Cookie Banner Requirements for Belgium: What English-Speaking Businesses Need to Know
Steven | TrustYourWebsite · 2 May 2026
Your Belgian website visitors expect to see a cookie banner when they arrive. But get it wrong, and you're not just annoying them—you're breaking the law. The Belgian Data Protection Authority (GBA/APD) has been aggressive about enforcing cookie rules, handing out fines to companies that hide their reject button or use dark patterns to manipulate consent. This guide covers exactly what your cookie banner needs to do in Belgium.
Why Belgium's Cookie Rules Are Stricter Than You Think
Belgium isn't just following generic GDPR rules. The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données—GBA/APD) has a reputation for tough enforcement. In 2022, the GBA ruled that the industry's standard cookie framework—the IAB Europe Transparency & Consent Framework—violated GDPR. That ruling rippled across European websites, but it hit Belgium first and hardest.
The GBA has fined multiple companies for cookie dark patterns: making the reject button smaller than accept, hiding the reject option, or making it harder to reject than to consent. They also cracked down on pre-ticked boxes and consent walls that force visitors to accept all cookies to enter the site.
The legal basis is straightforward:
- Loi du 13 juin 2005 / Wet 13 juni 2005 (Belgium's ePrivacy law implementing the EU ePrivacy Directive 2002/58/EC)
- GDPR Article 4(11) on valid consent
- GDPR Article 7(4) on clear consent before processing
The Basic Rule: Equal Prominence, No Dark Patterns
The GBA's most important rule: your reject button must be as prominent as your accept button. This isn't negotiable.
What "equally prominent" means:
- Same font size
- Same color contrast
- Same button size
- Same position (e.g., both on the same row, or both equally visible in a stack)
- Same number of clicks to execute the action
If your banner says "Accept all" in green and "Customize" in tiny gray text with three more clicks to actually reject, the GBA will fine you. If your website pre-ticks all categories except one, that's dark pattern behavior.
The Reject Button Must Exist
You cannot rely on a close button (X) as your reject button. Many Belgian websites tried this—put a small X in the corner and claim visitors could close the banner. The GBA said: not acceptable. Visitors should be able to reject all cookies with one clear, prominent action, just as they can accept all.
What Your Banner Must Include
1. Clear Disclosure: What Cookies You're Using and Why
Before asking for consent, tell visitors what cookies you're placing on their device and what you'll do with the data.
Required information:
- The name of each cookie or cookie category
- The purpose (e.g., "Analytics to measure page traffic," "Marketing to show you ads for our products")
- The duration (how long the cookie stays on the device)
- Whether the data goes to third parties and where (e.g., "Google Analytics processing in the US")
You don't need to list every single cookie if they serve the same purpose, but you can't be vague. "Various cookies for analytics" doesn't cut it. Say "Google Analytics, which measures page views and user behavior; data processed by Google in the US."
2. Distinguish Between Necessary and Optional Cookies
Necessary cookies (e.g., session cookies, security tokens) don't require consent under GDPR. Optional cookies (analytics, marketing, preference) do.
Structure your banner so visitors can:
- Accept all cookies (which consents to necessary + optional)
- Reject all optional cookies (but accept necessary ones automatically)
- Customize and choose individual categories (e.g., "Analytics yes, Marketing no")
The GBA expects this granular choice. If your banner forces an all-or-nothing decision, you're forcing a consent wall, which is prohibited.
3. No Pre-Ticked Boxes
Active consent only. If your banner loads with "Necessary," "Analytics," and "Marketing" all already checked, that's illegal. The visitor hasn't actually consented—the cookie banner has decided for them.
Conversely, you can and should pre-tick "Necessary" cookies if they're genuinely necessary for site function (login, security, language preference). But everything optional must be unticked by default.
4. Easily Withdrawable Consent
GDPR says consent must be as easy to withdraw as it is to give. This means:
- A settings menu or preference center accessible from every page (usually in the footer or header)
- A way for visitors to change their mind after closing the initial banner
- No need to accept again just to change their preferences
If your banner only appears once and can't be accessed again, the GBA will flag it.
Language Considerations in Belgium
Belgium is linguistically split: Dutch speakers in Flanders, French speakers in Wallonia, and German speakers in a small eastern region. Brussels is bilingual (Dutch/French).
If your website serves multiple language audiences:
- Provide the cookie banner in the language the visitor is using
- Don't require visitors to switch language just to understand your cookies
- Ensure the translation is accurate (don't rely on auto-translate for legal text)
The GBA has noted that language barriers can prevent informed consent. If a Walloon French speaker visits a Dutch-only cookie banner, they haven't given informed consent in their language.
Data Transfers and US Processors
If you use Google Analytics, Google Ads, or any tool that sends data to the US, you must disclose this clearly. The GBA cares about data transfers because GDPR allows transfers to countries with "adequacy decisions" (like most of the EU), but the US doesn't have one. Transfers require specific safeguards like Standard Contractual Clauses (SCCs).
In your banner, be explicit:
- "Google Analytics processes data in the United States. Google has adopted Standard Contractual Clauses to protect your data."
- Link to Google's data processing terms or DPA
- If using other US-based tools, apply the same transparency
Practical Steps to Comply
Step 1: Audit Your Current Banner
If you already have one, check:
- Is the reject button the same size and color as accept?
- Can visitors reject without multiple clicks?
- Are purposes clearly explained, not vague?
- Can visitors customize individual categories?
- Is there a preferences menu they can access later?
- Are boxes pre-ticked? (They shouldn't be except "Necessary")
- Does it explain data transfers (e.g., to the US)?
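The checklist above can be run as an automated check against a description of your banner. The following is an added example, not code from any CMP or from the GBA; the descriptor fields (`buttons`, `categories`, `selectable`, `transfersToUS`, `preferenceCenterUrl` and so on) are hypothetical names chosen for illustration. It can confirm that a purpose is present, but judging whether a purpose is vague still needs a human reader.

```javascript
// Added example. The banner descriptor fields below are hypothetical.
const COMPARED = ["fontSizePx", "widthPx", "heightPx", "background", "color"];

function auditBanner(banner) {
  const findings = [];
  const { accept, reject } = banner.buttons;
  if (!reject) {
    // A close (X) control does not count as a reject button.
    findings.push("no reject button");
  } else {
    for (const prop of COMPARED) {
      if (accept[prop] !== reject[prop]) findings.push(`reject differs from accept: ${prop}`);
    }
    if (reject.clicks > accept.clicks) findings.push("rejecting takes more clicks than accepting");
  }
  for (const cat of banner.categories) {
    if (!cat.purpose || !cat.purpose.trim()) findings.push(`no purpose stated: ${cat.id}`);
    if (cat.transfersToUS && !cat.transferDisclosure) findings.push(`undisclosed data transfer: ${cat.id}`);
    if (cat.necessary) continue; // the remaining checks apply to optional categories only
    if (cat.checkedByDefault) findings.push(`pre-ticked optional category: ${cat.id}`);
    if (!cat.selectable) findings.push(`no individual choice: ${cat.id}`);
  }
  if (!banner.preferenceCenterUrl) findings.push("no persistent preference center");
  return findings;
}

// Constructed sample: green accept, small gray reject behind three clicks,
// analytics pre-ticked with no transfer disclosure, no settings link.
const sampleBanner = {
  buttons: {
    accept: { fontSizePx: 16, widthPx: 160, heightPx: 44, background: "#1a7f37", color: "#ffffff", clicks: 1 },
    reject: { fontSizePx: 12, widthPx: 160, heightPx: 44, background: "#cccccc", color: "#ffffff", clicks: 3 },
  },
  categories: [
    { id: "necessary", necessary: true, checkedByDefault: true, purpose: "Login and security" },
    { id: "analytics", necessary: false, checkedByDefault: true, selectable: true,
      purpose: "Google Analytics, which measures page views", transfersToUS: true },
    { id: "marketing", necessary: false, checkedByDefault: false, selectable: true,
      purpose: "Ads for our products on other websites" },
  ],
  preferenceCenterUrl: null,
};

console.log(auditBanner(sampleBanner));
```
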
Step 2: Choose a Compliant Cookie Management Platform
Not all cookie consent managers (CMPs) are equal in Belgium. The GBA has criticized some popular CMPs for enabling dark patterns. Look for platforms that:
- Enforce equal prominence between buttons
- Don't allow pre-ticked optional categories
- Provide a persistent preference center
- Offer clear disclosure templates
- Include translations for multiple languages
Examples: Cookiebot, OneTrust, TrustBox, Osano, CookieLaw. Review their GDPR compliance documentation specifically for Belgium.
Step 3: Draft Clear Cookie Categories
Create simple, non-technical descriptions:
- Necessary: "These cookies keep you logged in, remember your language choice, and protect against security threats."
- Analytics: "These help us understand which pages you visit and how long you stay, so we can improve our website."
- Marketing: "These show you ads for our products on other websites based on what you've viewed here."
- Preferences: "These remember your choices, like timezone or currency, so you don't have to enter them again."
Step 4: Document Your Data Flows
Map out:
- Which tools you use (Google Analytics, Meta Pixel, email marketing platform, etc.)
- Where each tool processes data
- How long data is kept
- What legal basis you're using (consent, legitimate interest, contract, etc.)
This helps you write accurate cookie disclosures and prepares you if the GBA asks questions.
Step 5: Create a Persistent Preference Center
Add a "Cookie Settings" or "Privacy Settings" link in your footer. This page should allow visitors to:
- See all cookie categories and their purposes again
- Change their consent choices
- Withdraw consent entirely
- Download a copy of their preferences
Common Mistakes to Avoid
- "Accept" in green, "Reject" in gray — Even a slight color difference signals manipulation. Make them genuinely equal.
- Hiding the settings link — If visitors have to hunt for your preference center, it's not easily accessible.
- Assuming youtube-nocookie.com is enough — Using YouTube's no-cookie embed still requires consent if you're collecting analytics about visitor interaction.
- Translating carelessly — A poorly translated cookie banner confuses non-Dutch and non-French speakers, which the GBA views as a consent problem.
- Using "legitimate interest" as a catch-all — The GBA is skeptical of marketing cookies on legitimate interest. Consent is safer.
Penalties for Getting It Wrong
The GBA has authority to fine companies up to €1.2 million or 2% of global revenue, whichever is higher, under GDPR. For intentional violations or repeated infringements, fines go to 4% of revenue. A cookie dark pattern isn't the worst GDPR violation, but the GBA has shown it will pursue them.
More practically, the GBA also accepts complaints from individual visitors. A single well-documented complaint about your cookie banner can trigger an investigation.
Summary and Checklist
Before launching your cookie banner, confirm:
- Reject button is equal in prominence to accept
- No pre-ticked boxes for optional cookies
- Clear explanation of each cookie category and purpose
- Granular choice (not all-or-nothing)
- Data transfer disclosures (especially for US-based tools)
- Preference center accessible from every page
- Banner available in Dutch, French (and German if relevant)
- Easy withdrawal of consent
- No language barriers to understanding consent
The GBA doesn't expect perfection, but it does expect respect for visitor choice and transparency. A banner that makes rejecting as easy as accepting, explains clearly what you're doing with data, and lets visitors change their mind later meets the standard. Keep it straightforward, avoid any design tricks, and you'll stay compliant.
For specific guidance, consult the Gegevensbeschermingsautoriteit (GBA) or Autorité de protection des données (APD) at www.autoriteprotectiondonnees.be—they publish decision summaries in English.