Forget fortune cookies; let’s talk about the cookies that live on your computers. These small files are double-edged swords, offering a range of benefits for both users and websites but raising privacy concerns. However, Belgium takes privacy concerns seriously, and that includes how businesses handle user data through cookies. This guide walks you through the Belgian cookie consent requirements and compliance strategies.

What is the cookie law in Belgium?

Belgium has integrated the GDPR and e-privacy directive into its national legislation through a few laws. The Data Privacy Act of 2018 implements GDPR principles, and the Electronic Communications Act of 2015 implements the e-privacy law. 

Furthermore, The Belgium Data Protection Authority (BDPA) has issued guidelines for using cookies to help businesses acquaint themselves with the law. These guidelines emphasize the need for transparency and consent to deploy cookies on user devices

What is the scope of the Belgian cookie guidelines?

The Belgian cookie guidelines apply to all websites and other online services that use cookies or similar tracking technologies and collect information from Belgian users.

What are the Belgian cookie consent requirements?

The Belgium DPA published a cookie checklist on October 20, 2023, to assist businesses in understanding Belgium’s cookie consent requirements. These requirements align with the guidelines issued by the European Data Protection Board.

According to these guidelines, user consent is necessary for deploying cookies on user devices. However, the law also carves out an exemption for essential cookies:

  • Technically necessary cookies, such as those used for load balancing;
  • Strictly necessary functional cookies such as for saving language preference, consent choice, or shopping cart.

Additionally, the BDPA insists on strict cookie categorization to avoid malpractice. It also requires websites to avoid using a single cookie for multiple purposes.

To understand better, let us take a closer look at the consent requirements as prescribed by the BDPA:

  • Obtain free, specific, informed, and unambiguous consent before deploying non-essential cookies such as those for tracking on user devices.
  • Do not use cookie walls.
  • Do not provide an “Accept all cookies” button without a “Reject all non-essential cookies” button in the same layer.
  • Do not use deceptive designs that favour the acceptance of cookies.
  • The users must be able to give consent for specific purposes separately(granular consent).
  • Continuing to scroll the website, closing the cookie consent message/banner or any other form of inactivity should not be considered user consent.
  • Do not use pre-checked boxes to obtain consent.
  • Cookie consent should not be deemed consent to any other legal documents, such as privacy policies or general terms.
  • Preset browser settings cannot be considered valid consent.
  • Implement a convenient consent withdrawal mechanism.

Cookie categorization requirements

The guidelines insist on categorizing cookies carefully, based on their specific purposes. Cookies used for the controller’s own advertising/profiling and for third-party advertising shall be considered for different purposes, and consent be obtained separately.

Similarly, cookies used to share, like, or follow on social networks must be categorized differently from those used for personalized advertising.

Cookie retention requirements 

Cookies cannot be stored on browsers indefinitely. Therefore, limit the retention of cookies to the time required to fulfil the disclosed purpose.

The essential cookies used for storing user’s cookie preferences shall not be kept for more than a limited period, preferably 6 months. In other words, cookie consent is only valid for up to 6 months. 

Furthermore, the guidelines also require the retention of numbered cookie policy versions with their dates. Also, keep records of the adaptations made to cookie banners to demonstrate how they have evolved over time.

What are the information requirements under the Belgian cookie guidelines?

The cookie guide issued by the Belgium DPA also highlights the information practices that entities must observe while using cookies.

  • Provide in the first layer, the following information, along with the information about each purpose for which the business seeks user consent:
    • Identity of the controller who deploys cookies on user devices and the number of partners hyperlinked to the full list, if applicable.
    • The method by which cookies can be accepted or rejected by the user.
    • The consequences of rejecting cookies.
    • Information on the right and methods to withdraw consent.
  • In another layer, provide detailed information on all cookies used, including categories, purposes, retention periods, and who has access to the collected information.

Checklist for Belgian cookie consent compliance

  • User consent is necessary for deploying non-essential cookies on user devices.
  • Strict categorization of cookies is required to obtain separate consent for different purposes.
  • Cookie consent must be obtained freely, specifically, and unambiguously after providing the required information.
  • Avoid using cookie walls, deceptive designs, or pre-checked boxes to obtain consent.
  • Cookie consent should not be bundled with other legal documents.
  • Implement a convenient consent withdrawal mechanism.
  • Limit the retention period of essential cookies used for remembering consent preferences.
  • Provide clear and detailed information about the cookies used and the methods to accept or reject them.
  • Do not infer consent from browser pre-settings.
  • Provide information to users on using cookies, their right to withdraw, etc.

How can CookieYes help achieve Belgian cookie compliance?

Businesses operating in Belgium or serving Belgian residents, as well as those monitoring their behaviour, are advised to establish a robust consent management system. One effective solution is to implement a cookie consent management platform such as CookieYes.

Why CookieYes is the best solution?

  • Customizable consent banner with clear Accept/Reject buttons
  • Option to add close button
  • Granular consent options
  • Convenient consent withdrawal
  • Consent logs for compliance
  • Language customization
  • Scan sites to detect and block third-party cookies until consent is given
  • Google-certified CMP and IAB TCF v2.2 compliant
  • Creates cookie policy   

FAQ on Belgian cookie consent requirements

What are cookies?

Cookies are small files placed on devices connected to the internet, such as smartphones or computers, to collect and store information about the user. They perform various functions, such as saving user preferences and serving functional purposes. Additionally, they are used for advertising, analytical purposes, and more.

Do I need to publish a cookie policy?

Yes. If you deploy or read cookies, you must publish a cookie policy on your website or online services. It must contain the identity of the controller, cookie categories and their purposes, cookie retention period, how they can delete cookies from their devices, etc. 

What is the EU rule on cookies?

The EU cookie law requires websites to obtain explicit consent from users before deploying non-essential cookies or similar technologies on a user’s device.

How do you prove cookie consent?

Cookie consent can be proved by demonstrating that you have obtained valid consent from users before deploying cookies on their devices and collecting information. This can be easily achieved using the consent log feature of CookieYes.