Cookie Consent and Analytics in Belgium: What Belgian Website Owners Need to Know in 2026

Eight million Belgians trust a single app with their legal identity, banking, and document signing. But when those same people visit a Belgian news site, they face dark-pattern cookie banners designed to trick them into tracking consent. Belgium solved digital identity. It has not solved a simple yes/no question about cookies. The difference: identity verification serves the user. Cookie consent serves the advertiser.

Belgium's privacy paradox

Brussels is where the GDPR was written. The European Commission, the European Data Protection Board, and the European Data Protection Supervisor are all headquartered there. The GDPR is the most-copied regulation in history: dozens of countries worldwide have enacted laws modelled on it. Privacy law, as a global export, was made in Belgium.

Belgium also has 96.3% internet penetration, 1.7 million .be domains, and an e-commerce market that hit EUR 17.4 billion in 2024. It scores above the EU average on the Digital Economy and Society Index. The Belgian National Internet Exchange (BNIX), founded in 1995, was one of the first in Europe. Before it existed, Belgian internet traffic between local providers was routed through the United States.

And then there is itsme, Belgium's digital identity app. Eight million users, 594 million identity actions in 2025, over 80% of the adult population. Belgians sign legally binding mortgage documents on their phones. They authenticate bank transactions with a fingerprint. They file their taxes.

Yet Belgium's data protection authority spent three years in an independence crisis, its landmark cookie ruling keeps getting overturned on procedural grounds, and its biggest news sites needed the threat of EUR 25,000/day fines before they would add a "Reject" button to their cookie banners.

The APD: a regulator that reformed itself

The Autorité de protection des données (APD in French, Gegevensbeschermingsautoriteit or GBA in Dutch) is Belgium's data protection authority. It has 84 staff (up from 68 in 2023), a budget of EUR 15.1 million, and offices in Brussels.

The APD's recent history is turbulent. In June 2021, the European Commission launched infringement proceedings against Belgium, arguing the DPA lacked the "complete independence" required by GDPR Article 52. The core issue: Frank Robben, a member of the DPA's Knowledge Centre, simultaneously served as general administrator of the Crossroads Bank for Social Security, head of the eHealth platform, and CEO of Smals, the government's main IT service provider. He was designing government data systems while sitting on the body supposed to regulate them.

In November 2021, the European Commission escalated to a reasoned opinion, giving Belgium two months to fix the situation or face the EU Court of Justice. Director Alexandra Jaspar resigned in December 2021, stating that Chairman David Stevens "does everything possible not to defend the privacy of citizens" and that the DPA was "infiltrated by people who work for the government." In July 2022, parliament dismissed Stevens.

The reformed APD processed 837 complaints and 1,455 data breach notifications in 2024. Inspection cases jumped 83% from 86 to 157. The Strategic Plan 2026-2028 explicitly targets ad-tech platforms, data brokers, and children's data for proactive enforcement.

The legal framework: no exemptions

Cookie consent in Belgium was originally governed by Article 129 of the Electronic Communications Act (2005). In January 2022, that provision was transferred to Article 10/2 of the Law of 30 July 2018 (the Belgian Privacy Act). The rules did not change, only their location in the statute books. Like the Netherlands, Belgium operates a two-layer framework: Article 10/2 governs device access (can you set a cookie?), and the GDPR governs data processing (how can you use the data?).

The critical difference: Belgium has no analytics exemption.

The Netherlands allows first-party analytics cookies without consent if they meet strict conditions. France's CNIL exempts certain analytics tools from consent. Germany has a narrow exception for server-side log analysis. Belgium requires consent for everything.

This is not for lack of trying. In 2020, seven Belgian industry associations, FeWeb, UBA, BAM, SafeShops, ACC, Cube, and UMA, jointly lobbied the GBA to allow analytics cookies without consent, arguing Belgium's strict position causes "serious competitive disadvantage" compared to its neighbours. The GBA refused. Its FAQ page explicitly states: analytics cookies require consent. No exceptions.

The other rules are equally strict. Cookie walls are banned. Legitimate interest cannot bypass consent for analytics. Consent is valid for six months maximum. Pre-ticked boxes, scroll-as-consent, and implied consent are all prohibited.

Cookieless analytics bypass Article 10/2 entirely. No device access means no consent trigger. The analytics exemption debate becomes irrelevant when there is nothing to exempt.

Cookie consent: what Belgium requires

The APD published an official cookie checklist in October 2023 that codifies its expectations. The requirements are specific.

First layer (what visitors see immediately): "Accept All" and "Reject All" buttons must be equally prominent. Same size, same colour weight, same visual hierarchy. The controller's identity, the purposes of each cookie category, and the number of third parties must be clearly stated.

Second layer (behind "Manage preferences"): granular consent per cookie category, with purpose, duration, and recipients listed for each. Only 2.18% of users ever visit this second layer. Hiding the reject option there is functionally a dark pattern.

Withdrawal: consent withdrawal must be as easy as giving consent, available free of charge, and accessible from every page.

One detail stands out. The APD's own website, dataprotectionauthority.be, uses Plausible (a privacy-first analytics tool) and still asks for consent before tracking. The regulator does not consider even privacy-friendly analytics exempt.

The IAB TCF ruling: Belgium's biggest contribution to European privacy

On February 2, 2022, the APD declared the IAB Transparency & Consent Framework non-compliant with the GDPR and fined IAB Europe EUR 250,000. The TCF is the system behind cookie consent popups on roughly 80% of European websites. The Belgian DPA found that the TC String, the encoded record of a user's consent preferences, constitutes personal data, and that IAB Europe is a joint controller for its processing.

Hielke Hijmans, chairman of the APD's Litigation Chamber, stated: "People are invited to give consent, whereas most of them don't know that their profiles are being sold a great number of times a day in order to expose them to personalised ads."

The case has been through four rounds of rulings and is still not resolved.

The practical impact: 80% of CMPs failed audits on basic requirements like disclosing TC String storage duration. 53% lacked equally easy consent withdrawal. The system designed to make cookie consent work was itself non-compliant. Belgium pointed that out. The rest of Europe is still sorting out the consequences.

Google Analytics in Belgium

Unlike Austria, France, and Italy, Belgium has never formally banned Google Analytics.

The closest case is APD Decision 112/2024 (Roularta Media Group / flair.be). A noyb-represented complainant challenged the use of Google Analytics on flair.be. The APD's Inspection Service documented 11 categories of GDPR violations, including unlawful US data transfers, analytics cookies misclassified as "necessary," and missing pseudonymization. The DPA dismissed the complaint on procedural grounds: noyb had "artificially created" standing by instructing a trainee to visit the site as part of a pre-designed complaint project.

In June 2025, the Belgian DPA dismissed 16 more noyb complaints (targeting Honda, Mastercard, Coca-Cola, and others) for "abusive use of the right to lodge complaints." Belgium is the only EU country to have dismissed noyb complaints on this basis.

GA4 is not banned. But it absolutely requires consent. The EU-US Data Privacy Framework (July 2023) resolved the data transfer question. Google is DPF-certified. The remaining obligation is the cookie. GA4 sets _ga and _ga_<container-id> cookies that are classified as non-essential under Article 10/2. Without valid prior consent, those cookies cannot fire. Most Belgian websites lose the majority of their analytics data because visitors decline consent.

For the full EU-wide picture, see our overview: Is Google Analytics Legal in 2026?

Notable enforcement actions

Cookie enforcement in Belgium escalated sharply after noyb filed complaints against 15 Belgian news websites in July 2023. The APD initially tried a settlement approach, letting sites pay EUR 10,000 with no compliance requirement. Noyb publicly called this out: "It seems that in Belgium you can just pay a fee to avoid compliance with the GDPR." After noyb challenged the settlements, the APD converted them into binding legal orders.

The Jubel.be fine in 2019 was Belgium's first cookie-specific fine, targeting a small legal news site with roughly 35,000 monthly visitors. The message: enforcement applies to businesses of every size.

A newer development: DPG Media (Belgium's largest media group, owner of HLN and De Morgen) began testing a "pay or consent" model in December 2024. Visitors either accept tracking cookies or pay EUR 4/month for cookie-free browsing. The EDPB has expressed reservations, stating that "controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy."

Belgium vs. the Netherlands

If you read our Netherlands guide, the contrast is striking. Two neighbouring countries, similar populations, similar digital maturity, very different approaches to analytics enforcement.

The resource gap is enormous. The Dutch AP has roughly 4x the staff and 4x the budget despite the Netherlands having only 50% more population. Belgium compensates with creative enforcement (daily penalty payments instead of one-time fines) but cannot match the Netherlands' systematic scanning approach.

The analytics exemption is the practical difference that matters most. In the Netherlands, a cookieless analytics tool that meets the AP's conditions runs without consent. In Belgium, the same tool technically still needs consent if it uses any form of device access. The cookieless approach works the same way in both countries: no cookies, no device access, no consent required.

What's coming

Three developments will shape Belgian cookie law in the near term.

The Digital Omnibus (proposed November 2025). The European Commission proposes moving cookie rules from the ePrivacy Directive into the GDPR. A new Article 88a(3)(c) would create an EU-wide exemption for audience measurement, as long as data is aggregated, first-party only, and not shared. This would override Belgium's strict position. Google Analytics would almost certainly not qualify: its cross-site data flows and advertising integration fall outside the exemption. Privacy-first analytics tools would. Earliest practical impact: 2027-2028.

The APD's strategic shift. The 2026-2028 Strategic Plan moves the APD from reactive complaint handling to proactive enforcement targeting ad-tech, data brokers, healthcare, and children's data. In practice, this means individual DPO questions will no longer be answered systematically. The APD is no longer a help desk.

The unresolved IAB TCF case. The APD must now issue a new decision on corrective measures with narrower scope, following the January 2026 annulment. How it handles this will signal whether the reformed DPA can avoid the procedural errors that have plagued the case since 2022.

What this means for your website

If you run a website targeting Belgian visitors, the picture is clear but not hopeless.

The rules are strict. Every analytics cookie needs consent. Cookie walls are banned. Reject must be as easy as Accept. Dark patterns are explicitly prohibited. Consent expires after six months.

The enforcement is real. Daily penalty threats of EUR 25,000-40,000 per website are not theoretical. Mediahuis and RTL Belgium both complied rather than face accumulating fines. The APD is pivoting from complaint-driven to proactive enforcement.

The data loss is significant. Belgium has unique conditions that amplify the problem. Here is what happens to 1,000 Belgian visitors when you use cookie-based analytics.

Cookieless analytics bypass Article 10/2 entirely. No cookies means no device access. No device access means no consent trigger. The entire compliance burden disappears. Clickport tracks every visitor from day one, with no consent banner, no data sent to third parties, and no dependence on a legal framework that could change again by 2028.

Belgium's rules are strict. But they only apply to tools that touch the device. Skip the device, skip the rules.

Start your free 30-day trial. No credit card required.

Frequently asked questions

Do I need a cookie banner in Belgium?

Only if you use non-essential cookies. If your website sets analytics, advertising, or social media cookies, you need a GDPR-compliant cookie banner with equally prominent Accept and Reject buttons on the first layer. If you use cookieless analytics and no other non-essential cookies, no banner is required for analytics.

Are analytics cookies exempt from consent in Belgium?

No. Belgium is one of the strictest countries in Europe on this point. Unlike the Netherlands, France, and Germany, Belgium has no analytics exemption. The APD requires consent for all analytics cookies, including first-party, privacy-friendly tools.

Is Google Analytics legal in Belgium?

GA4 is not banned. The Belgian DPA has never issued a formal ruling against Google Analytics. However, GA4 sets non-essential cookies that require prior opt-in consent under Article 10/2. Without valid consent, those cookies cannot fire. The EU-US Data Privacy Framework covers the data transfer question.

What happens if my cookie banner lacks a "Reject All" button?

The APD has imposed daily penalties of EUR 25,000-40,000 per website for this violation. Mediahuis (four news sites) and RTL Belgium were both ordered to add equally prominent reject buttons. Both complied.

How long is cookie consent valid in Belgium?

The APD's cookie checklist suggests a maximum of six months for preference-storing cookies. After that, you must re-collect consent. This is shorter than many other EU countries.

Can I use a cookie wall in Belgium?

No. Cookie walls are explicitly prohibited. The APD's 2023 checklist states: "Do not use cookie walls." Consent must be freely given, which means access to your website cannot depend on accepting tracking cookies.

Will the Digital Omnibus change Belgium's cookie rules?

The proposed Digital Omnibus includes an EU-wide analytics exemption that would override Belgium's strict position for qualifying tools. Google Analytics would likely not qualify due to its cross-site data flows. Privacy-first analytics tools would. Adoption is not expected before 2027. Since the Omnibus is a Regulation (not a Directive), it would apply directly without national transposition, likely by 2027-2028.

What analytics tools work without consent in Belgium?

Any analytics tool that does not access the visitor's device (no cookies, no localStorage, no fingerprinting) falls outside the scope of Article 10/2. Clickport, Plausible, and Fathom all offer cookieless modes. The APD's own website uses Plausible.