On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month. Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative.
In a 43-page decision, the SA explained that the company in question was fined because:
- It provided insufficient information about the cookies deployed on the website (e.g., the list of cookies used, their purpose, the identity of third parties concerned, and the lifespan of the cookies) and did not properly identify the controller. Moreover, the cookie policy was only available in English, whereas the website targeted Dutch and French-speaking readers;
- The website did not obtain opt-in consent for certain types of cookies used, including first-party analytics cookies. Although the SA acknowledged the legal uncertainty surrounding this issue, in particular with the pending ePrivacy Regulation still in draft form, it nevertheless decided to apply the rules in the strictest possible way in this case;
- Although an improved version of the website did seek consent, the consent obtained was not sufficiently granular. According to the SA, users should be able to consent to different categories of cookies used for different non-essential purposes. While consent on a per-cookie level is not required, the SA said it would welcome such a development; and
- There was no easy way for users to withdraw consent.
In press reports, the SA confirmed that its intent in this enforcement action was to set an example, pointing to the exemplary role that a legal information website should play and recognizing that most websites are unlikely to be complying with the rules as enforced by the SA in this case.