Executive-committee of the Belgian DPA (GBA) v. Rossel & Cie

€50,000 in fines

Excerpt

Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.

Our analysis

Groupe Rossel, a Belgian press group, was found to have committed several violations by the Belgian DPA in their management of non-essential cookies on several of its websites. The DPA’s inspection service found that Groupe Rossel had used non-essential cookies before obtaining valid consent from website users, including cookies placed by third-party domains, violating Article 6(1)(a) of the GDPR. The company had also unlawfully obtained user consent by using the ‘further browsing’ technique [involves presenting visitors with a message that asks for their consent to use cookies or other tracking tools, but makes it seem like they have no other choice if they want to continue using the website. The message typically displays a button with text like “continue browsing” or “agree” to nudge visitors into giving consent] and coupling users’ expression of cookie consent with the choice to continue to the website, contrary to Articles 4(11) and 7(1) of the GDPR. Additionally, Groupe Rossel had placed further cookies on its websites without an appropriate justification after user consent had been withdrawn, violating Article 7(3) of the GDPR, which requires the user to provide consent through a clear and affirmative action.
The company’s cookie policy on relevant websites was also incomplete and not sufficiently accessible, in violation of Articles 12(1), 13, and 14 of the GDPR. The lack of essential information, such as the names of all third-party partners, prevented users from making an informed decision about their data. Groupe Rossel disputed some of the findings, including the placement of statistical and social-network cookies prior to consent, the qualification of ‘further browsing’ as consent, and the use of pre-ticked boxes to grant consent for third-party cookies. The company was also found to have unjustified retention periods for the storage of cookies, and revoking consent was impossible.

Outcome

Groupe Rossel was fined €50,000 by the Belgian DPA for violating GDPR, and was ordered to publish the decision on its website. The DPA also instructed the company to bring its personal data processing practices into compliance within three months.

Parties

Rossel Group (sudinfo), Rossel Group (le soir); Rossel & Cie

Case number

DOS-2020-02998

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us