
Cookie fine imposed by Belgian DPA


On 17 December 2019, the Belgian Data Protection Authority (DPA) imposed an administrative fine of 15.000 EUR on a company that manages a website with legal news and information.[1] The website has about 35.000 monthly visitors including many lawyers, law students and paralegals. It is the first decision that is published by the DPA regarding an online platform.

The investigation was initiated by the DPA’s inspection service, which concluded that the company had committed several breaches of the provisions of the General Data Protection Regulation (GDPR) and of the ePrivacy regulation.

The main findings of the DPA’s inspection service related to the following items:

  1. Cookie requirements

Cookies are small pieces of data that are sent from a website and stored on a visitor’s computer through his web browser. These pieces of data are used to keep track of the visitor’s online activity and to store information about the user’s website interaction.

Initially, the company’s website made use of cookies without asking for valid consent. Subsequently, the website did ask its users for consent, but did so by using a cookie banner with pre-ticked boxes. Visitors therefore needed to untick the boxes (i.e. opt out) if they wanted to disable the cookies. This practice has already been found unlawful by the European Court of Justice, as it does not qualify as ‘active consent’ (i.e. an active action such as ticking the box).[2] Furthermore, there was no possibility for the data subject to easily withdraw his/her consent.

  2. Information requirement

The information to be provided to the visitors of the website, i.e. where personal data is collected directly from the data subject, was found to be incomplete. Among other things, the data controller’s identity and contact information as well as the data subjects’ rights and the retention period for personal data collected by the cookies were not specified.

  3. Transparency

The information concerning the processing of personal data was found not to be adequately transparent. In practice, the company’s website is directed at Dutch- and French-speaking data subjects. However, the company’s privacy policy was initially only available in English. Furthermore, the policy made reference to the privacy legislation of the USA, which does not apply to European citizens. Lastly, the policy (incorrectly) stated that IP addresses do not qualify as personal data.

The DPA has stated that the company’s website fulfills a role-model function with respect to GDPR compliance, given that its main objective is providing legal news and information. With its 15.000 EUR fine, the DPA has taken a clear position that all website providers have to respect the applicable privacy (and cookie) legislation.

 

If you have any questions regarding your privacy policy and/or the use of cookies on your company’s website, please do not hesitate to contact our experts.

 

[1] DPA Decision 17 December 2019 n° 12/2019, www.gegevensbeschermingsautoriteit.be. Please note that the website provider can still appeal the DPA’s decision.

[2] CJEU 1 October 2019 n° C-673/17, Planet 49, www.curia.europa.eu.
