Key takeaways from the Belgian DPA’s guidance and the FAQs include:
- identification of the (types of) cookies used;
- their purposes and duration;
- whether third parties have access to such cookies;
- information about how to delete cookies;
- information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority; and
- information about any automated decision making, including profiling.
- Consent should be obtained for the use of all non-essential cookies. Cookies that are necessary to transmit a communication over an electronic communications network, or to provide an information society service explicitly requested by the subscriber or user, do not require consent. According to the Belgian DPA, audience-measuring cookies are not exempt from the consent requirement under the current legal framework. The Belgian DPA also confirms in its guidance that consent is required for the use of social media plug-ins on a site or mobile app.
- Users must have the option to provide granular consent. In this respect, the Belgian DPA notes that in a first phase, consent can be provided per type of cookie. In a second phase, users should be able to express their consent per cookie (i.e., individually).
- Companies must be able to demonstrate that consent was collected, e.g., by using logs.
- Consent must be unambiguous and provided through a clear affirmative action. Merely continuing to browse a site or mobile app, or scrolling down a page of a site or mobile app, can no longer be considered valid consent. Similarly, consent cannot be deduced from the user’s browser settings.
- Consent should be easy to withdraw at any time.
- Cookie Lifespan: The lifespan of a cookie must be limited to what is necessary to achieve the cookie’s purpose, and cookies should not have an unlimited lifespan. Where it is not possible to delete the cookie and related data within a reasonable time (e.g., because it is not technically possible), it should be clearly explained to users how they can delete those cookies themselves (such as via their browser settings). According to the Belgian DPA, cookies that are exempt from consent (i.e., necessary and functional cookies) must be deleted once the purpose for which they are used is achieved. Typically, this means that those cookies should be deleted at the end of the user’s session. If that is not the case, the data controller should determine the cookie’s lifespan taking into account users’ reasonable expectations (e.g., users who place items in their shopping basket and accidentally close their session would typically expect those items to still be in their basket a few minutes after closing the session). Users can also specifically ask that some of their information be remembered from one session to the next, which requires the use of persistent cookies.
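The consent, logging and lifespan points above translate into a few concrete server-side decisions: which banner interactions count as consent, which cookies may be set without it, how the decision is evidenced, and what lifetime each cookie is given. The following is an added example that is not code from the original page or from the Belgian DPA. The cookie catalogue, category names, lifetimes, the 13-month lifetime cap, the banner action names and the user identifier are all constructed for illustration.

```javascript
// Added example, not from the original page or the Belgian DPA.
// Cookie names, categories, lifetimes, banner action names and the
// lifetime cap are constructed for illustration.

// Inventory of cookies: purpose, category, lifespan and third-party access
// (the information a site is expected to disclose to its users).
const COOKIE_CATALOGUE = [
  { name: 'sid',    category: 'necessary',  purpose: 'login session',           maxAgeSeconds: null,            thirdParty: false },
  { name: 'basket', category: 'necessary',  purpose: 'shopping basket',         maxAgeSeconds: 30 * 60,         thirdParty: false },
  { name: 'lang',   category: 'functional', purpose: 'language chosen by user', maxAgeSeconds: 180 * 24 * 3600, thirdParty: false },
  { name: '_stats', category: 'analytics',  purpose: 'audience measurement',    maxAgeSeconds: 395 * 24 * 3600, thirdParty: true },
  { name: 'social', category: 'social',     purpose: 'social media plug-in',    maxAgeSeconds: 90 * 24 * 3600,  thirdParty: true },
];

// Categories that may be set without consent (necessary and functional, per the guidance).
const EXEMPT_CATEGORIES = new Set(['necessary', 'functional']);

// Only these banner interactions count as a clear affirmative action.
// 'scroll', 'continue_browsing' and 'browser_default' are deliberately absent.
const AFFIRMATIVE_ACTIONS = new Set(['accept_all', 'save_choices']);

// Constructed upper bound on any cookie lifetime so nothing is open-ended.
const MAX_LIFETIME_SECONDS = 13 * 30 * 24 * 3600;

// Record a consent decision. Returns the stored entry, or null when the event
// is not an affirmative action (nothing is logged as consent in that case).
function recordConsent(log, { userId, action, categories, bannerVersion, at }) {
  if (!AFFIRMATIVE_ACTIONS.has(action)) return null;
  const granted = action === 'accept_all'
    ? [...new Set(COOKIE_CATALOGUE.map(c => c.category))]
    : categories.filter(cat => COOKIE_CATALOGUE.some(c => c.category === cat));
  const entry = { userId, action, granted, bannerVersion, at, withdrawn: false };
  log.push(entry); // the log is the evidence that consent was collected
  return entry;
}

// Withdrawal is a single call and is logged like any other decision.
function withdrawConsent(log, userId, at) {
  const entry = { userId, action: 'withdraw', granted: [], bannerVersion: null, at, withdrawn: true };
  log.push(entry);
  return entry;
}

// Latest decision for the user, or null when none exists.
function currentConsent(log, userId) {
  const mine = log.filter(e => e.userId === userId);
  return mine.length ? mine[mine.length - 1] : null;
}

// Cookies that may be set for this user: exempt ones always, others only with consent.
function allowedCookies(log, userId) {
  const consent = currentConsent(log, userId);
  const granted = new Set(consent && !consent.withdrawn ? consent.granted : []);
  return COOKIE_CATALOGUE.filter(c => EXEMPT_CATEGORIES.has(c.category) || granted.has(c.category));
}

// Build a Set-Cookie header value. A session cookie carries no Max-Age and is
// discarded when the browser closes; a persistent one gets a capped Max-Age.
function buildSetCookie(def, value) {
  const parts = [`${def.name}=${value}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (def.maxAgeSeconds !== null) {
    parts.push(`Max-Age=${Math.min(def.maxAgeSeconds, MAX_LIFETIME_SECONDS)}`);
  }
  return parts.join('; ');
}

// Headers that delete cookies no longer allowed (Max-Age=0 tells the browser to drop them).
function expireHeaders(log, userId) {
  const allowed = new Set(allowedCookies(log, userId).map(c => c.name));
  return COOKIE_CATALOGUE.filter(c => !allowed.has(c.name))
    .map(c => `${c.name}=; Path=/; Max-Age=0`);
}

// Walk-through with a constructed pseudonymous user id.
function demo() {
  const log = [];
  recordConsent(log, { userId: 'u1', action: 'scroll', at: '2024-01-01T10:00:00Z' }); // ignored: not consent
  const before = allowedCookies(log, 'u1').map(c => c.name);
  recordConsent(log, { userId: 'u1', action: 'save_choices', categories: ['analytics'],
                       bannerVersion: 'v3', at: '2024-01-01T10:01:00Z' });
  const after = allowedCookies(log, 'u1').map(c => c.name);   // analytics added, social still blocked
  withdrawConsent(log, 'u1', '2024-02-01T09:00:00Z');
  const expired = expireHeaders(log, 'u1');                   // non-exempt cookies are expired
  return { before, after, expired, log };
}
```

Running `demo()` shows the three states the guidance cares about: before any affirmative action only the exempt cookies are settable (the scroll event is not logged as consent), after a granular "save choices" the analytics cookie joins them while the social plug-in cookie stays blocked, and after withdrawal the non-exempt cookies are sent back with `Max-Age=0`. The log array is what would be kept to demonstrate that consent was collected.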