Contact us directly via email, phone or facsimile. If you have a specific legal issue to discuss, please give us a call and our attorneys will be available to assist you.
Access to websites or apps having to click on a cookies banner or any other type of “yes button” has become extremely common. We have all already faced the situation, at least once, where you have no other option but to agree to cookies in to access online content.
Rules on cookies are often misunderstood: the Luxembourg Data Protection Authority (the “CNPD”) has just issued new guidelines!
Is your website compliant?
Check the below guidelines and don’t hesitate to contact us, should you need any further assistance, we will be very pleased to assist you.
Do you use:
The guidelines issued by the CNPD targets:
The 2005 Law contains a general prohibition to listen to, intercept or store communications and related traffic data.
However, the 2005 Law also specifies important exceptions to this prohibition, in particular for the storage and access to cookies and similar technologies on a user’s terminal where:
With regard to the second exception, the CNPD recalls the principles set out by the European Court of Justice in its Planet49 judgment and in particular that the consent and information in relation to cookies should be interpreted in light of the provisions of Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”). For example, consent relating to cookies must be given by a clear affirmative act, which is not the case for pre-ticked boxes on a website.
2. Interpretation of the CNPD on non-essential cookies
Non-essential cookies may only be used if the user has been clearly and completely informed on their storage and access, according to the applicable legislation.
The CNPD guidelines set out precise details on how such information must be provided.
As the use of such cookies involves personal data processing, such information should also be compliant with the requirements of articles 12 and 13 of the GDPR.
Therefore, the CNPD recommends proceeding on two levels:
A first simplified level of information given via a cookie banner. At this stage, the website may simply inform the user about:
A second exhaustive level of information accessible by link in the cookie banner. It should include, in particular:
b. Conditions on consent
Non-essential cookies may only be used with the consent of the user.
With the Planet49 decision of the CJUE, consent should be interpreted in accordance with the requirements of the GDPR, namely:
According to the CNPD, consent shall be valid for a duration of 12 months, after which new consent must be sought.
3. Interpretation of the CNPD on essential cookies
The use of essential cookies is in principle not subject to any special conditions under current legislation.
However, the CNPD recommends, at the very least, informing users about what a cookie is and the purpose of its use. Such information may be provided by a cookie banner.
Where the cookie is only essential for a specific functionality of an app or a website, the CNPD recommends only storing or accessing the relevant cookie where the user specifically requests to benefit from the functionality.
It is to be noted that the use of essential cookies may also be subject to the provisions of the GDPR if such use involves processing of personal data. In this case, all the conditions of the GDPR shall apply, such as the obligation to provide information on personal data processing resulting from the use of the cookies, according to articles 12 and 13 of the GDPR.
4. Cookies Management
The CNPD specifies that the controller should always be able to demonstrate that it obtained a valid consent from the user. The controller should therefore keep information about the session in which consent was given. Regarding the validity of the consent, proof thereof may be obtained through means such as:
The use of consent management platforms offered by third parties is permitted, but it should be noted that such third parties, where they process personal data on behalf of the controller, would be considered as processor and should have a valid data processing agreement according to article 28 of the GDPR.