Belgian DPA imposes penalty on Mediahuis for illegal cookie banners
The Gegevensbeschermingsautoriteit (GBA) has imposed a conditional penalty on online publisher Mediahuis for a number of infringements in the use of cookie banners on four of its websites.
The Belgian data protection authority (DPA) received a number of complaints from a Dutch citizen, who was backed and represented by the Austrian privacy organization Noyb, regarding the unlawful use of cookie banners on the website of four media outlets.
He claimed that the cookie banners didn’t provide a ‘refuse all’ button in the first information level of the banner, so visitors can reject all cookies with one click of the mouse. He also argued that the banner contained misleading button colors to mislead visitors into accepting all cookies.
Additionally, the complainant stated that it’s easy to consent with cookies, but it’s almost impossible to withdraw the consent. Lastly, he stated that non-strictly necessary cookies may only be placed when a visitor consents, such as marketing cookies and third-party tracking cookies.
After careful consideration, the Belgian DPA agrees with the complainant. The General Data Protection Regulation (GDPR) states that non-strictly necessary cookies are only permitted on the condition that consent must be ‘freely given, specific, informed and unambiguous’ in order for people to make a well-informed decision.
The GBA says that’s not the case if ‘reject all’ and ‘accept all’ aren’t at the same information level. Furthermore, consent is also not unambiguous because users don’t know they can refuse cookies since this option is only offered at a subsequent information level.
In addition, the button colors have deceptive design patterns, because the ‘accept all’ button is the only button that uses striking colors, thereby encouraging users to click on this button. The ‘refuse all’ and ‘accept all’ buttons must be displayed in an equivalent manner.
Withdrawing consent was only possible after a number of clicks. Accepting all cookies, on the other hand, is far easier. This is a violation of the GDPR. In the meantime, Mediahuis has taken measures to remedy the situation.
Lastly, Mediahuis used ‘legitimate interest’ as a legal basis for placing both analytic and marketing cookies. The GBA, however, points out that Mediahuis can only place strictly necessary cookies on the basis of legitimate interest. For the placement of non-strictly necessary cookies, the publisher needs the user’s consent.
The Belgian DPA has ordered Mediahuis to make the necessary adjustments in order to comply with the GDPR within 45 days. If the cookie banners aren’t modified by then, the online publisher will receive a penalty of € 25,000 per day and per non-compliant press site.
Mediahuis is allowed to appeal the GBA’s decision, but hasn’t made an announcement whether it’s going to or not.
Your email address will not be published. Required fields are marked