Belgian GBA Cookie Enforcement: What They Check on Your Website

The Gegevensbeschermingsautoriteit (GBA) has been actively enforcing cookie rules on Belgian websites. If you run a business website in Belgium, your cookie setup is subject to scrutiny under both the Wet van 13 juni 2005 betreffende de elektronische communicatie (Art. 129) and the GDPR.

Here is what the GBA actually checks and how to fix your setup before a warning turns into a fine.

What the GBA has been doing

The GBA has moved from guidance to enforcement on cookie consent. In its Aanbeveling 01/2020, it laid out how cookie consent must work under Belgian law. Since then, the GBA has followed through with real enforcement actions.

The most prominent Belgian cookie case is the Mediahuis decision, where the GBA imposed a dwangsom (penalty payment) for non-compliant cookie practices on one of Belgium's largest media groups. The IAB Europe transparency and consent framework case, decided in February 2022, also originated with the GBA and had EU-wide consequences. The GBA found that the TCF consent string itself constituted personal data and that IAB Europe was acting as a data controller, which led to a EUR 250,000 fine.

These are not theoretical threats. The GBA checks websites, receives complaints and acts on them.

What the GBA checks on your website

GBA cookie enforcement focuses on a few specific areas.

Cookies before consent. When someone visits your site for the first time, do cookies get placed before they click "accept"? Many cookie banners load Google Analytics, Facebook Pixel or marketing cookies the moment the page loads. The banner shows up, but the tracking already started. That violates Art. 129 of the Wet van 13 juni 2005.

Reject must be as easy as accept. If your cookie banner has a big green "Accept all" button but hides the reject option behind a settings menu, that is not valid consent. The GBA requires that refusing cookies is just as easy as accepting them. One click to accept means one click to reject. Our guide on what your cookie banner must look like covers all the design and legal requirements in detail.

Pre-checked boxes. If your cookie settings page shows checkboxes that are already ticked, that violates the GDPR. Consent must be an active choice. The user has to check the box themselves. The CJEU confirmed this in the Planet49 ruling (C-673/17), which applies directly in Belgium.

Cookie walls. Some websites block access until you accept cookies. The GBA considers this coercive and not freely given consent. There are limited exceptions, but for most business websites, cookie walls do not hold up.

Dark patterns in banner design. Using colours, sizing or wording that push users toward accepting is something the GBA now specifically flags. A tiny grey "reject" link next to an oversized "Accept all" button counts as a dark pattern.

Who has been fined in Belgium

The GBA has issued several notable enforcement actions.

The Mediahuis dwangsom is the clearest Belgian cookie case. The GBA found non-compliant cookie consent practices and imposed a penalty payment to force compliance.

The IAB Europe case (EUR 250,000 fine, February 2022) started at the GBA and reshaped how the entire AdTech industry handles consent across Europe.

Beyond Belgium, France's CNIL fined Google EUR 150 million and Facebook EUR 60 million for cookie consent violations in 2022. While those are tech giants, the legal standard under the ePrivacy Directive is the same for a Belgian restaurant website. The rules do not have a size exception.

Under the Wet van 13 juni 2005, cookie violations can lead to administrative fines. For GDPR violations related to cookie data processing, fines can reach EUR 20 million or 4% of annual worldwide turnover. For a small business, realistic amounts are much lower, but even a EUR 5,000 to EUR 25,000 fine is painful for a small operation. We have documented real GDPR fines for small businesses with actual case amounts.

How to check your cookie setup

You can check most of this yourself in about 10 minutes.

Step 1: Open your website in a private/incognito window. This gives you a fresh session with no existing cookies.

Step 2: Before clicking anything on the cookie banner, check what cookies are set. In Chrome, press F12, go to the Application tab and look under Cookies. If you see tracking cookies from Google, Facebook, Hotjar or similar services, your site is placing cookies before consent. That is the number one violation the GBA catches.

Step 3: Look at your cookie banner. Is there a clear "Reject" or "Deny" button that is equally visible as the "Accept" button? If reject is hidden behind "Manage preferences" or "Cookie settings," you have a problem.

Step 4: If your banner has settings, check the default state. Are any non-functional cookie categories pre-selected? They should not be.

Step 5: Click reject and check again. After rejecting, are tracking cookies still present? Some cookie banners do not actually block cookies when you reject. They just record your preference and do nothing with it.

You can also run a free scan on your website that checks cookie behaviour automatically, including what fires before consent.

How to fix your cookie banner

If your check revealed problems, here is what to do.

Switch to a consent-first setup. Your cookie management tool (Cookiebot, CookieYes, Complianz or whatever you use) needs to block all non-functional cookies and scripts until consent is given. Most tools have this feature, but it is often not enabled by default. Look for settings called "auto-blocking" or "prior blocking."

Add a visible reject button. Your banner needs a clear reject option at the same level as accept. Not behind a submenu. Not in smaller text. Same visual weight. Many cookie tools let you configure this in their dashboard.

Uncheck all default selections. Go into your cookie tool settings and make sure no optional categories are pre-selected in the preferences panel.

Remove cookie walls. If your site blocks content until cookies are accepted, change it. Let users browse with only functional cookies active.

Test after changes. Open an incognito window again and repeat the check. Click reject and verify that tracking cookies do not appear.

What to do if the GBA contacts you

Do not ignore it. A warning or request from the GBA will include a deadline.

Fix your cookie setup before the deadline. Document what you changed and when. If the GBA follows up, you want to show that you took action promptly.

If you are unsure whether your fix is sufficient, get your website scanned by an independent tool. Do not just trust your cookie plugin's "compliant" badge.

Keep the correspondence and your documentation. If the GBA does a follow-up check and finds you have fixed the issues, that is usually the end of it.

The bigger picture

Cookie enforcement in Belgium is part of a broader EU trend. The GBA coordinates with other European data protection authorities through the European Data Protection Board (EDPB). Enforcement waves are increasingly synchronised across borders.

This is not a one-time campaign. It is a shift toward consistent enforcement. Getting your cookie setup right now saves you from repeat problems later.

Your cookie banner is also the first thing visitors see on your site. A sloppy or manipulative consent setup damages trust before someone even reads your content. And cookies are just one piece of the puzzle. GDPR also requires you to keep your website secure, which most businesses overlook entirely.

---

Check your website now. Scan your website for cookie issues and more. Free, takes 2 minutes.

---

Frequently asked questions

Does the GBA only check Belgian websites?

The GBA focuses on websites targeting Belgian users. If your site targets Belgian consumers or your business is registered in Belgium, you are in scope regardless of where your server is hosted.

Are functional cookies affected by these rules?

No. Cookies that are strictly necessary for your website to function (shopping cart, login session, language preference) do not require consent. The rules apply to analytics, marketing and tracking cookies.

My cookie plugin says I am compliant. Is that enough?

Not necessarily. Many cookie plugins have compliant settings available but do not enable them by default. The GBA checks actual behaviour, not what your plugin dashboard says. Test it yourself in an incognito window.

Can I just remove my cookie banner entirely?

Only if your website genuinely does not use any non-functional cookies. No Google Analytics, no Facebook Pixel, no embedded YouTube videos, no third-party fonts loaded from external servers. If you strip all of that out, you might not need a banner. But most business websites use at least one of these.

What if my web designer set up the cookie banner?

You are still responsible for your own website. But if your web designer configured something incorrectly, talk to them about fixing it. Many web designers will update the setup at no extra cost since it is a configuration change, not a rebuild.