Executive-committee of the Belgian DPA (GBA) v. Roularta Media Group

€50.000 in fines

Excerpt

The Belgian DPA fined Roularta, for several violations regarding the use of cookies such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.

Our analysis

The Belgian DPA began investigating Roularta Media Group's use of cookies on Belgian media websites. The investigation uncovered several potential violations of data protection laws, including the preselection of unnecessary cookies before the data subject's consent, the placement of statistical cookies without consent, pre-ticked boxes to grant consent for cookies from partners, hidden information in their privacy policy, unjustified retention periods for the storage of cookies, and the inability to revoke consent. The controller argued that statistical cookies are necessary for the business model of the website and do not process personal data, thus making GDPR inapplicable. They also argued that the personal data for statistical cookies was anonymised, and there were no adequate guidelines provided by the Belgian DPA for companies to comply with GDPR. 
The DPA found that cookies can only be placed without prior consent when they are strictly necessary for communication transmission or explicitly requested by the user. The controller violated Article 6(1)(a) of GDPR by placing unnecessary cookies without prior consent. The DPA noted that statistical cookies also require prior consent and revealed IP-addresses to the controller, making them indirectly identifiable, and thus GDPR applicable. The pre-ticked boxes for cookies from partner companies cannot constitute lawful consent, violating Article 6(1)(a). The disclaimer for third-party cookies violated the principle of accountability, and the privacy policy contained false, incomplete, and insufficient information, violating Article 12(1). The controller also violated Article 5(1)(e) by not proactively defining criteria for the storage of cookies. The inability to withdraw consent violated Article 7(3). The DPA held that the absence of guidelines is not a valid excuse for violating data protection legislation, as it is the controller's responsibility to comply with the law. Numerous guidelines for compliance with GDPR already exist.

Outcome

The DPA determined that it is the responsibility of the controller to comply with the law, and the DPA noted that numerous guidelines for companies to ensure compliance with the GDPR already exist. As a result of a violation of data protection legislation, the DPA fined the controller €50,000 and ordered the controller to bring its processing of personal data into compliance with the GDPR within 3 months.

Parties

Executive-committee of the Belgian DPA (GBA) and Roularta Media Group

Case number

85/2022

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us