The importance of cookies: recent decisions and the way forward

 December 30, 2024 | Blog

Cookies remain a critical area of focus under data protection laws. Recent decisions by the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit / Autorité de protection des données”, or Belgian DPA for short) have highlighted the importance of proper cookie banner implementation and the significant consequences of non-compliance. Here’s an overview of the latest Belgian DPA decisions. 

Evaluating the importance of cookies

In 2023, the Belgian DPA made cookies a cross-cutting priority, rolling out tools like the Cookie Checklist to help organisations ensure compliance with the General Data Protection Regulation (GDPR). In 2024, the Belgian DPA imposed fines on Mediahuis and RTL Belgium for violations related to deceptive cookie banners. These cases underline the authorities’ determination to enforce cookie-related compliance.

Belgian DPA decisions under scrutiny

The Mediahuis case (113/2024)
In its decision on 6 September 2024, the Belgian DPA addressed complaints about cookie banners on Mediahuis-operated news websites, including Gazet van Antwerpen and Het Nieuwsblad. The investigation revealed multiple violations of GDPR principles:

  • No “reject all” option: The first layer of the cookie banner lacked an option for users to reject all cookies, making it easier to accept cookies than to refuse them. The Belgian DPA ruled that this practice violated the GDPR's requirement that consent must be freely given, specific, informed, and unambiguous.
  • Misleading design: The cookie banners employed so-called “deceptive design patterns” by visually emphasising the “agree and close” button using bright, eye-catching colours, subtly pressurising users into clicking it. The DPA found this approach violated the GDPR’s fairness principle, rendering any consent obtained through such means invalid. Mediahuis was instructed to ensure that the “reject all” and “accept all” options were presented with equal prominence.
  • Difficult consent withdrawal: At the time of the complaint, withdrawing consent required multiple steps, while accepting cookies was a one-click process. The DPA emphasised that withdrawing consent must be as simple and straightforward as giving it.
  • Illegitimate reliance on legitimate interest: Mediahuis attempted to justify the placement of non-essential cookies, such as analytical cookies, under the legal basis of legitimate interest. The Belgian DPA rejected this argument, reiterating that legitimate interest cannot be used as a fallback legal basis when valid consent is absent.

In its ruling, the Belgian DPA ordered Mediahuis to revise its cookie banners by adding a “reject all” button and removing misleading design elements. Non-compliance within 45 days would result in a fine of €25,000 per day per website. The full ruling can be accessed here in its original language. Since the decision, Mediahuis has complied with the Belgian DPA’s ruling, updating cookie banners across all its relevant news websites.

The RTL Belgium case (131/2024)
In a similar decision on 11 October 2024, the Belgian DPA found RTL Belgium’s cookie banner non-compliant with GDPR standards. The cookie banner failed to present a “reject all” button on the first layer, while prominently highlighting the “accept all” button with a bright colour.

Although RTL had implemented a consent withdrawal option accessible at the bottom of its webpages, the Belgian DPA insisted that cookie banners must prioritise user clarity and accessibility at the decision point itself. RTL was ordered to redesign its banners to meet these requirements. Since the decision, RTL has adjusted its banners to meet the stipulated requirements. The full decision can be accessed in the original language here.

Key considerations and future developments

These rulings emphasise several key points:

  • GDPR mandates that consent be freely given, specific, informed, unambiguous and easily withdrawn. Users must have the same ease of rejecting cookies as accepting them.
  • Misleading design choices, like emphasising the “accept all” button with bright colours, are unacceptable and undermine the validity of consent. Cookie banners must be designed to inform, not manipulate. Misleading designs can lead to sanctions.
  • Both companies faced the prospect of significant penalties if their non-compliance was not rectified, demonstrating that cookie compliance is not merely a legal formality but a serious regulatory obligation.

The landscape of cookie compliance is undergoing significant shifts as companies explore new approaches to meet regulatory requirements and user expectations. According to the Dutch technology website Tweakers, DPG Media is currently piloting a "pay-or-okay" model on a small scale across select websites in Belgium and the Netherlands, such as De Morgen and Het Parool. This model gives users the option to accept cookies or pay a subscription fee to browse without them. During the test phase, no payments are being collected; users choosing the payment option are redirected to a cookie-free experience with a message explaining the trial.

The "pay-or-okay" model is not entirely new, as similar systems have been adopted by various European media organisations. However, these approaches have drawn scrutiny. The European Data Protection Board has raised concerns, highlighting the necessity of providing "equivalent alternative services" for users who decline cookies. In a precedent-setting ruling involving Meta, the European Court of Justice allowed for reasonable fees for such alternatives but emphasised that user rights must remain a priority.

DPG Media's test reflects the industry's ongoing efforts to navigate complex regulatory landscapes while exploring models that respect user choice and maintain compliance. Whether these experiments will lead to broader implementation remains uncertain, underscoring the delicate balance between innovation and regulation.

Stay ahead

The recent actions of the Belgian DPA underscore the critical importance of cookie compliance as a key enforcement priority. Organisations must ensure their cookie banners are designed to be user-friendly, transparent, and fully compliant with GDPR standards. In addition, the design and operation of a cookie banner are as important as the information provided about the use of the cookies, which must be complete, accurate and clear. Such transparency is essential to meet legal requirements for obtaining valid user consent. Need assistance auditing your cookie banners, reviewing cookie policies or ensuring GDPR compliance? Our privacy and data protection team is here to help you navigate the regulatory landscape.
