The Belgian Data Protection Authority: APD/GBA
Belgium's supervisory authority for data protection is the Autorite de protection des donnees (APD), known in Dutch as the Gegevensbeschermingsautoriteit (GBA). The APD/GBA oversees both GDPR enforcement and cookie-specific rules within Belgian territory.
The authority has been particularly active on cookie compliance. Between 2019 and 2025, the APD issued a dozen cookie-related decisions, with fines typically ranging from EUR 1,500 to EUR 50,000. The agency also gained international attention for its landmark ruling against IAB Europe's Transparency and Consent Framework (TCF) in February 2022, which carried a EUR 250,000 fine.
Under its 2026-2028 Strategic Plan, the APD is shifting from reactive complaint handling toward proactive, systemic enforcement - meaning cookie audits may arrive without a complaint triggering them first.
Belgian Cookie Law: ePrivacy Transposition
Cookie consent in Belgium was originally governed by Article 129 of the Electronic Communications Act (Wet betreffende de elektronische communicatie, 13 June 2005), which transposed Article 5(3) of the EU ePrivacy Directive into Belgian law.
Following the Act of 21 December 2021, which transposed the European Electronic Communications Code, the cookie provisions moved from Article 129 to Article 10/2 of the Privacy Act (Wet van 30 juli 2018). The substantive requirements remained the same: storing or accessing information on a user's device requires prior, informed, freely given, specific, and unambiguous consent.
Exemptions from Consent
Two narrow exemptions apply. Cookies used solely to carry out a communication over an electronic network do not require consent. Cookies strictly necessary to provide a service explicitly requested by the user are also exempt.
Typical examples of exempt cookies include session identifiers like PHPSESSID, load-balancing cookies, and shopping cart cookies on e-commerce sites. Analytics cookies such as _ga, advertising cookies like _fbp, and social media widgets all require prior consent.
How Belgian Cookie Rules Relate to the GDPR
The ePrivacy rules and the GDPR work in tandem. Article 10/2 of the Privacy Act governs whether you may place a cookie on the device. The GDPR governs what you do with any personal data collected through that cookie. In practice, the consent standard is the same: it must meet the GDPR Article 7 requirements.
The APD applies both frameworks simultaneously. A cookie banner that fails to offer a genuine reject option violates ePrivacy rules on consent. If the cookies in question also collect personal data, GDPR consent requirements apply on top.
This dual framework means Belgian enforcement can draw on both sets of rules when issuing fines.
APD Enforcement: Dark Patterns and Cookie Banners
The APD has targeted deceptive cookie banner designs with increasing firmness. The most prominent case involved Mediahuis NV, operator of major Belgian news sites including De Standaard, Gazet van Antwerpen, Het Belang van Limburg, and Het Nieuwsblad.
In Decision 85/2022, the APD found Mediahuis used dark patterns on its cookie banners: no clear reject button on the first layer, misleading colour contrast between accept and manage buttons, and withdrawal of consent made deliberately harder than granting it. The APD imposed a penalty of EUR 25,000 per day per website for continued non-compliance, with an order to fix the banners within 45 days.
A follow-up decision in 2024 (Decision 37/2024) addressed similar issues at another media company, reprimanding it for highlighting the accept button in a contrasting colour while burying the reject option. These cases confirm a clear pattern: the APD treats dark patterns in cookie banners as consent violations.
What the APD Expects from Cookie Banners
| Requirement | APD Expectation |
|---|---|
| Reject option | A clear "Reject All" button on the first layer, equally prominent as "Accept All" |
| Button design | No misleading colours, sizes, or contrast to steer users toward acceptance |
| Granular choice | Users must be able to consent per cookie category (e.g. analytics, marketing) |
| Withdrawal | Withdrawing consent must be as easy as giving it |
| Pre-ticked boxes | Not permitted - consent must be an affirmative action |
| Cookie walls | Blocking access entirely unless cookies are accepted is not valid consent |
The IAB Europe TCF Case: A Belgian Landmark
Belgium became the centre of a Europe-wide debate when the APD ruled in February 2022 that IAB Europe's Transparency and Consent Framework violated the GDPR. The APD found that TC Strings - the encoded records of user consent preferences - constituted personal data and that IAB Europe acted as a joint controller.
The case went through multiple court proceedings. In May 2025, the Belgian Market Court confirmed that TC Strings are personal data but narrowed IAB Europe's controllership to its own processing of those strings, not to downstream processing by advertisers in the OpenRTB protocol.
In January 2026, IAB Europe won a further appeal: the Market Court annulled the APD's validation of IAB Europe's corrective action plan, finding it legally flawed. The APD must now issue a new decision reflecting the narrower scope of controllership. The TCF itself continues to operate, with version 2.3 rolling out across the ecosystem.
For website owners using a consent management platform that relies on the TCF, this saga underscores the importance of choosing a CMP that records and stores consent independently, rather than relying solely on a TC String.
Belgium Compared to Neighbouring EU Countries
Belgian cookie rules sit within the broader EU framework, but enforcement intensity and specific guidance vary by country. If your website targets visitors across the Benelux region or neighbouring states, compare the Belgian approach with these guides:
Cookie consent in the Netherlands - the Dutch AP has issued detailed cookie guidance and pursued enforcement against tracking walls.
Cookie consent in France - the CNIL has imposed some of the largest cookie-related fines in Europe, including multi-million euro penalties against major tech companies.
Cookie consent in Luxembourg - as a fellow Benelux state, Luxembourg's CNPD applies similar ePrivacy transposition rules.
Cookie consent in Germany - the TTDSG provides Germany's specific ePrivacy transposition, with the Federal Court (BGH) confirming opt-in consent requirements.
Compliance Checklist for Belgian Websites
Use this checklist to verify your site meets current APD expectations. Each item reflects either explicit guidance from the APD or requirements drawn from enforcement decisions.
Display a cookie banner before any non-essential cookies are set.
Include equally visible "Accept All" and "Reject All" buttons on the first layer.
Avoid colour contrast tricks, oversized accept buttons, or other dark patterns.
Offer granular, per-category consent (analytics, marketing, functional) on a second layer.
Do not use pre-ticked checkboxes.
Make withdrawing consent as straightforward as giving it - a persistent link or icon on every page.
Run a cookie scan to identify every cookie and tracker on your site.
Maintain a cookie policy listing each cookie's name, purpose, provider, type, and expiry.
Block non-essential scripts until consent is recorded.
If using Google Consent Mode v2, verify that default consent states are set to denied for Belgian visitors.
Frequently Asked Questions
Does Belgium require cookie consent for analytics cookies?
Yes. Analytics cookies such as _ga are not strictly necessary to deliver a service requested by the user, so they require prior opt-in consent under Article 10/2 of the Belgian Privacy Act and the GDPR.
Can I use a cookie wall on a Belgian website?
The APD considers cookie walls - where site access is blocked unless all cookies are accepted - incompatible with freely given consent. Consent obtained through a cookie wall is unlikely to be valid.
What fines has the Belgian APD issued for cookie violations?
Most APD cookie fines have ranged from EUR 1,500 to EUR 50,000. The Mediahuis case involved a penalty of EUR 25,000 per day per website for continued non-compliance with cookie banner requirements.
Is a reject button mandatory on Belgian cookie banners?
The APD has consistently enforced the requirement for a clear reject option on the first layer of the cookie banner, equally prominent as the accept button. Multiple enforcement decisions confirm this expectation.
How does the IAB TCF case affect my website in Belgium?
The Belgian Market Court narrowed IAB Europe's controllership in 2025-2026 rulings, but the case highlighted risks of relying solely on TC Strings for consent records. Using a CMP that stores consent independently provides stronger compliance evidence.
Which Belgian law governs cookie consent?
Cookie consent is now governed by Article 10/2 of the Belgian Privacy Act (Wet van 30 juli 2018), which replaced the former Article 129 of the Electronic Communications Act following a 2021 legislative reform. The GDPR applies alongside it for any personal data processing.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Belgian and EU law.
