The first GDPR fine for cookie non-compliance has been issued in Belgium, where the regulator also sent a warning to the market.
The article below was initially published on DLA Piper Privacy Matters by my colleagues Patrick Van Eecke, Frederik Ringoot, and Gilles Hachez.
The Belgian Data Protection Authority issued a fine of 1% of the annual turnover of the company for not acting in compliance with the cookie rules, despite the corrective actions undertaken by the company. The DPA confirmed that by issuing this sanction, it wanted to set an example, warning all companies that cookie compliance is a “must-have”.
The main points on the GDPR fine on cookies in Belgium
The decision of the DPA is noteworthy for several reasons:
- The DPA started this procedure on its own initiative, and not based on a complaint from a data subject;
- The company was fined despite cooperating with the DPA and resolving most issues;
- According to the Belgian data protection authority, a consent per individual cookie is not required. A consent per type of cookie suffices, but a consent choice per individual cookie is recommended;
- The DPA states it should be as easy to withdraw consent as to give consent. In this regard, it is unclear:
  - if cookie statements/policies that refer a visitor to their browser settings as a means of refusing or withdrawing consent to the placement of cookies fulfill such “easiness-requirement”; and
  - whether the “further browsing” principle (“by further browsing on this website, you provide your consent”-banners) is still considered a valid consent mechanism by the DPA;
- The criteria used by the DPA for calculating the fine have not yet been spelled out. For instance, it did not specify whether the fact that it found several infringements played a role in calculating the fine, nor to what extent the cooperation of the company or the scope of data processing activities impacted this calculation. The mechanisms and drivers behind the calculation of the fine remain unclear, and it is difficult to know whether the DPA follows a concrete formula or methodology when calculating such a fine, or whether it determines fines somewhat arbitrarily, on a case-by-case basis.
My takeaways on the Belgian decision regarding cookies
There is no doubt that cookies are becoming a hot topic, and the focus on their compliance is expected to increase with the ePrivacy Regulation.
The recent decision of the European Court of Justice in the Planet49 case called for an approach to cookies that is even stricter than the one previously validated by some data protection authorities before the GDPR effective date. The CNIL has also just launched a consultation on cookies, and the risk of inconsistent approaches between EU jurisdictions is high.
In the current situation, a prudent approach to cookies is recommended, but it might have adverse effects on marketing activities.