Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules | Alston and bird

May 25e, the Belgian Supervisory Authority (“GBA”) announced that it had fined a Belgian-based press company EUR 50,000 for using cookies on its websites without complying with the applicable requirements of the cookie law. The GBA decided to sanction the company primarily because although the company obtained consent from website visitors to place cookies on their devices, the consent did not meet all GDPR requirements. This is the first enforcement action by the GBA relating to the use of cookies following a thematic investigation by the GBA into the management of cookies on the most popular news media sites in Belgium.

Cookies are “mini-files” that can be used to collect or store information on Website users’ devices. Under EU cookie law, companies responsible for websites that place or use cookies must obtain the prior consent of website visitors, unless the cookies are strictly necessary (to provide a service expressly requested or to proper functioning of the website).

In its decision, the GBA recalls that to be valid under the GDPR, the consent must meet strict conditions. In particular, consent to cookies must be:

  • Informed – the site editor must clearly inform visitors of any cookies that may be deposited, of their purpose, ;
  • Unambiguous – consent must be the result of a clear affirmative act. Continued navigation on a website is not considered an unequivocal indication of the user’s willingness to consent;
  • Freely given – users of the website should not suffer any negative consequences if they refuse to give consent; and
  • Specific – users can only consent to a well-defined data processing activity, which means that they must be given the option to consent to the use of certain types of cookies only.

The GBA found that in the case of the media company, not all elements of valid consent were present. In particular, the GBA disputed that:

  • About sixty different types of cookies (which were not strictly necessary) were placed on the terminals of site users, prior to obtaining their consent;
  • The company has been negligent in providing (sufficient) information about its use of cookies to users of the site;
  • The boxes for obtaining cookie consent were already pre-checked; and
  • The company did not offer users the option to withdraw their consent as easily as it was given.

The GBA also pointed out that “statistical” cookies (which, among other things, are used for the purpose of checking the number of people visiting a website) cannot in principle be considered “strictly necessary”, and their use is therefore also subject to prior consent.

The GBA has therefore decided to impose a fine of 50,000 euros, which the company can appeal against.

The case is the result of an intensive investigation by the GBA into the use of cookies on the most popular news media websites in Belgium, which began in 2019 and in which the GBA ended up looking at 20 different websites. The GBA is currently considering taking enforcement action against other news media companies whose use of cookies has also been investigated.

Interestingly, in its press release, the GBA stresses that it wants to continue to enforce compliance more proactively – rather than reacting to complaints – by launching sector and thematic investigations. However, to be able to do so, the Belgian Parliament would have to ensure that the GBA is endowed with “sufficient resources and personnel”.

The statement echoes concerns that the GBA expressed last March in its opinion on a draft law amending the law of December 3rd, 2017 which establishes the GBA. The GBA is concerned that the Bill will undermine both the effective functioning and independence of the GBA, and fail to address the GBA’s need for additional resources. The GDPR requires each Supervisory Authority to have the necessary resources to carry out its missions. However, the GBA says its requests for additional human and financial resources, backed up by the Belgian Court of Auditors and an external study, have so far been largely ignored by the Belgian Parliament. According to the GBA, it currently has only 45.9 case handlers (FTEs) to carry out the 21 different tasks assigned by the GDPR, and the gap with its European counterparts (that’s to say., supervisory authorities in other EU Member States) is expanding.

It is hoped that the Belgian government will take into account the concerns of the GBA and avoid exposing the Supervisory Authority to structural problems that could affect its ability to carry out its tasks, including the initiation of compliance investigations. and infringement procedures.

[View source.]