With around 98% of Luxembourgers using the internet, the national legislature has taken strict measures to protect user privacy. This blog walks you through the Luxembourg cookie consent requirements and assists your business in achieving compliance. 

What is the cookie law of Luxembourg?

Luxembourg has transposed GDPR principles and the e-privacy directive into their national laws through the law of 2018  and the law of 2015

Moreover, the Luxembourg Data Protection Authority(CNPD) has issued a cookie guide to help businesses better understand the regulations. These guidelines require explicit user consent for deploying non-essential cookies on devices.

What is the scope of the Luxembourg cookie guidelines?

The CNPD cookie guidelines apply to all websites or online services that install cookies or tracking technologies on user devices and collect information from Luxembourgers.

What are the Luxembourg cookie consent requirements?

Luxembourg has strict laws regulating cookie use. Both European and national laws require consent and transparency when deploying cookies on user devices. 

Do all cookies require consent?

Prior consent is necessary only for non-essential cookies. So, what are essential cookies? Let’s find out.

The cookies used for the following purposes are essential under the law and, therefore, can be deployed without user consent.

  • Solely for the transmission of a communication over an electronic communications network;
  • Strictly necessary to provide an information society service requested by the user.

Cookies used for the following purposes are deemed essential:

  • Storing user preferences/service personalization such as language and display.
  • Storing user’s consent preference.
  • Solely for user authentication.
  • To save shopping cart content.
  • Security purposes include fraud prevention, detecting multiple authentications, and exclusive use by site operators.

Essential cookies are not a free ticket to not respect user privacy. You would still have to provide information regarding using essential cookies through a cookie banner.  Additionally, if you collect personal data from users, provide GDPR-aligned information in your privacy policy/cookie policy.

The Luxembourg cookie guidelines require online services to obtain explicit user consent before deploying non-essential cookies on user devices. 

Examples of non-essential cookies include those used for:

  • Advertising purposes
  • Social media integration
  • Analytic purposes
  • Tracking user behavior
  • Profiling
  • Geolocation

Consent is necessary for deploying analytical cookies on user devices unless it is necessary to provide the requested service. The following conditions bind this exemption:

  • The collected data is not shared with third parties or cross-referenced with other processing.
  • The data is not used to track a user’s online activity.
  • The controller uses the collected data only for his use and to create anonymous statistics.

What are the Luxembourg DPA’s guidelines on cookie consent?

The CNPD insists on following these guidelines while using non-essential cookies:

  • Consent must be obtained through clear affirmative action. 
  • Do not use pre-checked boxes to obtain consent.
  • Implied consent through continued scrolling the website or other inaction is unacceptable.
  • Avoid the use of cookie walls.
  • Do not use dark patterns or deceptive designs to favor the acceptance of cookies.
  • Rejecting cookies must be as easy as accepting them.
  • Consent must be obtained after providing information to the users.
  • There should be a free choice, whether to accept or reject without coercion, deception or negative consequences.
  • Obtain specific consent for each purpose (granular consent).
  • Provide convenient consent withdrawal mechanisms.
  • Consent, once given, must be renewed after a reasonable period (12 months).
  • Maintain consent records to demonstrate compliance.

What are the information requirements under the Luxembourg cookie guidelines?

Consent and transparency must go hand-in-hand when it comes to cookies. The CNPD provides a two-layer information practice for businesses to follow.

First layer 

The first layer is where the user decides whether to accept or reject non-essential cookies. It is usually provided through a cookie banner or cookie pop-up. You do not need to stuff a lot of information here.

The Luxembourg cookie guide requires that the following information be provided:

  • What cookies are used?
  • What are the purposes for which they are used?
  • The identity of the controller deploying cookies
  • How to accept or reject cookies?
  • The right to withdraw consent and how to exercise them
  • The consequences of rejecting the cookies
  • A link to the second level of information

Second layer 

This is commonly referred to as cookie policy and is detailed. Sometimes, the information is provided within the privacy policy as a separate section.

The second layer of information must contain the following:

  • Information about the cookies used and a detailed description of their specific purposes.
  • List of all the entities who have control over the data.
  • Categories of data collected by the cookies.
  • Recipients of the collected data.
  • Cookie duration and the retention period of collected data.
  • Any potential international transfer, if applicable.
  • The existence of automated decision-making, if applicable.

Checklist for Luxembourg cookie consent requirements

  • Obtain explicit user consent for non-essential cookies.
  • Provide clear information to users.
  • Obtain consent through affirmative action.
  • Offer convenient consent withdrawal mechanisms. 
  • Pre-checked boxes or continued scrolling must not be considered consent.
  • Do not use cookie walls or dark patterns.
  • Obtain specific consent for each purpose.
  • Keep consent records to demonstrate compliance.
  • Users must be able to exercise their free choice to accept or reject cookies.
  • Do not implement any techniques to favor the accept button.

How can CookieYes help you achieve compliance?

The DPA recommends in its guide that the best way to ensure cookie compliance is to use a consent management platform like CookieYes.

Why CookieYes is the best solution?

  • Customizable consent banner with clear Accept/Reject buttons
  • Granular consent control
  • Convenient consent withdrawal
  • Consent logs for compliance
  • Language customization
  • Scan sites to detect and block third-party cookies until consent is given
  • Google-certified CMP and IAB TCF v2.2 compliant
  • Creates cookie policy 

FAQ on Luxembourg cookie consent requirements

What are cookies?

Cookies are small files placed on devices connected to the internet, such as smartphones or computers, to collect and store information about the user. They perform various functions, such as saving user preferences and serving functional purposes. Additionally, they are used for advertising, analytical purposes, and more.

Do you need consent for cookies?

Consent is mandatory for deploying non-essential cookies, such as those used for tracking, profiling, and advertising on user devices.

What is CNPD?

CNPD is the Data Protection Authority of the Grand Duchy of Luxembourg and ensures the country’s personal data protection.