On October 11, 2024, the Belgian Data Protection Authority (Belgian DPA) issued its Decision No. 131/2024 in which it imposed a fine of €40,000 a day on RTL Belgium AS for violations of the General Data Protection Regulation (GDPR), following a complaint from none of your business (NOYB).

Background to the decision

On July 19, 2023, the Belgian DPA received a complaint from NOYB alleging that several elements of RTL Belgium's website's cookie banners violated the GDPR. The Belgian DPA noted that this complaint stemmed from a project initiated at NOYB to verify certain websites belonging to large Belgian press conglomerates.

Findings of the Belgian DPA

The Belgian DPA found that RTL Belgium failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner. Only the 'accept all' button was displayed. The Belgian DPA concluded that by doing this RTL Belgium not only makes it less visible to the persons concerned the possibility of refusing cookies but also makes it materially more difficult to refuse them, given that a greater number of actions is required. Additionally, this practice encourages persons to accept the storage of cookies. The Belgian DPA also highlighted that, in RTL Belgium's case, this encouragement to accept cookies was not justified as it did not benefit the persons concerned.

The Belgian DPA noted that requiring a data controller to make it as easy to refuse cookies as it is to accept them constitutes a concrete application of the conditions of validity of consent as defined by Article 6(1)(a) of the GDPR.

Furthermore, the Belgian DPA found that RTL Belgium used misleading colors in its cookie banner, directing users towards the choice of consenting to cookies by highlighting the 'accept all' button.

In all, the Belgian DPA concluded that RTL Belgium violated Articles 5(1)(a) and 6(1)(a) of the GDPR.

Outcomes

In light of the above, the Belgian DPA decided that RTL Belgium shall:

• add a button to its cookie banner allowing the refusal of all cookies in a single click on every layer in which the 'accept all' button also appears; and
• use colors in its cookie banner that are not manifestly misleading, in a way that the button to 'accept all' cookies and the one to 'refuse all' cookies are displayed at least equivalently.

In addition, the Belgian DPA imposed a fine of €40,000 on RTL Belgium for each day of delay in complying with the Belgian DPA's decision.

You can read the decision, only available in French, here.