Ms. X, represented by noyb - European Center for Digital Rights – Complaint Upheld (Belgium, 2023)

Complaint Upheld
Autorité de Protection des Données30 November 2023Belgium
final
ePrivacy
Complaint Upheld

A complaint against Radio Télévision Belge de la Communauté Française (Rtbf) led to the Belgian data protection authority upholding concerns about misleading cookie banners. The authority found that the website did not provide an easy way for users to refuse cookies and made it harder to withdraw consent than to accept it. This case highlights the need for clear and fair cookie consent practices.

What happened

The Belgian authority upheld a complaint about Rtbf's cookie banners that misled users regarding consent options.

Who was affected

Website visitors who interacted with Rtbf's cookie banners were affected.

What the authority found

The authority decided that Rtbf's cookie consent practices violated the ePrivacy Directive by not allowing easy refusal of cookies.

Why this matters

This ruling emphasizes the importance of transparent and user-friendly cookie consent mechanisms for all websites.

GDPR Articles Cited

AI-verified

Art. 5(3) ePrivacy Directive GDPR
View original scraped data
Art. 5(3) ePrivacy Directive

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 10(2)(2) Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 95 Belgian Law establishing the national data protection authority (LCA)

Entities Involved

Ms. X, represented by noyb - European Center for Digital Rights
RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE
Source verified 9 April 2026
articles corrected
national law identified
Belgium enforcementAutorité de Protection des Données actionsAll Ms. X, represented by noyb - European Center for Digital Rights actions
Full Legal Summary
Detailed

On 18 July 2023, a data subject filed a complaint with the Belgian DPA against Radio Télévision Belge de la Communauté Française (Rtbf - the controller) for their misleading cookie banners. Specifically, the complainant alleged four practices on the website: that there was no “refuse” option on the first level of information in the cookie banner, the presence of misleading button colours, that it was not as easy to withdraw consent as to give it and that the controller referred to legitimate interest. On 21 September 2023, the DPA started the discussions on a settlement proposal. After receiving the proposal on 20 October 2023, the complainant requested six changes to the proposal, including more explicit rules on the appearance of the cookie banners as well as their location, an injunction of the controller to cease unlawful treatment, and a fine under the Article 83(1) GDPR. Considering the facts of the case and the changes requested by the complainant, the DPA rejected all the changes; arguing it would not change the outcome of the settlement and that the fine was only possible if the case was tried on its merits, which is not the case in a settlement proposal. Indeed, the complaint was settled through a settlement decision provided in [https://www.autoriteprotectiondonnees.be/publications/loi-organique-de-l-apd.pdf Article 95(1)(2) LCA], the Belgian national law establishing the national data protection authority. With regards to the first request, the DPA held that a "refuse all" button does not need to be added to the first layer together with the "accept and close" button since this would not lead to a concrete result. Secondly, the DPA held that it was true that both buttons mentioned above were equally visually attractive. However, generally, controllers should not display 'less (visually) attractive' options. Next, the DPA considered the complainant's argument that it is a data subject's right under [https://eur-lex.europa.eu/legal-content/EN/ALL/?ur

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Violations (4)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Reject Harder Than Accept
critical

Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.

Art. 7 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

Cannot Withdraw Cookie Consent
critical

No accessible mechanism exists for users to withdraw previously given cookie consent.

Art. 7(3) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Ms. X, represented by noyb - European Center for Digital Rights in BE

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

CNIL

2019 · Court of Justice of the European Union

Details

Decision Date

30 November 2023

Authority

Autorité de Protection des Données

GDPRhub ID

gdprhub-7609

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. Ms. X, represented by noyb - European Center for Digital Rights - Belgium (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: