examples of non-exempted cookies. Unless stated otherwise all these examples relate to session cookies.
Examples of cookies exempted according to the first criterion (i.e. cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network) are:
- cookies used to detect the origin of users and how they visit a website, provided they are analyzed anonymously. It should be noted, however, that the Privacy Commission explicitly states that first-party analytics cookies do not fall within the scope of this exemption;
- load balancing session cookies provided they are only analyzed anonymously.
The following cookies are exempted according to the second criterion (i.e. strictly necessary cookies for providing a service the user has explicitly requested):
- user input cookies;
- authentication cookies that are necessary for authenticated services;
- user-centric security cookies, e.g. the data necessary for securing a service the user has explicitly requested;
- multimedia content player cookies;
- user interface customization cookies, for the duration of a session (or slightly more if additional information is provided).
Finally, the Privacy Commission explicitly states that no exemption exists for the following types of cookies:
- tracking cookies of social network plug-ins;
- advertising cookies.
It is important to note that, apart from the above-mentioned cookie rules, the general rules of the Privacy Act (e.g. regarding the purpose limitation principle, the transfer of personal data to third countries, the data subject's rights, etc.) will generally also apply, given that most cookies constitute personal data.