Cookie Consent Requirements in Luxembourg 

With around 98% of Luxembourgers using the internet, the national legislature has taken strict measures to protect user privacy. This blog walks you through the Luxembourg cookie consent requirements and assists your business in achieving compliance. 

Luxembourg has transposed GDPR principles and the e-privacy directive into their national laws through the law of 2018  and the law of 2015. 

Moreover, the Luxembourg Data Protection Authority(CNPD) has issued a cookie guide to help businesses better understand the regulations. These guidelines require explicit user consent for deploying non-essential cookies on devices.

The CNPD cookie guidelines apply to all websites or online services that install cookies or tracking technologies on user devices and collect information from Luxembourgers.

Luxembourg has strict laws regulating cookie use. Both European and national laws require consent and transparency when deploying cookies on user devices. 

Do all cookies require consent?

Prior consent is necessary only for non-essential cookies. So, what are essential cookies? Let’s find out.

The cookies used for the following purposes are essential under the law and, therefore, can be deployed without user consent.

• Solely for the transmission of a communication over an electronic communications network;
• Strictly necessary to provide an information society service requested by the user.

Essential cookies are not a free ticket to not respect user privacy. You would still have to provide information regarding using essential cookies through a cookie banner.  Additionally, if you collect personal data from users, provide GDPR-aligned information in your privacy policy/cookie policy.

The Luxembourg cookie guidelines require online services to obtain explicit user consent before deploying non-essential cookies on user devices. 

Consent is necessary for deploying analytical cookies on user devices unless it is necessary to provide the requested service. The following conditions bind this exemption:

• The collected data is not shared with third parties or cross-referenced with other processing.
• The data is not used to track a user’s online activity.
• The controller uses the collected data only for his use and to create anonymous statistics.

What are the Luxembourg DPA’s guidelines on cookie consent?

The CNPD insists on following these guidelines while using non-essential cookies:

• Consent must be obtained through clear affirmative action. 
• Do not use pre-checked boxes to obtain consent.
• Implied consent through continued scrolling the website or other inaction is unacceptable.
• Avoid the use of cookie walls.
• Do not use dark patterns or deceptive designs to favor the acceptance of cookies.
• Rejecting cookies must be as easy as accepting them.
• Consent must be obtained after providing information to the users.
• There should be a free choice, whether to accept or reject without coercion, deception or negative consequences.
• Obtain specific consent for each purpose (granular consent).
• Provide convenient consent withdrawal mechanisms.
• Consent, once given, must be renewed after a reasonable period (12 months).
• Maintain consent records to demonstrate compliance.

Consent and transparency must go hand-in-hand when it comes to cookies. The CNPD provides a two-layer information practice for businesses to follow.

First layer 

The first layer is where the user decides whether to accept or reject non-essential cookies. It is usually provided through a cookie banner or cookie pop-up. You do not need to stuff a lot of information here.

The Luxembourg cookie guide requires that the following information be provided:

• What cookies are used?
• What are the purposes for which they are used?
• The identity of the controller deploying cookies
• How to accept or reject cookies?
• The right to withdraw consent and how to exercise them
• The consequences of rejecting the cookies
• A link to the second level of information

Second layer 

This is commonly referred to as cookie policy and is detailed. Sometimes, the information is provided within the privacy policy as a separate section.

The second layer of information must contain the following:

• Information about the cookies used and a detailed description of their specific purposes.
• List of all the entities who have control over the data.
• Categories of data collected by the cookies.
• Recipients of the collected data.
• Cookie duration and the retention period of collected data.
• Any potential international transfer, if applicable.
• The existence of automated decision-making, if applicable.

• Obtain explicit user consent for non-essential cookies.
• Provide clear information to users.
• Obtain consent through affirmative action.
• Offer convenient consent withdrawal mechanisms. 
• Pre-checked boxes or continued scrolling must not be considered consent.
• Do not use cookie walls or dark patterns.
• Obtain specific consent for each purpose.
• Keep consent records to demonstrate compliance.
• Users must be able to exercise their free choice to accept or reject cookies.
• Do not implement any techniques to favor the accept button.

The DPA recommends in its guide that the best way to ensure cookie compliance is to use a consent management platform like CookieYes.