Following several noyb complaints from 2023, the Belgian data protection authority has ordered four major Belgian news sites to bring their cookie banners into GDPR compliance. Specifically, De Standaard, Het Nieuwsblad, Het Belang van Limburg and Gazet van Antwerpen must add a “reject” button to the first layer of their cookie banners. In addition, the news sites have been ordered to change the currently misleading colour scheme of the buttons used. If the controller (Mediahuis) fails to comply, it faces a penalty of €50,000 per day per website.
Settlements instead of enforcement. In July 2023, noyb filed complaints against a total of 15 Belgian news websites for using deceptive cookie banners. Although these companies had already been the subject of a DPA investigation in previous years and were found to have failed to comply with the GDPR, they were never ordered to change their unlawful cookie banners. Instead, the case was closed with a questionable “settlement” that was not foreseen under Belgian law. Under the terms of the settlement, Mediahuis agreed to pay €10,000 – but was never ordered to bring its cookie banners into compliance with EU data protection law. So the violations continued. The Belgian DPA didn’t even bother to explain why the cases were settled rather than followed by a formal order to comply.
noyb complaint required to have “settlement” enforced. With its latest decision, the Belgian authority has finally made a U-turn on its non-enforcement approach: four websites operated by Mediahuis, namely De Standaard, Het Nieuwsblad, Het Belang van Limburg and Gazet van Antwerpen must now bring their cookie banners into compliance. Most notably, the websites have been ordered to implement a “reject” button on the first layer of the banner. In addition, the authority found that the companies had used deceptive button colours to trick users into consenting to the use of cookies. The authority also stressed that the processing of personal data for analytical purposes cannot be considered “strictly necessary”, meaning that the use of analytical cookies always requires consent.
Maartje de Graaf, data protection lawyer at noyb: “We are pleased that the Belgian data protection authority is no longer letting companies get away with deceptive cookie banners that clearly nudge users to click the privacy invasive “accept all” button. This should be a warning to all website owners to stop hiding their “reject all” button in the second layer of their cookie banner, to stop using misleading schemes and to always ask for consent before setting cookies for analytical purposes.”
Potential eight-figure penalty. Mediahuis and the aforementioned news sites now have 45 days to comply with the DPA’s orders and bring their cookie banners into compliance with the GDPR. In the event of non-compliance, each website faces a penalty of €50,000 per day. This would add up to a daily penalty of €200,000, which could lead to a maximum penalty of €10,000,000.
Belgian DPA also does a U-turn on absurd rejections. In a previous series of complaints by noyb, the Belgian DPA dismissed complaints on the basis of strange theories about allegedly “forced” complainants. In fact, even when complainants explicitly gave oral testimony that they wished to be represented by noyb, the Belgian DPA argued that noyb can't validly represent affiliated people in “model cases”. In this latest case, the Belgian DPA also seems to have done a U-turn on this narrative, claiming that in the present case, the noyb-affiliated individuals had in fact validly mandated noyb.
Max Schrems, Chairman of noyb: “We welcome that the Belgian DPA seems to be doing a U-turn on its absurd theory about representation. While the first line of cases was rejected based on made-up rules of admissibility, we now see that they are changing their tune. As long as this useless discussion is over, we welcome that.”
Update: In a similar case against RTL Belgium, the Belgian data protection authority also sided with noyb. The controller has to add a "refuse all" button to the first layer of its cookie banner and stop using deceptive colours and contrasts. In the event of non-compliance, RTL Belgium will have to pay a penalty of €40,000 per day with a maximum of €2 million.