The Personal Data Authority (AP) will continue to focus on compliance with privacy rules around cookies in the coming year. In December, the regulator launched a campaign to raise awareness about the privacy risks of cookies. Last year, the AP also issued fines to Kruidvat and Coolblue, among others, for violating cookie rules.
In recent years, the AP has written to several organizations about their cookie policies. These often specifically ask about the effect of certain cookies, whether personal data are processed with them and on what basis this takes place. Not all of these requests for information have (yet) led to enforcement. However, this does underline the AP's continued focus on compliance with the cookie law.
An interesting case is also at play in Belgium. The Belgian privacy regulator the Data Protection Authority (GBA) has announced that it is taking up a complaint about DPG Media's cookies following a complaint by NOYB, the privacy organization of Max Schrems (which previously successfully took on Spotify and Meta).
To accommodate the AP's interpretation, here are some key take-aways for a website's cookie setup:
Offer a 'Refuse All' button on the first layer
The AP emphasizes that users should be able to refuse cookies as easily as accept them. This means - according to the AP - that a "Refuse All" button should be immediately visible on the first cookie consent banner screen.
Check which cookies you set before and after consent
Only functional cookies and cookies with low privacy implications can be set before consent. This also includes affiliate or performance cookies, provided they are only used to measure the effectiveness of an advertisement shown and determine which affiliate is entitled to a reward. And A/B test cookies can also be excluded, provided they are used purely to compare the effectiveness of certain variations of online expressions against each other.
Analytics cookies may also require consent
The AP also views the use of some analytics cookies as privacy-sensitive. Many organizations set analytics cookies before a user has given consent. But if those cookies have a unique identifier that allows users to be tracked over time and across multiple domains, the AP considers this to be more than a "minor" invasion of privacy and then finds that consent must also be sought for these cookies. This applies, for example, to visual website optimizer, hotjar and may also apply to Google Analytics. More information is in this earlier article from DMCC: Google Analytics and Consent.
