Two Legal Frameworks, One Cookie Banner

Cookie compliance sits at the intersection of two legal frameworks: the ePrivacy Directive (implemented in Belgium by Article 129 of the Electronic Communications Act) and the GDPR. The ePrivacy rules govern access to and storage of information on a user's device, including cookies, tracking pixels, local storage, and similar technologies. The GDPR governs the processing of personal data that results from or enables that access. Both frameworks must be satisfied: ePrivacy compliance does not substitute for GDPR compliance where the cookies enable personal data processing, and GDPR compliance does not satisfy the ePrivacy requirement to obtain prior consent for non-essential cookies.

The practical consequence is that the design of a cookie consent mechanism is simultaneously a legal compliance exercise under ePrivacy rules, a consent management exercise under GDPR, and an interface design decision that affects user experience and conversion rates. The tension between compliant consent and frictionless user experience is real but not intractable: regulators and courts across the EU have drawn increasingly precise lines about what is and is not acceptable, providing clearer guidance for website operators than existed in the early years of GDPR enforcement.

What Requires Consent

The ePrivacy rule is that prior, freely given, specific, informed, and unambiguous consent is required before storing information on or accessing information from a user's device, subject to one exception. The exception covers strictly necessary cookies: cookies that are strictly necessary to provide a service explicitly requested by the user. These cookies do not require consent and should not be presented to users as a consent choice, because the user's access to the service depends on them.

Everything else requires consent. Analytics cookies (whether first-party or third-party), advertising cookies, social media tracking pixels, session recording tools, A/B testing cookies, personalisation cookies, and any other technology that stores or accesses information on the user's device for any purpose beyond strict technical necessity all require valid prior consent. The category of strictly necessary is interpreted narrowly: convenience features, analytics, and security-enhancing cookies that are not strictly necessary for service delivery do not fall within the exception.

What Valid Consent Looks Like

Valid consent under the GDPR requires that it be freely given, specific, informed, and unambiguous. For cookies, the Court of Justice of the EU's Planet49 judgment (C-673/17) established that pre-ticked boxes do not constitute valid consent. The German Federal Court of Justice confirmed this for German law, and supervisory authorities across the EU have extended this to cookie consent walls, implied consent, and consent through continued use of the website. Consent must be an active, affirmative action.

The Belgian Data Protection Authority (DPA) has been active in this area, including through its investigation into the IAB Europe Transparency and Consent Framework (TCF), which resulted in a finding that the TCF as implemented did not provide a valid legal basis for the processing of personal data in the online advertising ecosystem. The DPA's enforcement in this area signals that Belgium is not a permissive jurisdiction for online tracking.

Consent must also be as easy to withdraw as to give. A consent mechanism that offers a single-click accept but requires navigation through multiple menus to withdraw consent does not meet the GDPR's standard. Cookie management interfaces must allow users to withdraw consent for individual categories or all categories in a single, accessible action.

Consent Management Platform Requirements

Consent Management Platforms (CMPs) are technical systems that implement the consent layer on websites: they present the consent interface, record consent choices, and communicate consent signals to the downstream technologies that depend on consent. Selecting and configuring a CMP that produces valid consent requires attention to the consent interface design (no dark patterns, no pre-ticked boxes, reject option as prominent as accept), the consent record (timestamp, version of privacy notice presented, consent choices made), and the technical implementation (cookies not set before consent is obtained, consent signals correctly communicated to all dependent technologies).
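The three technical requirements just listed (no non-essential cookie before consent, a consent record carrying timestamp and notice version, withdrawal as easy as acceptance) can be illustrated in code. The following is an added example written for this article, not code from any CMP vendor: a minimal consent layer in plain JavaScript. The storage backend is injected so the example runs outside a browser; in production it would be backed by a first-party cookie or localStorage. The notice version string, the category names and the 12-month re-prompt window are constructed assumptions (the 12 months mirror the common CMP configuration mentioned later on this page).

```javascript
// Added example, not the page's or any CMP's code. Demonstrates consent-gated
// loading, a consent record with timestamp and notice version, and one-call
// withdrawal per category.

const NOTICE_VERSION = '2024-06-v3';            // constructed: version of the notice shown
const CATEGORIES = ['analytics', 'advertising', 'personalisation'];
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;   // assumption: re-prompt after 12 months

function createConsentManager(store, now = () => new Date()) {
  // store: { get(): record|null, set(record): void } persisting the consent record.
  // Handlers per category: waiting (not yet allowed to run) and active (running).
  const waiting = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  const active = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  let record = store.get() || null;

  // A record only counts if it was given under the current notice and is not stale.
  function fresh(r) {
    return !!r && r.noticeVersion === NOTICE_VERSION &&
      now().getTime() - Date.parse(r.timestamp) < MAX_AGE_MS;
  }
  function isGranted(category) {
    return fresh(record) && record.choices[category] === true;
  }
  function needsPrompt() { return !fresh(record); }

  function save(choices) {
    const before = Object.fromEntries(CATEGORIES.map(c => [c, isGranted(c)]));
    record = {
      timestamp: now().toISOString(),   // when the choice was made
      noticeVersion: NOTICE_VERSION,    // which privacy notice the user saw
      choices: Object.fromEntries(CATEGORIES.map(c => [c, choices[c] === true])),
    };
    store.set(record);
    for (const c of CATEGORIES) {
      if (!before[c] && record.choices[c]) {
        // Newly granted: run queued handlers and keep them in case of withdrawal.
        for (const h of waiting[c].splice(0)) { h.onGrant(); active[c].push(h); }
      } else if (before[c] && !record.choices[c]) {
        // Withdrawn: give each handler a chance to clean up (e.g. delete its cookies).
        for (const h of active[c].splice(0)) { if (h.onWithdraw) h.onWithdraw(); waiting[c].push(h); }
      }
    }
    return record;
  }

  return {
    isGranted,
    needsPrompt,
    getRecord: () => record,
    // Register a non-essential technology; onGrant runs only once its category is consented.
    whenGranted(category, onGrant, onWithdraw) {
      if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
      const h = { onGrant, onWithdraw };
      if (isGranted(category)) { onGrant(); active[category].push(h); } else waiting[category].push(h);
    },
    acceptAll() { return save(Object.fromEntries(CATEGORIES.map(c => [c, true]))); },
    rejectAll() { return save(Object.fromEntries(CATEGORIES.map(c => [c, false]))); },
    // Withdrawing one category is a single call, as easy as granting it. A stale
    // record is not silently renewed for the other categories.
    withdraw(category) {
      const choices = fresh(record) ? { ...record.choices } : {};
      choices[category] = false;
      return save(choices);
    },
  };
}

// In-memory store standing in for a first-party consent cookie (constructed for the demo).
function memoryStore() { let r = null; return { get: () => r, set: (v) => { r = v; } }; }

// Demo: nothing runs before an affirmative choice; withdrawal triggers cleanup.
function demo() {
  const events = [];
  const cm = createConsentManager(memoryStore());
  cm.whenGranted('analytics', () => events.push('ga:start'), () => events.push('ga:cleanup'));
  events.push('prompt:' + cm.needsPrompt());
  cm.acceptAll();
  cm.withdraw('analytics');
  return events; // → ['prompt:true', 'ga:start', 'ga:cleanup']
}
```

The gating is deliberately pull-based: a tag is registered with `whenGranted` and never executes on its own, so a script added to the page later cannot bypass the consent check by simply running at load time. The `noticeVersion` field is what forces re-collection after a material change to purposes, independently of the elapsed-time check.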

Frequently Asked Questions

Can we use a consent-or-pay model for tracking?

Possibly, but with significant constraints. The EDPB's Opinion 08/2024 on consent-or-pay models in the context of large online platforms concluded that such models are generally not compatible with GDPR consent requirements for large platforms, because the alternative to consent is not meaningful if the subscription fee is not affordable or reasonable. For smaller websites, the analysis is less settled, but the principle that consent must be freely given (without detriment to users who decline) means that consent-or-pay models require careful legal assessment before implementation.

Does Google Analytics require consent?

Yes. Google Analytics is an analytics cookie that collects data about user behaviour and transmits it to Google's servers. It is not strictly necessary for the delivery of the website service. Prior consent is required before setting the Google Analytics cookie. Where Google Analytics is used without prior consent, the website is in breach of both ePrivacy rules and the GDPR. Several supervisory authorities, including the French CNIL, Austrian DSB, and others, have issued decisions finding that Google Analytics transfers personal data to the US in breach of GDPR international transfer rules, creating a double compliance problem.

Do we need to audit third-party cookies loaded by our website?

Yes. Website operators are responsible for the cookies and tracking technologies loaded on their websites, including those loaded by third-party scripts. A website that embeds a social media share button, a chat widget, or an advertising tag is responsible for the cookies those technologies set. A cookie audit (systematic scanning of the website to identify all cookies set and their purposes) is a necessary first step in cookie compliance and should be repeated after any material changes to the website's technology stack.
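To show what the audit described above looks like as a check rather than a description, here is an added example (not code from the page or any scanning product). It takes a list of cookies observed during a crawl, each with the `Set-Cookie` header, the host that set it and the consent state at that moment, compares them against the site's declared cookie list, and reports cookies that are undeclared or non-essential but set before consent. The site host, the declared list and the observations are all constructed sample data.

```javascript
// Added example, not the page's own code. A consent-aware cookie audit over
// observations a crawler or browser devtools export would produce.

const SITE_HOST = 'www.example.be';   // constructed first-party host

// Constructed declared cookie list, as it would appear in the cookie notice.
const DECLARED = {
  session_id:     { category: 'necessary', purpose: 'keeps the user logged in' },
  cookie_consent: { category: 'necessary', purpose: 'stores the consent record' },
  _ga:            { category: 'analytics', purpose: 'analytics visitor identifier' },
};

// Parse a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);   // value may itself contain '='
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// A cookie is third-party when the setting host is neither the site nor a subdomain of it.
function isThirdParty(setBy, siteHost) {
  return setBy !== siteHost && !setBy.endsWith('.' + siteHost);
}

// observations: [{ header, setBy, consent }] where consent is 'none' or the
// granted category name recorded at the time the cookie was observed.
function auditObservations(observations, siteHost) {
  const findings = [];
  for (const o of observations) {
    const c = parseSetCookie(o.header);
    const decl = DECLARED[c.name];
    const thirdParty = isThirdParty(o.setBy, siteHost);
    if (!decl) {
      // Not in the notice at all: the operator is still responsible for it.
      findings.push({ cookie: c.name, setBy: o.setBy, thirdParty, issue: 'undeclared' });
    } else if (decl.category !== 'necessary' && o.consent === 'none') {
      findings.push({ cookie: c.name, setBy: o.setBy, thirdParty,
                      issue: 'set-before-consent', category: decl.category });
    }
  }
  return findings;
}

// Constructed observations from a simulated first visit and a post-consent visit.
const SAMPLE_OBSERVATIONS = [
  { header: 'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    setBy: 'www.example.be', consent: 'none' },
  { header: '_ga=GA1.2.111; Max-Age=63072000; Path=/',
    setBy: 'www.example.be', consent: 'none' },
  { header: 'widget_uid=xyz; Max-Age=7776000; Path=/; Domain=.social-widget.example',
    setBy: 'widget.social-widget.example', consent: 'none' },
  { header: '_ga=GA1.2.111; Max-Age=63072000; Path=/',
    setBy: 'www.example.be', consent: 'analytics' },
];

function runAudit() {
  return auditObservations(SAMPLE_OBSERVATIONS, SITE_HOST);
  // → two findings: _ga set-before-consent, widget_uid undeclared (third-party)
}
```

Recording the consent state alongside each observation is what makes the audit meaningful: the same `_ga` cookie is a finding on the first visit and unremarkable once analytics consent has been granted. Re-running this after any change to the tag stack, as the answer above recommends, is a matter of feeding in a fresh crawl.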

How long can consent last before it needs to be renewed?

The GDPR does not specify a maximum consent duration for cookies, but supervisory authorities and the EDPB have indicated that consent becomes stale and should be renewed after a period that is proportionate to the sensitivity of the data and the nature of the processing. In practice, most cookie CMPs are configured to re-present the consent interface after 12 months. Where significant changes are made to the purposes of cookies or the categories of data processed, consent should be re-collected regardless of the time elapsed.

Bart Lieben
Attorney-at-Law