Rossel Group (sudinfo) – €50,000 Fine (Belgium, 2022)

On 16 January 2019, the executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales. The investigation revealed the following potential violations. First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities. Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is active behaviour that meets the active consent requirement of Planet 49. Third, pre-ticked boxes to grant consent for third-party-cookies. Forth, an incomplete and poorly accessible cookie policy. Sixth, unjustified retention periods for the storage of cookies. Lastly, revoking consent was impossible. The DPA held that the controller violated Article 6(1)(a) by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies. Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in Planet 49 in specific situations. However the act of