GDPR & cookie compliance in 2026: a practical guide for Belgian websites
What the Belgian Data Protection Authority (GBA / APD) really expects from websites in 2026: valid consent, cookie walls, privacy policies, and the fines that are now actually being issued. Includes a practical checklist.
Eight years after GDPR came into force, Belgian enforcement has finally become concrete. Where the Belgian Data Protection Authority (GBA / APD) mostly issued warnings in the early years, since 2024 we’ve seen a clear shift towards actual fines, including for smaller Belgian businesses. Time, in other words, to take your website seriously.
This guide summarises what the GBA expects in 2026, the mistakes we most commonly see on Belgian SME sites, and how to fix them without needing a law firm.
Disclaimer: this is not legal advice. We’re web developers working with these rules every day, not lawyers. For complex cases (healthcare, financial services, large data volumes), a DPO or specialised privacy lawyer is irreplaceable.
Where Belgian enforcement stands in 2026
In 2024 and 2025 the GBA published a series of decisions on cookies and tracking pixels that set the tone for current practice:
- Consent must genuinely be an active action. Pre-ticked boxes, “OK”-only banners without a real choice, or “continued browsing = consent” are not accepted.
- The “reject” button must be as prominent as the “accept” button. Many sites still have a big green “Accept all” and a hidden link to “Manage preferences”. This has been flagged by the GBA as non-compliant since late 2023.
- Tracking pixels from Meta, TikTok or LinkedIn require consent just like Google Analytics. No exceptions.
- Fines for SMEs are now realistic. Amounts between €5,000 and €50,000 have been imposed in the past two years on Belgian businesses with a few dozen employees.
The EU is also working on a simplified cookie consent regime (“cookie pledge”, and possibly an ePrivacy regulation revision later). Until that is finalised, the current rules continue to apply.
What is “valid consent”?
GDPR (Articles 4 and 7) states that consent must be freely given, specific, informed and unambiguous. Concretely for a website:
- Free: the visitor mustn’t suffer for refusing. A site that becomes unusable without cookies, when the site is essentially an information site, does not qualify.
- Specific: consent must be possible to give or refuse separately per purpose (analytics, marketing, social media). A single big “yes” button for everything is not enough.
- Informed: the visitor must know which cookies or trackers will be set, by whom, and what they do, before giving consent.
- Unambiguous: an active action. Not: “by continuing to browse, you agree”. Instead: a click on a button specifically intended for consent.
The four cookie categories
Not all cookies require consent. The standard breakdown:
1. Strictly necessary cookies, no consent needed
Cookies that ensure basic site functionality: session cookies, shopping cart, login state, language choice. You may set these without prior consent, provided they are technically necessary.
2. Functional cookies, consent recommended
Cookies that improve experience but aren’t strictly necessary: remembering preferences, embedded YouTube videos, chat widgets. The GBA leans towards “ask for consent” unless the cookie is genuinely essential (e.g., a live chat that’s the core of your service).
3. Analytics cookies, consent required
Google Analytics, Plausible (cookie mode), Matomo (cookie mode), Microsoft Clarity. All require consent.
One exception is sometimes mentioned: a server-side analytics setup without cookies and without personal data (e.g., anonymised IP, no fingerprinting) can, under strict conditions, run without consent. The French CNIL has published a list of analytics tools that may be used this way; in practice the Belgian GBA follows that line.
4. Marketing and tracking cookies, consent required
Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Google Ads remarketing, Hotjar, all retargeting. No exceptions, active consent always required.
Is a cookie wall allowed in 2026?
A “cookie wall” is a banner that completely blocks your site until consent is given. The GBA and EDPB rejected this principle in 2020 as incompatible with “free consent”, except for some specific cases (e.g., news sites running a “pay or accept” model). For a normal Belgian SME, a cookie wall is not an option.
What is allowed: a passive banner at the top or bottom with clear options (Accept / Reject / Preferences) that doesn’t block your site.
What must be in your privacy policy?
A correct privacy policy contains at minimum:
- Who the controller is (you or your business, with address and VAT number)
- What personal data you collect (name, email, IP, behavioural data, etc.)
- What you use it for (contact, newsletter, statistics, advertising)
- On what legal basis (consent, legitimate interest, contract execution, legal obligation)
- How long you keep it
- Who you share it with (hosting provider, mailing service, payment processor, …)
- Whether data transfers outside the EU happen (crucial for Google, Meta, US-based tools)
- The user’s rights (access, correction, deletion, objection, portability)
- Contact details of your DPO if you have one
- A reference to the GBA for complaints
Our own privacy policy is a workable example for an SME.
Practical checklist for your Belgian website
- Cookie banner present on every page, before any non-essential cookie is set
- “Accept” and “Reject” equally prominent (same colour, size, position)
- Granular choice: users can refuse analytics but accept marketing (or vice versa)
- No tracking scripts loaded before consent. No Google Analytics, Meta Pixel or similar before the visitor clicks “Accept”
- Consent revocable: a link or icon allowing visitors to change their choice
- Privacy policy complete and accessible from every page (footer)
- Cookie policy: a separate page with an up-to-date overview of all cookies your site sets
- DPAs signed with all your processors (hosting, mailing, CRM, analytics)
- Non-EU transfers documented: for every US-based tool (Google, Meta, Webflow, Mailchimp) you need a valid legal basis (DPF, SCCs)
- Record of processing activities (Article 30 GDPR), mandatory for businesses with 250+ employees, strongly recommended for everyone
- Data-breach procedure: what do you do if you are hacked? You have 72 hours to notify the GBA
- Consent logs retained: can you prove that a specific user gave consent at a specific moment?
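Several checklist items above (no tracking scripts before consent, granular choice, revocable consent, consent logs you can prove) come down to one piece of front-end state. The following is an added example of that state model for a self-built banner; it is not code from this article or from any of the consent tools named below. The function names, the script registry and its URLs are constructed for the example, and the actual banner markup and the server-side storage of the log are left to you.

```javascript
// Added example: minimal consent-state model for a self-built cookie banner.
// Hypothetical helper names; not code from the original article or any CMP product.

// The four categories from the article. "necessary" is always on and cannot be refused.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed registry of third-party scripts, keyed by the category that gates them.
// IDs in the URLs are placeholders; the point is that nothing outside "necessary"
// is injected before the visitor has made an explicit choice.
const SCRIPT_REGISTRY = [
  { id: "ga4", category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { id: "meta-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "chat-widget", category: "functional", src: "https://example.invalid/chat.js" },
];

// Build a consent record from the visitor's explicit choices. Anything not set to
// exactly `true` is treated as refused (no pre-ticked boxes, no implied consent).
// policyVersion records which cookie policy the visitor actually saw at that moment.
function recordConsent(choices, policyVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : choices[c] === true;
  }
  return {
    id: `${now.getTime().toString(36)}-${Math.random().toString(36).slice(2, 10)}`,
    timestamp: now.toISOString(),
    policyVersion,
    granted,
  };
}

// "Reject all" goes through the same path as any other explicit choice: every optional
// category becomes false. One click, exactly like "Accept all".
function rejectAll(policyVersion, now = new Date()) {
  return recordConsent({}, policyVersion, now);
}

// Withdrawal produces a new record that points at the old one; the old record stays in
// the log, so the log is append-only evidence of what was granted when.
function withdrawConsent(previous, policyVersion, now = new Date()) {
  return { ...rejectAll(policyVersion, now), withdraws: previous.id };
}

// Which registered scripts may load under a given record. With no record yet (first
// visit, banner still open) only "necessary" is allowed, which gates nothing here.
function allowedScripts(record, registry = SCRIPT_REGISTRY) {
  const granted = record ? record.granted : { necessary: true };
  return registry.filter((s) => granted[s.category] === true);
}

// Browser-only: inject the permitted scripts, at most once each. Guarded so the same
// module also runs under Node for testing; returns the ids it would (or did) load.
function loadAllowedScripts(record, doc = typeof document !== "undefined" ? document : null) {
  const allowed = allowedScripts(record);
  if (!doc) return allowed.map((s) => s.id);
  for (const s of allowed) {
    if (doc.querySelector(`script[data-consent-id="${s.id}"]`)) continue;
    const el = doc.createElement("script");
    el.src = s.src;
    el.async = true;
    el.dataset.consentId = s.id;
    doc.head.appendChild(el);
  }
  return allowed.map((s) => s.id);
}

// Compact form for a first-party cookie or localStorage. The banner reads it back on the
// next page view; a server-side copy of the full record is what you keep as the log.
function serializeConsent(record) {
  return JSON.stringify({ id: record.id, t: record.timestamp, v: record.policyVersion, g: record.granted });
}

// Parse defensively: a tampered or truncated value simply means "no consent yet".
function parseConsent(raw) {
  try {
    const o = JSON.parse(raw);
    if (!o || typeof o.g !== "object" || o.g === null) return null;
    return { id: o.id, timestamp: o.t, policyVersion: o.v, granted: o.g };
  } catch {
    return null;
  }
}
```

Two design choices matter for the checklist: refusal is the default for every optional category, so a visitor who closes the banner without clicking anything gets no tracking scripts; and withdrawal creates a new record rather than deleting the old one, so you can still show what was granted before the visitor changed their mind.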
Which cookie consent tools do we use in Belgium?
We’ve worked with most tools over the years. Our take:
- Cookiebot, Danish, GDPR-native, auto-scans your site, pricing around €10-€60/month depending on size. Our go-to for mid-sized SMEs.
- Iubenda, Italian, also generates privacy policies. Solid alternative.
- Cookie Notice & Compliance (WordPress plugin), free, does what it should for small sites but manual cookie categorisation.
- CookieYes, good free tier up to 25,000 sessions per month.
- OneTrust / Usercentrics, enterprise-grade, overkill for most SMEs.
- A custom build: for sites with very few external scripts, a custom cookie banner in 200 lines of code is often the cleanest answer.
On our own site we use a self-built cookie banner, deliberately minimal because we use almost no external trackers ourselves.
Frequently asked questions
Do I need a DPO (Data Protection Officer)? Required if you systematically process large volumes of personal data (Article 37 GDPR). For most SMEs a DPO is not mandatory, but it is advisable for sectors like healthcare, HR services, or marketing.
What if I don’t use analytics? Then you don’t need consent for analytics. But if you also don’t use embedded YouTube, Google Maps or social media pixels, you can in theory run without a cookie banner. Realistically, that’s rare.
What about server-side Google Analytics? A server-side setup avoids browser cookies, but data transfer to Google in the US remains an issue. Since the EU-US Data Privacy Framework (DPF) there is a valid legal basis, but you must explicitly disclose it in your privacy policy.
What about embedded YouTube or Vimeo? YouTube sets cookies as soon as the player loads. Use the “youtube-nocookie.com” variant, or load the embed only after consent. Vimeo has a “Do Not Track” mode that is more privacy-respectful.
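The two options in that answer (the privacy-enhanced player domain, or loading the player only after consent) can be combined, as in this added example. It is not code from the article; the function names and the placeholder markup are assumptions, and the marketing-consent boolean is expected to come from your banner. The `youtube-nocookie.com` domain and Vimeo's `dnt=1` player parameter are the real mechanisms the article refers to.

```javascript
// Added example: consent-gated video embeds. Hypothetical function names, not code
// from the article. Assumes the banner exposes marketing consent as a boolean.

// Escape a value for an HTML attribute. Video ids usually come from your own CMS,
// but treating them as untrusted costs nothing.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Only plain ids are accepted; anything else is rejected rather than interpolated.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;
const VIMEO_ID = /^[0-9]{1,12}$/;

// Player URL for the privacy-respecting variant of each provider:
// youtube-nocookie.com for YouTube, dnt=1 (Do Not Track) for the Vimeo player.
function playerUrl(provider, videoId) {
  if (provider === "youtube") {
    if (!YOUTUBE_ID.test(videoId)) throw new Error("invalid YouTube id");
    return `https://www.youtube-nocookie.com/embed/${videoId}`;
  }
  if (provider === "vimeo") {
    if (!VIMEO_ID.test(videoId)) throw new Error("invalid Vimeo id");
    return `https://player.vimeo.com/video/${videoId}?dnt=1`;
  }
  throw new Error(`unsupported provider: ${provider}`);
}

// Render the real iframe when consent is given, otherwise an inert placeholder that
// carries provider and id as data attributes so it can be upgraded without a reload.
// Nothing from the video host is contacted until the iframe actually exists.
function renderEmbed(provider, videoId, consentGiven) {
  const src = playerUrl(provider, videoId); // validates the id on both branches
  if (consentGiven) {
    return `<iframe src="${escapeAttr(src)}" loading="lazy" allowfullscreen ` +
      `referrerpolicy="strict-origin-when-cross-origin" title="Video"></iframe>`;
  }
  return `<div class="video-placeholder" data-provider="${escapeAttr(provider)}" ` +
    `data-video-id="${escapeAttr(videoId)}">` +
    `<p>This video is hosted by ${escapeAttr(provider)}. ` +
    `Accept marketing cookies to load it.</p>` +
    `<button type="button" data-consent-category="marketing">Load video</button></div>`;
}

// Browser-only: swap every placeholder for the real player once consent arrives.
// Returns the number of placeholders upgraded (0 under Node, where there is no DOM).
function upgradePlaceholders(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let n = 0;
  for (const el of doc.querySelectorAll(".video-placeholder")) {
    el.outerHTML = renderEmbed(el.dataset.provider, el.dataset.videoId, true);
    n++;
  }
  return n;
}
```

Wire `upgradePlaceholders()` to the same event your banner fires when marketing consent is granted, and render placeholders server-side for visitors who have not decided yet; that way the page never loads the player before the click, which is the behaviour the checklist asks for.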
What are the fines? Theoretically a GDPR fine can reach 4% of global annual turnover. In Belgian SME practice we see amounts between €5,000 and €50,000 for systematic violations. The GBA is enforcing more strictly each year.
In closing
GDPR compliance isn’t a one-off project, it’s an ongoing discipline. The good news: if your website is built with privacy-by-design in mind, the practical burden is much lighter than it seems.
We build every site with a working cookie consent integration, a correct privacy policy, and a register of DPAs. Book a free review if you’re curious whether your current site is in order; we’ll take a look, free and without obligation.