When looking at the action undertaken in other European countries, you might argue that cookies have not been a real priority for the Belgian regulators in the past. Not in the least because it took the European Commission to initiate infringement proceedings before the Belgian legislator decided to transpose the EU cookie consent rules. But also because of the fact that compliance with the cookie consent rules was not high on the agenda of neither the Belgian data protection authority nor the Telco regulator.
In the absence of any guidance or enforcement action, many website operators did not implement any measures, whereas the more compliance driven ones had to look abroad for inspiration on how to tackle this issue.
It seems this is now about to change. Last month, the Belgian Data Protection Authority published a draft recommendation with regard to the use of cookies and launched a public consultation about it.
Starting off with a short recap of (i) the evolution of cookie use throughout history and (ii) the different types of cookies that exist, the draft recommendation examines in detail the legal framework and the different purposes for which cookies can be used as well as the different actors and their particular role (e.g. the internet user, the owner of a website, the website administrator, etc.).
As for the consent requirement, the draft recommendation repeats the position adopted by the Working Party 29, indicating that a user must give his or her specific, informed, unambiguous and freely given consent before the processing of personal data commences.
One of the questions that are often raised is whether it is possible to rely on implied consent. In the draft recommendation, the Belgian DPA expressly confirms that implied consent may be acceptable provided it is unambiguous. We welcome the fact that the Belgian DPA expressly confirms that an implied consent mechanism may be compliant with the cookie consent rules; However, it should be noted that the Belgian DPA continues to say that it will be difficult to qualify the total inactivity of the user as an implied consent.
It is indeed clear that many websites currently don’t pass the test of unambiguously given implied consent. As we have pointed out in the past, a proper implied consent mechanism should give the user a real choice rather than simply informing him or her about the fact that the website uses cookies
The draft recommendation also contains a helpful list of cookies that are exempt from prior consent (session cookies, cookies with regard to the change of user interface, cookies focused on user security, etc.).
Other points that are covered in the draft recommendation relate to:
- that users have the opportunity to accept certain cookies and refuse others and that they should be able to change their choices in a later stage;
- that the refusal of cookies should not have negative consequences for the user (e.g. completely impossible for the user to access a website);
- that each website should provide information relating to the identity of the data controller, details of the different categories of cookies and which information is stored, retention period, to whom users can address their rights to, how to delete cookies, the applicable formalities to withdraw consent, etc.
Finally, the draft recommendation also provides examples of cookie policies.
As mentioned, this is not yet the final position of the the Belgian DPA and it has invited all stakeholders to communicate their feedback and suggestions to the text. All opinions, comments or other suggestions should be addressed to the Belgian DPA by mail (Drukpersstraat 35, 1000 Brussel/Rue de la Presse 35, 1000 Bruxelles) or by e-mail (commission@privcaycommission.be).
This public consultation shall be closed on 31 July 2014, after which the Belgian DPA will evaluate all statements and publish a final recommendation.
Tim Van Canneyt and Aagje De Graeve