On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month.  Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative.

In a 43-page decision, the SA explained that the company in question was fined because:

  • It provided insufficient information about the cookies deployed on the website (e.g., the list of cookies used, their purpose, the identity of third parties concerned, and the lifespan of the cookies) and did not properly identify the controller.  Moreover, the cookie policy was only available in English, whereas the website targeted Dutch and French-speaking readers;
  • The website did not obtain opt-in consent for certain types of cookies used, including first-party analytics cookies.  Although the SA acknowledged the legal uncertainty surrounding this issue, in particular with the pending ePrivacy Regulation still in draft form, it nevertheless decided to apply the rules in the strictest possible way in this case;
  • Although an improved version of the website did seek consent, the consent obtained was not sufficiently granular. According to the SA, users should be able to consent to different categories of cookies used for different non-essential purposes.  While consent on a per-cookie level is not required, the SA said it would welcome such a development; and
  • There was no easy way for users to withdraw consent.

In press reports, the SA confirmed that its intent in this enforcement action was to set an example, pointing to the exemplary role that a legal information website should play and recognizing that most websites are unlikely to be complying with the rules as enforced by the SA in this case.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.