Belgian Data Protection Authority fines legal website €15,000

On December 17, 2019, the Belgian Data Protection Authority ("DPA") made a groundbreaking decision on the use of cookies in the framework of the GDPR. To set an example for other websites, it imposed a fine of €15,000 on the legal website Jubel.be, equivalent to approximately 10% of annual profits. This decision will have an important impact on the use of cookies on websites in the future, since (i) the DPA further limits cookies that can be placed without consent of the user; (ii) it demonstrates that nearly all websites to date are not compliant with the rules applicable to cookies; and (iii) the DPA will effectively enforce these rules.

Since the entry into force of the GDPR and from an enforcement perspective, the obligations on cookies depend on the type of cookie, i.e.:

  • Strictly necessary cookies: these cookies are essential to use the website and its features, such as accessing secure areas of the site (e.g. cookies that allow web shops to hold your chosen items in your shopping cart while you are purchasing online). For strictly necessary cookies, the website owner is obliged to inform the visitor of their existence and function but does not have to obtain explicit consent.
  • All other cookies (e.g. cookies that allow a website to remember the choices you have made in the past on preferred language, your user name and password). Cookies that are not strictly necessary to use the website can only be placed on a website when a visitor has given his express consent for the use thereof.

The key takeaway from the decision of the DPA is that most analytical cookies, i.e. cookies that are used to monitor the activities of the visitors on the website and to improve access and user experience, are not strictly necessary and therefore need explicit consent insofar as they are exclusively beneficial to the website and not to the visitor.

Please find below a brief analysis of analytical cookies as personal data, the necessity of analytical cookies and the issues faced by websites in this regard.

Analytical cookies are personal data

In its decision, the DPA starts by stating that analytical cookies are personal data.

Until this decision, it was assumed that analytical cookies did not pose any privacy concern since they only keep a record of how long, when and on which pages someone is surfing, but not who is visiting the website (e.g. the commonly used Google Analytics only records the last three digits of the IP addresses). As a result, it was assumed that the anonymity of the user was guaranteed and the information recorded in the analytical cookies should not be regarded as personal data.

However, the DPA has now confirmed that the specific information recorded in the analytical cookies on the website Jubel.be does not fall under anonymous collection of data since, even if the data were to be anonymized in the end, there is no guarantee that all personal data had been anonymized at the start of processing.

Analytical cookies are generally not strictly necessary and require explicit consent

Since, in light of this decision, information stored in the analytical cookies will most likely be considered as personal data, a website has to obtain explicit consent from the visitor for the use of these cookies on the website. The website must disable the analytical cookie until explicit consent has been obtained.

Jubel.be argued that their analytical cookies did not require explicit consent of the visitor to the website because they were strictly necessary for the functioning of the website in accordance with the ePrivacy Directive. The ePrivacy Directive states that consent is not required for cookies that are (i) necessary for the communication or (ii) the provision of a service that the user of the website has explicitly requested, on the condition that the user of the website is notified about the use of these cookies on the website, that those cookies will not be saved for longer than strictly necessary and can be deleted by the user himself.

The DPA did not follow this argumentation and stated that strictly necessary cookies are cookies that are beneficial to the user, and not just to the website, which was not the case for these analytical cookies. Consequently, Jubel.be should have obtained explicit consent.

The DPA does not exclude, however, that some analytical cookies can be qualified as strictly necessary for supplying a(n) (informative) service requested by the visitor of the website, e.g. to detect navigation problems. In this case, explicit consent would not be necessary and the analytical cookies could be used insofar as the website owner has informed the visitor of their existence and function.

Most websites are not compliant – expect active enforcement

Given that the cookie policy discussion is relatively new, most website owners were unaware of the specific rules applicable to cookies used on their websites. As a consequence, up to 80% of websites that are currently on the Internet are not entirely GDPR or cookie-compliant.

The Belgian DPA has been the first to fine a company for a non-compliant use of cookies, but it is to be expected that the data protection authorities in other member states will soon follow suit. Every website owner should therefore review its cookie policy and make sure that it is in line with the latest (interpretation of) the applicable regulations.

Do not hesitate to reach out if you would like the Brussels office of Dentons Europe LLP to perform a preliminary check of your website on compliancy with the rules on cookies and the GDPR to avoid any unnecessary fines!

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.