Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Belgium. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.
Applicable laws
The legal framework that governs personal data processing here.
National add-ons
Country-specific statutes layered on the EU baseline.
- Art 7-10 Special-category data — Belgian-specific permissions (employment, social security, health)
- Art 8 Child consent age — 13 (Belgium opted below GDPR's 16 default)
- Art 221-230 Criminal sanctions — fines up to €160,000 + imprisonment for serious GDPR breaches
- Art 4 Public-sector exemption from administrative fines (controversial — APD cannot fine federal/regional authorities)
- Art 129 Storage / read access on terminal equipment requires prior, informed consent — analytics/marketing never qualify as strictly necessary
- Art 145 Sanctions — administrative fines and criminal penalties for breach
- Livre VI Art VI.110 Email/SMS marketing — prior express opt-in required
- Livre XII Art XII.13 Soft opt-in — narrow exception for existing-customer + similar products + opt-out at every contact
Regulators
Supervisory authorities that interpret and enforce privacy law here.
State / Land DPAs · 3 authorities
| Land / state | Authority | Note |
|---|---|---|
| Flemish region | VTC (subsidiary) | Flemish Toezichtcommissie — supervisory role for Flemish public sector, not a DPA in GDPR sense |
| Walloon region | APD competent | No separate regional DPA — APD competent |
| Brussels region | APD competent | No separate regional DPA — APD competent |
Coordination body
- 2022-02-02 · IAB Europe TCF v2 — APD declared the IAB Europe Transparency & Consent Framework non-compliant — €250,000 fine + 6-month action plan. TC String constitutes personal data; IAB Europe is joint controller for the consent layer.
- 2024-03-07 · CJEU C-604/22 — IAB Europe — Court of Justice confirmed APD's analysis: TC String is personal data and IAB Europe is a joint controller. Definitive validation of the 2022 ruling.
- 2023-12 · Cookie banner enforcement — APD published guidance reinforcing equal-prominence reject button + no pre-ticked boxes + no dark patterns. Active sweeps against non-compliant banners on Belgian-targeted sites.
Notable enforcement
Belgium's APD has a distinct enforcement profile — it punches above its weight on adtech and cookie-banner architecture rather than chasing headline fines against US tech giants. The IAB Europe TCF ruling (Feb 2022, €250K) is the most consequential single Belgian decision — it reshaped the entire EU adtech consent layer and was definitively validated by CJEU C-604/22 in March 2024. APD also runs active sweeps on Belgian-targeted cookie banners. Public-sector immunity from administrative fines (Art 4 of the 2018 law) remains controversial and limits APD's reach against government bodies.
- IAB Europe · APD · Art 5, 6, 24, 25 · stood, confirmed by CJEU
  Transparency & Consent Framework v2 declared non-compliant: TC String is personal data, IAB Europe is joint controller, consent layer fails GDPR + ePrivacy Art 5(3). 6-month action plan imposed. Confirmed by CJEU C-604/22 (7 March 2024).
- Roularta Media · APD · Art 6, 7 · stood
  Cookie placement and direct-marketing without valid consent on Belgian news titles. Reference case for APD cookie-banner enforcement methodology.
- Family Service · APD · Art 5, 6, 7 · stood
  Pre-ticked consent boxes and unlawful sharing of contact data with commercial partners. Decision n° 75/2020 — early reference case for APD direct-marketing enforcement.
GA4 status
GA4 is usable in Belgium only with prior, explicit, granular consent under Loi du 13 juin 2005 Art 129 (ePrivacy transposition). After EU-US DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. APD aligns with EDPB consensus and has not banned GA4 — but actively scrutinizes the consent layer (descended from the IAB Europe TCF ruling).
| DPA | Stance |
|---|---|
| APD | Aligned with EDPB — opt-in baseline. Post-DPF acceptable but consent layer must be airtight (no pre-ticks, equal-prominence reject, no dark patterns). |
| BIPT | Co-competent on cookie layer via Loi 2005 Art 129 — focuses on telecom-sector deployments. |
Cross-border transfers + Schrems II
APD is moderate on transfers — aligned with EDPB consensus. Post-DPF (10 Jul 2023) the APD accepts adequacy for DPF-certified US importers. For non-DPF transfers, Schrems II logic still applies — Transfer Impact Assessment + supplementary measures required. The APD has not pursued the aggressive TIA-policing posture of LfDI BW (Germany) or CNIL (France); enforcement focus has been the consent layer (TCF, banners) rather than transfers.
EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. APD scrutiny of Module 2 (controller-processor) is in line with EDPB guidance — no Belgium-specific overlay.
Employee data
Key thresholds
Vendor signals
Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.
Analytics tools · 12 · 6 green · 5 yellow · 1 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII). |
| | GREEN | Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config. |
| | GREEN | EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany. |
| | GREEN | German-hosted, cookieless, GDPR-aligned by design. |
| | GREEN | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required. |
| | GREEN | Open-source, cookieless, fully self-hostable. Default-green when self-hosted. |
| | YELLOW | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. |
| | YELLOW | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. |
| | YELLOW | Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green. |
| | YELLOW | EU residency available on paid plans; default cloud is US. Identifies users by default — needs config. |
| | YELLOW | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| | RED | Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization. |
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate. |
| | GREEN | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| | GREEN | Open-source, self-hosted. No managed updates — site owner maintains vendor list. |
| | GREEN | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. |
| | GREEN | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
Tag managers · 1 · 0 green · 1 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | YELLOW | Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended. |
Session replay · 3 · 0 green · 0 yellow · 3 red
| Vendor | Status | Rationale |
|---|---|---|
| | RED | Full session capture — highest-risk category. Explicit consent + DPIA + strict retention. |
| | RED | Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent. |
| | RED | Session replay + Microsoft tracking. DPIA + explicit consent required. |
Ad pixels · 3 · 0 green · 0 yellow · 3 red
| Vendor | Status | Rationale |
|---|---|---|
| | RED | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. |
| | RED | Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem. |
| | RED | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |
Server-side · 3 · 2 green · 1 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| | GREEN | EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| | YELLOW | "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
Compare with neighbors
Side-by-side rule comparison.
Common questions
Is Google Analytics legal in Belgium in 2026?
What is the IAB Europe TCF ruling and why does it matter?
Does my privacy notice need to be in 3 languages?
What is CCT 81 and does it affect analytics on internal tools?
What is the child consent age in Belgium?
Do I need a DPO in Belgium?
Who is the Belgian DPA?
Is 'legitimate interest' a valid basis for analytics in Belgium?
Do I need a Belgian Article 27 representative?
Can I rely on the IAB TCF v2.2 for my CMP?
// EDITORIAL · NOT LEGAL ADVICE This page summarises Belgium's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.