Belgian Cookie Banner Rules: GBA Checks and Fines

Your Belgian website visitors expect a cookie banner when they arrive. Get it wrong and you are not just annoying them. You are breaking the law. The Belgian Data Protection Authority (GBA/APD) has been active in enforcing cookie rules. It has fined companies that hide their reject button or use dark patterns to push consent. This guide covers exactly what your cookie banner needs to do in Belgium. Run a free check on your site to see whether your banner already meets the rules.

Why Belgium's Cookie Rules Are Stricter Than You Think

Belgium does not just follow generic GDPR rules. The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, GBA/APD) has a reputation for tough enforcement. In 2022 the GBA ruled that the IAB Europe Transparency and Consent Framework violated GDPR. That ruling rippled across European websites. It hit Belgium first and hardest.

The GBA has fined multiple companies for cookie dark patterns. Examples include making the reject button smaller than accept, hiding the reject option entirely or making it harder to reject than to consent. The regulator also cracked down on pre-ticked boxes and consent walls that force visitors to accept all cookies to enter the site.

The legal basis is straightforward:

• Wet van 13 juni 2005 / Loi du 13 juin 2005 (Belgium's ePrivacy law implementing the EU ePrivacy Directive 2002/58/EC)
• GBA Aanbeveling 01/2020 on cookies and other tracking devices (see GBA publications)
• GDPR Article 4(11) on valid consent (see full GDPR text)
• GDPR Article 7(4) on clear consent before processing

The Basic Rule: Equal Prominence, No Dark Patterns

The GBA's most important rule is simple. Your reject button must be equally prominent as your accept button. This is not negotiable.

What "equally prominent" means:

• Same font size
• Same colour contrast
• Same button size
• Same position (for example both on the same row or both equally visible in a stack)
• Same number of clicks to execute the action

If your banner shows "Accept all" in green and "Customize" in tiny grey text with three more clicks to actually reject, the GBA will fine you. If your website pre-ticks all categories except one, that is dark pattern behaviour.

The Reject Button Must Exist

You cannot rely on a close button (X) as your reject button. Many Belgian websites tried this. They put a small X in the corner and claimed visitors could close the banner. The GBA said: not acceptable. Visitors should be able to reject all cookies with one clear, prominent action, just as they can accept all.

Which Language Does Your Banner Need?

Belgium is split across three official languages. English-speaking businesses serving Belgian customers still need to plan for Dutch, French or German depending on where their visitors live.

<div className="my-6 overflow-hidden rounded-lg border border-slate-200"> <table className="w-full text-sm"> <thead className="bg-slate-50"> <tr> <th className="px-4 py-2 text-left font-semibold">Region</th> <th className="px-4 py-2 text-left font-semibold">Official language(s)</th> <th className="px-4 py-2 text-left font-semibold">Banner expectation</th> </tr> </thead> <tbody className="divide-y divide-slate-200"> <tr> <td className="px-4 py-2 font-medium">Flanders</td> <td className="px-4 py-2">Dutch</td> <td className="px-4 py-2">Dutch banner served by default for visitors landing on Dutch pages.</td> </tr> <tr> <td className="px-4 py-2 font-medium">Wallonia</td> <td className="px-4 py-2">French</td> <td className="px-4 py-2">French banner served by default for visitors landing on French pages.</td> </tr> <tr> <td className="px-4 py-2 font-medium">Brussels</td> <td className="px-4 py-2">Dutch and French</td> <td className="px-4 py-2">Match the page language the visitor selected. Offer both versions.</td> </tr> <tr> <td className="px-4 py-2 font-medium">East Cantons</td> <td className="px-4 py-2">German</td> <td className="px-4 py-2">German banner for the small eastern German-speaking community if you target it.</td> </tr> </tbody> </table> </div>

The GBA has noted that language barriers can prevent informed consent. If a Walloon French speaker visits a Dutch-only cookie banner, that visitor has not given informed consent in their language. Auto-translate widgets are not a substitute for a properly localised banner.

What Your Banner Must Include

1. Clear Disclosure: What Cookies You Are Using and Why

Before asking for consent, tell visitors what cookies you are placing on their device and what you will do with the data.

Required information:

• The name of each cookie or cookie category
• The purpose (for example "Analytics to measure page traffic" or "Marketing to show ads for our products")
• The duration (how long the cookie stays on the device)
• Whether the data goes to third parties and where (for example "Google Analytics processing in the US")

You do not need to list every single cookie if they serve the same purpose, but you cannot be vague. "Various cookies for analytics" does not cut it. Say "Google Analytics, which measures page views and user behaviour. Data is processed by Google in the US."

2. Distinguish Between Necessary and Optional Cookies

Necessary cookies (for example session cookies and security tokens) do not require consent under GDPR. Optional cookies (analytics, marketing, preference) do.

Structure your banner so visitors can:

• Accept all cookies (which consents to necessary plus optional)
• Reject all optional cookies (but accept necessary ones automatically)
• Customize and choose individual categories (for example "Analytics yes, Marketing no")

The GBA expects this granular choice. If your banner forces an all-or-nothing decision, you are forcing a consent wall. That is prohibited.

3. No Pre-Ticked Boxes

Active consent only. If your banner loads with "Necessary," "Analytics" and "Marketing" all already checked, that is illegal. The visitor has not actually consented. The cookie banner has decided for them.

You can and should pre-tick "Necessary" cookies if they are genuinely necessary for site function (login, security, language preference). Everything optional must be unticked by default. The CJEU confirmed this in the Planet49 (C-673/17) ruling, which applies directly in Belgium.

4. Easily Withdrawable Consent

GDPR says consent must be as easy to withdraw as it is to give. This means:

• A settings menu or preference centre accessible from every page (usually in the footer or header)
• A way for visitors to change their mind after closing the initial banner
• No need to accept again just to change their preferences

If your banner only appears once and cannot be accessed again, the GBA will flag it.

Compliance Checklist at a Glance

<div className="my-6 overflow-hidden rounded-lg border border-slate-200"> <table className="w-full text-sm"> <thead className="bg-slate-50"> <tr> <th className="px-4 py-2 text-left font-semibold">Element</th> <th className="px-4 py-2 text-left font-semibold">Must do</th> <th className="px-4 py-2 text-left font-semibold">Must not do</th> </tr> </thead> <tbody className="divide-y divide-slate-200"> <tr> <td className="px-4 py-2 font-medium">Reject button</td> <td className="px-4 py-2">Same size, colour weight, position as accept.</td> <td className="px-4 py-2">Hide it behind "Settings" or use a grey link.</td> </tr> <tr> <td className="px-4 py-2 font-medium">Pre-ticked boxes</td> <td className="px-4 py-2">Leave optional categories unticked.</td> <td className="px-4 py-2">Pre-tick analytics or marketing.</td> </tr> <tr> <td className="px-4 py-2 font-medium">Cookie list</td> <td className="px-4 py-2">Name each tool, purpose, duration, third party.</td> <td className="px-4 py-2">Use vague phrasing like "various cookies".</td> </tr> <tr> <td className="px-4 py-2 font-medium">Withdrawal</td> <td className="px-4 py-2">Provide a persistent "Cookie settings" link.</td> <td className="px-4 py-2">Force users to clear cookies to change their mind.</td> </tr> <tr> <td className="px-4 py-2 font-medium">Data transfers</td> <td className="px-4 py-2">Disclose US or non-EU processors plainly.</td> <td className="px-4 py-2">Hide them in a long policy with no banner mention.</td> </tr> </tbody> </table> </div>

Consent UI: Do This, Not That

<div className="my-6 grid gap-4 md:grid-cols-2"> <div className="rounded-lg border border-emerald-200 bg-emerald-50 p-4"> <div className="mb-2 flex items-center gap-2 text-emerald-700 font-semibold"> <svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <circle cx="10" cy="10" r="9" stroke="currentColor" strokeWidth="2" /> <path d="M6 10.5l2.5 2.5L14 7.5" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" /> </svg> <span>Do</span> </div> <ul className="list-disc space-y-1 pl-5 text-sm text-emerald-900"> <li>Place "Reject all" and "Accept all" side by side with the same visual weight.</li> <li>Leave optional categories unticked on first load.</li> <li>Show a persistent "Cookie settings" link in the footer.</li> <li>Match the banner language to the page language.</li> </ul> </div> <div className="rounded-lg border border-rose-200 bg-rose-50 p-4"> <div className="mb-2 flex items-center gap-2 text-rose-700 font-semibold"> <svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <circle cx="10" cy="10" r="9" stroke="currentColor" strokeWidth="2" /> <path d="M7 7l6 6M13 7l-6 6" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" /> </svg> <span>Do not</span> </div> <ul className="list-disc space-y-1 pl-5 text-sm text-rose-900"> <li>Use a green "Accept" with a tiny grey "Reject" link.</li> <li>Pre-tick analytics or marketing categories.</li> <li>Rely on a close (X) icon as the reject choice.</li> <li>Block content until cookies are accepted.</li> </ul> </div> </div>

Data Transfers and US Processors

If you use Google Analytics, Google Ads or any tool that sends data to the US, you must disclose this clearly. The GBA cares about data transfers because GDPR allows transfers to countries with adequacy decisions. The US does not have a clean adequacy status. Transfers require specific safeguards like Standard Contractual Clauses.

In your banner, be explicit:

• "Google Analytics processes data in the United States. Google has adopted Standard Contractual Clauses to protect your data."
• Link to Google's data processing terms or DPA
• Apply the same transparency to other US-based tools

Practical Steps to Comply

Step 1: Audit Your Current Banner

If you already have one, check:

• Is the reject button the same size and colour as accept?
• Can visitors reject without multiple clicks?
• Are purposes clearly explained, not vague?
• Can visitors customize individual categories?
• Is there a preferences menu they can access later?
• Are boxes pre-ticked? (They should not be, except "Necessary")
• Does it explain data transfers (for example to the US)?

You can also use our free scanner to spot the most common issues automatically.

Step 2: Choose a Compliant Cookie Management Platform

Not all cookie consent managers are equal in Belgium. The GBA has criticised several popular tools for enabling dark patterns. Look for platforms that:

• Enforce equal prominence between buttons
• Block pre-ticked optional categories
• Provide a persistent preference centre
• Offer clear disclosure templates
• Include translations for Dutch, French and German

Examples worth reviewing: Cookiebot, OneTrust, Osano and Complianz. Review their GDPR documentation specifically for Belgium.

Step 3: Draft Clear Cookie Categories

Create simple, non-technical descriptions:

• Necessary: "These cookies keep you logged in, remember your language choice and protect against security threats."
• Analytics: "These help us understand which pages you visit and how long you stay, so we can improve our website."
• Marketing: "These show you ads for our products on other websites based on what you have viewed here."
• Preferences: "These remember your choices, like timezone or currency, so you do not have to enter them again."

Step 4: Document Your Data Flows

Map out:

• Which tools you use (Google Analytics, Meta Pixel, email marketing platform)
• Where each tool processes data
• How long data is kept
• What legal basis you are using (consent, legitimate interest, contract)

This helps you write accurate cookie disclosures. It also prepares you if the GBA asks questions. Our Belgian GDPR checklist walks through the wider compliance picture in one page.

Step 5: Create a Persistent Preference Centre

Add a "Cookie Settings" or "Privacy Settings" link in your footer. This page should allow visitors to:

• See all cookie categories and their purposes again
• Change their consent choices
• Withdraw consent entirely
• Download a copy of their preferences

Common Mistakes to Avoid

1. "Accept" in green, "Reject" in grey. Even a slight colour difference signals manipulation. Make them genuinely equal.
2. Hiding the settings link. If visitors have to hunt for your preference centre, it is not easily accessible.
3. Assuming youtube-nocookie.com is enough. Using YouTube's no-cookie embed still requires consent if you collect analytics about visitor interaction.
4. Translating carelessly. A poorly translated banner confuses non-Dutch and non-French speakers, which the GBA views as a consent problem.
5. Using "legitimate interest" as a catch-all. The GBA is sceptical of marketing cookies on legitimate interest. Consent is safer.

Penalties for Getting It Wrong

The GBA has authority to fine companies up to EUR 20 million or 4% of global turnover, whichever is higher, under GDPR. For administrative fines under the Wet van 13 juni 2005, separate amounts apply.

Belgian enforcement is concrete. The Litigation Chamber fined Roularta Media Group EUR 50,000 in Decision 85/2022 for cookies set before consent and pre-ticked third-party boxes on Knack and Le Vif. The IAB Europe ruling in February 2022 led to a EUR 250,000 fine and reshaped how AdTech handles consent across Europe. Our deep dive on GBA cookie enforcement covers the case detail.

The GBA also accepts complaints from individual visitors. A single well-documented complaint about your cookie banner can trigger an investigation.

Summary and Checklist

Before launching your cookie banner, confirm:

• Reject button is equal in prominence to accept
• No pre-ticked boxes for optional cookies
• Clear explanation of each cookie category and purpose
• Granular choice rather than all-or-nothing
• Data transfer disclosures (especially for US-based tools)
• Preference centre accessible from every page
• Banner available in Dutch, French and German if relevant
• Easy withdrawal of consent
• No language barriers to understanding consent

The GBA does not expect perfection. It expects respect for visitor choice and transparency. A banner that makes rejecting as easy as accepting, explains clearly what you do with data and lets visitors change their mind later meets the standard. Keep it straightforward, avoid design tricks and you will stay compliant.

For specific guidance, consult the Gegevensbeschermingsautoriteit (GBA) or Autorité de protection des données (APD) at www.autoriteprotectiondonnees.be. They publish decision summaries in English.