These days we’re launching version 2 of our cookie law solution for our international users (English, French, Spanish, Portuguese, German, Russian, soon Dutch). Our Italian version has been in beta since early May this year. For this reason you are going to read more and more about cookies on this blog as well.
In Italy, the cookie law has been getting real since the 2nd of June this year. Belgium has also released its guidance on cookie rules this year, and that is what we’re going to write about here. You can find the whole document in Dutch/French on the site of the Belgian data commissioner. The document is 75 pages long and covers the most important things you need to know when handling cookies and Belgian users.
The document is quite interesting and includes recommendations for each category of people involved, such as the advertiser, the website admin, the host of the website, and the visitor or user. Here’s an overview of the most important details:
About the information obligation in Belgium
Inform users about your use of cookies when they come to your website. A common and effective solution is a banner in the header of the page. Below are some details as provided by the Belgian privacy authority:
- Users must be provided with a clear, comprehensible and visible notice about the use of cookies by the website. This banner (whatever kind of banner or notice you choose) must then provide a link to a more detailed actual cookie policy. In the words of the “recommandation”:
(…) must provide a clear, comprehensible and visible notice concerning the use of cookies.
- The cookie policy should be accessible from and referenced on every page of a website.
(…) include the complete information on the cookie usage policy in a dedicated section of its site, accessible from every page and visibly referenced
- The information should cover the following elements:
  - the purposes for which the different types of cookies are stored or accessed (“les finalités des inscriptions et/ou des accès pour chaque type de cookie ou catégorie de finalités de ces cookies”);
  - the categories of information stored (“les catégories d’informations stockées”);
  - how long the information is retained (“les durées de conservation des informations”);
  - ways to erase the information (“les modalités pour l’effacement des informations”);
  - means to object to the processing (“les moyens de s’opposer au traitement”);
  - any communications to third parties, and what kind of information is being shared with them (“les éventuelles communications à des tiers et les informations qui leur sont communiquées”).
About obtaining consent for cookies in Belgium
The Belgian Commission for the protection of privacy suggests a granular approach, giving users the possibility to accept all or only a certain type of cookies. What’s more, users should be able to change their choices at all times.
The user should have the opportunity to choose freely between the option of accepting some or all cookies or refusing all or some cookies, and to retain the possibility of changing the cookie settings later
Consent can be given 1) through an affirmative action of the user (e.g. clicking or checking a box), or 2) through further browsing, and therefore implied consent.
Regarding the affirmative action (“clicking, checking a box”)
The privacy authority is explicit about affirmative action with “clicking or checking a box”. They go on to say that other active behaviour may also be valid consent if the user can conclude without a doubt that he is consenting:
This choice will be made either by a positive action of the user (e.g. clicking, ticking a box) or by any other active behaviour from which a data controller can conclude without doubt that it signifies consent. Consent must be specific to the purposes of which the user is explicitly informed.
Regarding implied consent
It is explicitly stated that “further browsing” may be valid consent by the user if:
- the notice regarding the use of cookies is clearly visible on the homepage and cannot be missed (“suffisamment visible et claire sur la page d’accueil, de telle façon qu’elle ne peut pas être manquée”);
- the notice states explicitly that further browsing on the website can be construed as consent (“indiquer explicitement et de manière bien visible que la poursuite de la navigation sur le site peut être considérée comme un consentement”);
- the notice remains visible as long as the user has not continued browsing the website (“reste visible tant que l’utilisateur n’a pas poursuivi sa navigation”).
It’s easily understandable, as the authority points out, that a lack of action cannot be interpreted as valid consent.
After the consent
- When consent has been given, it’s not necessary to ask the user again if he consents to the storing of a cookie with the same purpose from the same provider;
- Consent should be limited in time; this applies even more to consent that was obtained implicitly or that relates to tracking cookies;
- Users should at all times be able to withdraw their consent. After withdrawal, the cookies and the data collected through them should be deleted from the browsers or devices by the data controller. If that’s not possible, a clear way for users to do so themselves must be highlighted.
Exemptions
Some cookies that aren’t a privacy threat can be exempt from prior consent and notification. There are two criteria for this exemption to apply:
- 1st criterion and examples (cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network)
  - cookies that detect where the user is coming from and how they browse a site, if they are anonymised.
  - performance and load balancing cookies, if they are anonymised.
- 2nd criterion and examples (strictly necessary cookies for providing a service the user has explicitly requested)
  - cookies that save certain information like user inputs;
  - cookies that handle authentication;
  - cookies that handle user security, for example the data necessary for securing a service the user has explicitly requested;
  - cookies that handle multimedia content with a technical purpose;
  - cookies that handle user interface customizations, for the duration of a session (or slightly longer if additional information is provided, for example for language settings).
For what it’s worth, the privacy authority also mentions cases that are never exempt (“Cas concrets de non-exemption”):
- tracking cookies employed by social networks
- advertising cookies
Prior consent/blocking of certain cookies
The non-exemptions above highlight one last important point. When you work with such cookies, you’ll want to make sure that elements which set cookies subject to consent, such as social network buttons and advertising banners, do not appear automatically on the homepage. This means they need to be blocked in some way beforehand.
We are working to make our solution perfectly compatible with these rules as well.