By Frederik Ringoot and Gilles Hachez
The Belgian Data Protection Authority (DPA) fined a company 1% of its annual turnover for failing to comply with the cookie rules, despite the corrective actions the company had taken. The DPA confirmed that, by issuing this sanction, it wanted to set an example and warn all companies that cookie compliance is a “must have”.
The decision of the DPA is noteworthy for a number of reasons:
- The DPA started this procedure on its own initiative, not on the basis of a complaint from a data subject.
- The company was fined despite cooperating with the DPA and resolving most issues.
- Consent per individual cookie is not required: consent per type of cookie suffices, although offering a consent choice per individual cookie is recommended.
- The DPA states it should be as easy to withdraw consent as to give consent. In this regard, some practical questions arise:
- It is unclear whether cookie statements or policies that refer visitors to their browser settings as the way to refuse or withdraw consent to the placement of cookies meet this “ease” requirement.
- It is unclear whether the “further browsing” principle (“by continuing to browse this website, you consent”-style banners) is still considered a valid consent mechanism by the DPA.
- The criteria the DPA used to calculate the fine are not yet clear.
- For instance, the DPA did not specify whether the fact that it found several infringements played a role in calculating the fine, nor to what extent the company’s cooperation or the scale of its data processing activities affected the calculation.
- It therefore remains difficult to know whether the DPA follows a concrete formula or methodology when calculating such fines, or whether it sets them on a case-by-case basis.
A few tips for starting off the new year
The following points are worth paying particular attention to:
- Be proactive: don’t wait for an investigation by the DPA
- once the DPA starts an investigation, it rarely lets go. In this case, it issued a fine despite the company’s corrective measures and cooperation
- Use adequate and accurate policies, notices and banners. These should be:
- Clearly written
- In the appropriate language (tailored to the audience of your website)
- Accurate and reflecting what actually happens on the website
- With reference to the correct applicable law and supervisory authority
- Tailored to your activities, not a standard template found on the internet
- Detailing all necessary information (incl. all necessary information related to cookies as listed in the Planet 49 CJEU decision)
- Easily accessible
- Use an adequate consent mechanism (especially for cookies)
- Pre-checked boxes (opt-out) are not allowed
- A granular consent mechanism is recommended: per type of cookie at a minimum, and ideally per individual cookie
- Consent withdrawal should be as easy as giving consent, and website visitors should be informed about this procedure for withdrawal of consent beforehand
- Know your website and data processing activities
- Data controllers should know which data are being processed, which cookies are placed on the website, etc. (which can be difficult to track for third-party cookies)
- Software can be useful, but should not be relied on exclusively to map the cookies placed on a website
For any further information, please contact the authors or any other DLA Piper data protection lawyer.