By Patrick van Eecke and Mathieu Le Boudec
In accordance with the opt-in rule, introduced by the revised ePrivacy Directive in 2009 and transposed into Belgian law by an amendment of the Act on Electronic Communications in 2012, cookies (and similar technologies) can only be stored and accessed on a user’s device after having obtained the informed consent of this user.
However, in two cases cookies are exempted from this informed consent requirement:
- when the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- when they are strictly necessary in order to provide the user with a service s/he has explicitly requested.
These rules have not always been easy to implement in practice and therefore this recent recommendation may provide useful guidance to website owners and other stakeholders.
Below, some key points of the recommendation relating to (1) the information obligation, (2) the consent requirement and (3) the exemptions are summarized.
1. Information obligation
The information should cover the following elements:
- the purposes for which the different types of cookies are stored or accessed;
- the categories of saved information;
- the storage terms;
- how to erase the information;
- means to object to the processing;
- the communications, if any, to third parties.
2. Obtaining consent
The Privacy Commission calls for a granular approach, giving users the possibility to accept all or only certain types of cookies. Moreover, users should be able to change their choices at all times.
Consent can be given through an affirmative action of the user (e.g. clicking or checking a box) from which the consent can be inferred unambiguously.
It is explicitly stated that “further browsing” can qualify as valid consent provided that:
- the notice states explicitly that further browsing on the website can be construed as consent;
- the notice remains visible as long as the user has not continued browsing the website.
However, a lack of action cannot be interpreted as valid consent.
Once consent has been obtained, it is not required to ask the user’s consent again for the storing of a cookie with the same purpose and originating from the same provider. However, the validity of the consent should be limited in time, especially when the consent was obtained implicitly or relates to tracking cookies.
The Privacy Commission advises against the use of pop-ups due to their obtrusive nature and provides several examples of means to validly obtain consent from visitors, such as banners (provided an affirmative action of the visitor is required in order to proceed with his/her visit of the website) and tick boxes.
3. Exemptions
The recommendation also sheds some light on the exemptions by illustrating the two categories with examples and by giving examples of non-exempted cookies. Unless stated otherwise, all these examples relate to session cookies.
Examples of cookies exempted according to the first criterion (i.e. cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network) are:
- cookies used to detect the origin of the users and how they visit a website, provided they are analyzed anonymously. However, it should be noted that the Privacy Commission explicitly states that first party analytic cookies do not fall within the scope of this exemption;
- load balancing session cookies provided they are only analyzed anonymously.
The following cookies are exempted according to the second criterion (i.e. strictly necessary cookies for providing a service the user has explicitly requested):
- user input cookies;
- authentication cookies that are necessary for authenticated services;
- user centric security cookies, e.g. the data necessary for securing a service the user has explicitly requested;
- multimedia content player cookies;
- user interface customization cookies, for the duration of a session (or slightly more if additional information is provided).
Finally, the Privacy Commission explicitly states that no exemption exists for the following types of cookies:
- tracking cookies of social network plug-ins;
- advertising cookies.
It is important to note that, apart from the abovementioned cookie rules, the general rules of the Privacy Act (e.g. regarding the purpose limitation principle, the transfer of personal data to third countries, the data subject’s rights, etc.) will generally also apply, given that most cookies constitute personal data.
For more information, please contact Patrick.VanEecke@dlapiper.com or Mathieu.LeBoudec@dlapiper.com.