On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month.  Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative.

In a 43-page decision, the SA explained that the company in question was fined because:

  • It provided insufficient information about the cookies deployed on the website (e.g., the list of cookies used, their purpose, the identity of third parties concerned, and the lifespan of the cookies) and did not properly identify the controller.  Moreover, the cookie policy was only available in English, whereas the website targeted Dutch and French-speaking readers;
  • The website did not obtain opt-in consent for certain types of cookies used, including first-party analytics cookies.  Although the SA acknowledged the legal uncertainty surrounding this issue, in particular with the pending ePrivacy Regulation still in draft form, it nevertheless decided to apply the rules in the strictest possible way in this case;
  • Although an improved version of the website did seek consent, the consent obtained was not sufficiently granular. According to the SA, users should be able to consent to different categories of cookies used for different non-essential purposes.  While consent on a per-cookie level is not required, the SA said it would welcome such a development; and
  • There was no easy way for users to withdraw consent.

In press reports, the SA confirmed that its intent in this enforcement action was to set an example, pointing to the exemplary role that a legal information website should play and recognizing that most websites are unlikely to be complying with the rules as enforced by the SA in this case.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.