What should your cookie banner look like after the new Mediahuis DPA decision in Belgium?

Blog
On September 6th 2024, the Belgian Data Protection Authority (Belgian DPA) released a new decision following a complaint. This decision highlights the ongoing importance of cookie banners, consent mechanisms and the GDPR.
This blog post delves into the key elements of the new decision and its implications for digital marketers, particularly in terms of your cookie banner design and usage.
Table of Contents

The Core of the Decision: Compliance with GDPR

Organizations must ensure that users are given a genuine choice when it comes to accepting or rejecting cookies that aren’t strictly necessary for the website’s functionality.

In this new decision, The Belgian Data Protection Authority (Belgian DPA) concluded that the cookie banners on 4 press websites (De Standaard, Het Belang van Limburg, Het Nieuwsblad, Gazet van Antwerpen) were not compliant with GDPR regulations. 

The non-compliance stemmed from several factors that are common issues for many businesses and marketers.

The Importance of Genuine Consent

One of the fundamental pillars of GDPR is obtaining valid consent from users before placing cookies that aren’t strictly necessary for website functionality.  

In this case, the cookie banners on the 4 websites failed to provide users with an easy and clear option to refuse cookies from the outset. Instead, users were often nudged towards accepting cookies through “deceptive design patterns” (dark patterns, you can read more about them in this blog post).

The “Accept” button was prominently highlighted, while the option to refuse cookies was hidden or harder to access.
The Belgium DPA determined that this setup did not meet the requirements for informed, specific, and freely given consent. 

As a digital marketer and website owner, you should note that merely providing a way to reject cookies after additional steps or levels of interaction isn’t enough.

Your website or app visitors need to be presented with the option to refuse cookies on the same level as the option to accept them, from the very first interaction with the cookie banner.

Looking to streamline your compliance with the latest privacy regulations while optimizing your marketing results?

With Cookie Information’s Consent Management platform, you can gather valid user consents effortlessly. Our platform includes a customizable consent banner for your website and supports Google Consent Mode v2. Try it free for 14 days.

So what does this DPA decision teach us about the design of your cookie banner?

1. The "Reject All" Button Must Be Visible

One of the clearest messages from this decision is that cookie banners must have a “Reject All” button that is just as accessible and obvious as the “Accept All” button. 

This requirement ensures that users are genuinely able to make a choice, without being unduly influenced by the design or layout of the cookie banner. 

For marketers, this means reviewing your cookie banners to ensure that users can refuse cookies with the same ease as they can accept them.

2. Deceptive Design Patterns are No Longer Tolerated

The use of deceptive design patterns, such as making the “Accept All” button more visually appealing by using brighter colors or larger fonts, is another practice the DPA condemned. 

This decision settles it in the EU: Digital marketers should be aware that designs which subtly push users towards one option over another, especially when it comes to cookie consent, will not pass the scrutiny of regulatory authorities.

The aim is to ensure that users’ consent is based on an informed decision, free from manipulation or pressure.

3. Withdrawing Consent Should Be Simple

One of the issues highlighted in the decision was the difficulty users faced when trying to withdraw their consent after it was initially given.  

While it was easy for users to accept cookies with a single click, withdrawing consent required multiple steps. This imbalance violates GDPR’s stipulation that users should be able to withdraw their consent as easily as they give it. 

For digital marketers, this emphasizes the need to create a seamless process for both accepting and withdrawing consent, ensuring transparency and ease of use.

4. Legitimate Interest Cannot Be Used for Marketing Cookies

The DPA also addressed the improper use of legitimate interest as a basis for placing marketing cookies. 

Some businesses have tried to rely on legitimate interest as a way to circumvent the need for explicit consent when placing cookies that are used for analytical or marketing purposes. 

The decision reaffirmed that cookies used for marketing or any purpose beyond the strict functioning of the website require explicit consent from the user.
Legitimate interest cannot be used as a fallback in these cases. 

What are the consequences of not complying with the cookie regulations?

The consequences of failing to comply with cookie regulations can be significant. 

In this decision, the DPA imposed financial penalties, with the threat of daily fines of €25,000 for each day of continued non-compliance. Mediahaus had 45 days after the notification to come into compliance with this decision.

Additionally, the reputational damage from being publicly named as a non-compliant organization can be substantial, especially in industries where trust and transparency are critical.

Apart from the fines, the public nature of these decisions can harm your brand’s reputation, resulting in a loss of trust among your users.
Recently, we have seen new examples of these DPA crackdowns: Including several of Sweden’s IMY Meta Pixel Decisions.

(Read more about the Meta Pixel Decisions:
8 Million fine for Meta Pixel use in the EU: Is your digital marketing setup compliant with Sweden’s new decision?)

As a digital marketer: What should you do now?

In light of this decision, you should take several steps to ensure that your cookie practices are compliant on your website:
  1. Review your cookie banner
    Ensure that the option to refuse cookies is as prominent as the option to accept them. The design should not favor one option over the other, and there should be no deceptive design elements that push users towards accepting cookies.

  2. Make Consent Withdrawal Easy
    Users must be able to withdraw their consent as easily as they give it. This means allowing users to change their cookie preferences in just one or two clicks, rather than making them go through a lengthy process.

  3. Obtain Explicit Consent for Non-Essential Cookies
    Legitimate interest cannot be used as a fallback for placing cookies that track user behavior or serve marketing purposes. Always seek explicit consent for these types of cookies.

  4. Avoid Financial Penalties
    Ensure your cookie practices are fully aligned with GDPR to avoid costly penalties and public criticism.

  5. Follow Best Practices
    Regulators often provide guidelines and checklists that businesses can follow to stay compliant. We have for instance developed this cookie consent checklist so you can more easily make your cookie banner comply with the GDPR.

Stay compliant with evolving privacy rules and boost your marketing results effortlessly.

Cookie Information’s Consent Management platform simplifies consent collection with a user-friendly website banner, including integration with Google Consent Mode v2 for streamlined consent tracking.