That’s the way the (Belgian) cookie crumbles – Belgian Data Protection Authority imposes a fine for the unlawful use of website cookies

In December 2019, a Belgian legal information company received an early Christmas present from the Belgian Data Protection Authority, namely a €15,000 fine for an insufficient cookie policy and consent mechanism on the company’s website.

18 Feb 2020

The decision comes after the Belgian Data Protection Authority (Belgian DPA), on its own initiative, commenced an investigation into the offending company’s cookie policy and mechanisms on its legal information website. In summary, the Belgian DPA made the following findings:

  • the offending company’s website did not contain sufficient information pertaining to both the types of cookies and the number of cookies which it deployed on its website;
  • although the website users were primarily Dutch and French-speaking persons, the information on the company’s website pertaining to the company’s cookies was only available in English;
  • the company’s website did not contain an appropriate consent mechanism in terms of which the requisite consents for certain types of cookies which were used on the website could be obtained; and
  • the website did not contain a simple mechanism in terms of which the website users could withdraw their consent to the use of cookies.

In view of the fact that the above decision was handed down pursuant to European data protection laws, it becomes necessary, from a South African law perspective, to consider the extent to which a South African website owner could potentially be held liable by the South African Information Regulator for a failure to implement and maintain an appropriate cookie policy and consent mechanism on its website. In this regard, it is relevant to note that the South African Protection of Personal Information Act 4 of 2013 (POPIA) does not contain express provisions which specifically regulate the use of cookies by South African website owners.

Notwithstanding the above, and considering the principle-based nature of POPIA, the following sections of POPIA will have a bearing on the data protection liability of website owners in relation to website cookies:

  • section 11 of POPIA lists consent as a lawful basis upon which personal information may be processed. From a consent perspective, therefore, website owners utilising cookies on their websites should note that the utilisation of cookies (which collect the personal information of website users) constitutes the ‘processing of personal information’ under POPIA. Accordingly, website owners will need to ensure that appropriate consent mechanisms, which correctly facilitate a website user’s giving and withdrawal of consent to the relevant cookies, are built into their website(s); and
  • section 19 of POPIA requires responsible parties to take appropriate and reasonable technical and organisational measures in order to prevent the unlawful processing of personal information. From an organisational security perspective, website owners must ensure that their cookie policies and statements which appear on their websites are, inter alia: (i) drafted clearly and concisely; (ii) drafted in plain and understandable language; (iii) specifically tailored to the website owner’s business and processing activities; and (iv) sufficiently detailed with regard to the cookies which are used on their websites.

Although POPIA is not yet fully in force and will only commence on a date to be determined by the President by proclamation in the Government Gazette, website owners are reminded that the office of the Information Regulator has already been established by the coming into effect of sections 39–54 of POPIA. In this regard, the Information Regulator has, on occasion, proactively engaged companies in order to assist them in bringing their processing activities in line with the provisions of POPIA. In view of this practice, and in view of the impending commencement of the operative provisions of POPIA, website owners are advised to take measures to bring their website cookie policies, statements and consent mechanisms in line with the provisions of POPIA sooner rather than later.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.