On May 25th, the Belgian Supervisory Authority (“GBA”) announced that it had imposed a fine of EUR 50,000 on a Belgium-based news media company for using cookies on its websites without complying with applicable cookie law requirements. The GBA decided to sanction the company mainly because although the company had obtained consent from website visitors to place cookies on their devices, the consent did not meet all the requirements of the GDPR. This is the GBA’s first enforcement action relating to cookie use following a thematic investigation by the GBA into the management of cookies on the most popular news media sites in Belgium.
Cookies are “mini-files” that can be used to collect or store information on devices of website users. Under EU cookie law, companies responsible for websites that place or otherwise use cookies must obtain website visitors’ prior consent, unless the cookies are strictly necessary (to provide a service that was expressly requested or for the website’s proper functioning).
In its decision, the GBA recalls that in order to be valid under the GDPR, consent must meet strict conditions. In particular, cookie consent must be:
- Informed – the website publisher must clearly inform visitors about any cookies placed, their purpose, ;
- Unambiguous – consent must be the result of a clear affirmative act. Continuing to navigate a website is not considered an unambiguous indication of the user’s wish to consent;
- Freely given – website users should not suffer negative consequences if they refuse to consent; and
- Specific – users can only consent to a well-defined data processing activity, which means that they should have the possibility to consent to the use of certain types of cookies only.
The GBA found that in the case of the news media company not all elements of valid consent were present. In particular, the GBA took issue with the fact that:
- Approximately sixty different types of cookies (which were not strictly necessary) were placed on website users’ devices, prior to obtaining consent;
- The company was negligent in providing (sufficient) information about its use of cookies to website users;
- The boxes for obtaining cookie consent were already pre-checked; and
- The company did not provide users with the possibility to withdraw their consent as easily as it had been given.
The GBA also pointed out that “statistical” cookies (which, among other things, are used for purposes of verifying how many people visit a website) can in principle not be considered as “strictly necessary”, and their use is therefore also subject to prior consent.
The GBA therefore decided to impose a fine of EUR 50,000, which the company may appeal.
The case is the result of an intensive investigation by the GBA into the use of cookies on the most popular websites of news media in Belgium, which started in 2019 and in which the GBA ended up examining 20 different websites. The GBA is currently considering whether to initiate enforcement action against other news media companies whose cookie use was also investigated.
It is interesting that in its press release the GBA emphasizes that it would like to continue to enforce compliance in a more proactive manner – rather than reacting to complaints – by launching sectoral and thematic investigations. However, in order to be able to do that, the Belgian Parliament would have to ensure that the GBA is provided with “sufficient resources and staff”.
The statement echoes the concerns that the GBA voiced last March in its opinion on a preliminary draft law amending the Act of December 3rd, 2017 that establishes the GBA. The GBA is concerned that the draft law may jeopardize both the efficient functioning and independence of the GBA, and that it fails to address the GBA’s need for additional resources. The GDPR requires that every Supervisory Authority must have the necessary resources to perform its tasks. However, the GBA claims that its requests for additional human and financial resources, substantiated by the Belgian Court of Audit and an external study, have so far been largely ignored by the Belgian Parliament. According to the GBA, it currently has only 45.9 case handlers (FTEs) to carry out the 21 different tasks assigned by the GDPR, and the gap with its European counterparts (i.e., Supervisory Authorities in other EU Member States) is widening.
It is hoped that the Belgian government will take the GBA’s concerns into account and avoid exposing the Supervisory Authority to structural problems that could undermine its ability to perform its tasks, including initiating compliance investigations and infringement procedures.