RTL Belgium Cookie Banner Case: What To Learn From Decision 131/2024?

Up to €2 million in penalties – that’s what RTL Belgium narrowly avoided when Belgium’s DPA gave them 45 days to fix their cookie banners. Your Shopify store could be next if you’re doing the same thing.

In October 2024, Belgium’s Data Protection Authority made a decision that shook the ecommerce world. RTL Belgium – one of the country’s biggest media companies – got caught using design tricks on their cookie banner. The same tricks many online stores still use today without knowing they’re illegal. This isn’t another boring legal update you can ignore. If your store has EU customers, this case matters. It shows exactly what “compliant” looks like and what “non-compliant” costs.

Let’s break down what happened, why it happened, and what you need to fix on your Shopify store before regulators show up.

The Story Behind RTL Belgium Cookie Banner Trouble

RTL Belgium runs one of Belgium’s biggest news and entertainment websites with millions of monthly visitors. Like most sites, they used a cookie banner to ask for permission to track people.

Sounds normal, right? Except their banner was designed to manipulate users.

In early 2023, None of Your Business (NOYB) – a European privacy rights group – filed a complaint against RTL Belgium. NOYB has been cracking down on sneaky cookie banners across Europe, filing hundreds of complaints against sites that trick people into accepting cookies.

They spotted three big problems with RTL Belgium’s banner:

The “Accept All” button was big and bright on the first screen. The “Reject All” option was buried on a second page most people would never see. The colors weren’t fair. “Accept All” looked inviting with bright colors. Rejecting cookies looked dull and easy to miss.

Changing your mind later was way harder than accepting. Saying yes took one click. Withdrawing consent meant digging through multiple pages to find a hidden settings link.

NOYB called these “dark patterns” – design tricks that manipulate people into decisions they wouldn’t normally make.

What the Belgian DPA Decided

After investigating, Belgium’s Data Protection Authority issued Decision No. 131/2024 on October 11, 2024. They didn’t hold back.

EU cookie consent is governed by the ePrivacy Directive – Article 5(3) – which requires prior consent before non-essential cookies are dropped – and the GDPR – Articles 4(11) and 7 –  which defines what valid consent looks like. The DPA found RTL violated the GDPR standards for valid consent. Here’s what that means:

❌ Consent wasn’t real consent

When you push people toward “Accept,” you’re not giving them a real choice. GDPR requires saying “no” to be just as easy as saying “yes.”

❌ The design was deliberately manipulative

Those bright “Accept” buttons and dull reject options weren’t accidents. The DPA considered this manipulation invalidates any consent collected.

❌ Withdrawing consent was unreasonably hard

GDPR says people must withdraw consent as easily as they gave it. RTL Belgium forced users to navigate multiple pages hunting for buried options.

The penalty? The DPA warned RTL Belgium and told the company to fix its cookie banner within 45 days. If RTL did not make the changes in time, it would have had to pay a fine of €40,000 per day, up to a maximum of €2 million.

RTL fixed the banner before the deadline, so it did not have to pay any fine. However, the decision still became an important precedent that regulators now use when reviewing other cookie banners.

Here’s what store owners miss: these penalties apply equally regardless of company size. A solo Shopify entrepreneur faces the same requirements as a multinational corporation.

RTL Belgium has since fixed their banner. But this case sets a precedent regulators across Europe will follow when evaluating other websites – including yours. After years of focusing on data breaches, regulators are now actively targeting something as “minor” as cookie banner design. Every online business owner should pay attention.

What RTL Belgium Cookie Banner Did Wrong

Let’s get specific about the mistakes RTL Belgium made so you can spot them in your own setup.

No “Reject All” on the First Screen

When visitors landed on RTL’s site, they saw an obvious “Accept All” button. To refuse cookies, they had to click into settings, navigate to a second layer, and hunt for the reject option.

This creates “asymmetric friction.” Accepting took one click. Refusing took multiple clicks and effort. That imbalance violates GDPR’s requirement that consent must be freely given.

Manipulative Color Choices

The “Accept All” button used attractive, contrasting colors that grabbed attention. The “Settings” option was styled in muted tones that blended into the background.

This visual hierarchy pushed users toward acceptance. The DPA ruled this as deceptive practice that undermines genuine consent – even if the reject option technically existed. Subtle manipulation is still manipulation.

Difficult Consent Withdrawal

Once someone clicked “Accept All,” changing their mind was complicated. They had to scroll to the footer, find a tiny link, click through to settings, and figure out which toggles to adjust.

GDPR Article 7 is clear: withdrawing consent must be as easy as giving it. If accepting takes one click, withdrawing should too. RTL’s process failed badly.

No matter how sophisticated your consent platform is, if the design manipulates choices, you’re breaking the law.

Why This Case Matters for Your Online Store

You might think, “I’m not a Belgian media company. Why should I care?”

Here’s why: GDPR applies to any website that targets EU customers – meaning you ship to the EU, show EU currencies, market in EU languages, or otherwise offer goods/services to people in the EU. Most Shopify merchants who ship internationally fall into this category.

Belgium’s DPA has made cookie consent a clear enforcement priority. Other EU regulators are watching and likely to follow their lead.

Decision 131/2024’s logic applies directly to ecommerce: You need consent before tracking. If you use cookies for analytics, ads, or personalization – and most online stores do – you must get valid consent from EU visitors before those cookies activate.

Accepting can’t be easier than refusing. Both options need equal prominence, equal colors, equal visibility. Users must change their minds easily. A footer link to cookie settings works. Making people hunt through three pages of settings doesn’t.

What “Compliant” Actually Looks Like – A Visual Checklist

So what does a GDPR-compliant cookie banner actually look like after the RTL Belgium ruling and similar cases? Use this checklist when designing or reviewing your banner for EU users.

1. “Accept all” and “Reject all” should appear right away

• Users should see both options immediately on the first screen.
• Don’t hide “Reject all” inside a “Settings” page or behind multiple clicks.
• If the banner only shows a big “Accept all” button and a tiny “Manage settings” link, regulators may see that as unfair.

2. Both choices should feel equally easy

• The “Accept all” and “Reject all” buttons should look similar in size, color, contrast, and visibility.
• Avoid designs where the accept button is bright and obvious while the reject option looks faded or hard to notice.
• Regulators increasingly view these tactics as “dark patterns.”

3. Don’t place non-essential cookies before consent

• Analytics, advertising, tracking, and personalization cookies should stay blocked until the user clearly agrees.
• Simply scrolling the page or continuing to use the site is not enough for valid consent.
• Users need to take a clear action, like clicking a button.

4. Explain clearly why cookies are used

• Tell users what the cookies are actually for. For example, analytics, personalization, or advertising.
• Avoid vague phrases like “to improve your experience” without more detail.
• The cookie policy should always be visible and easy to access.

5. Granular controls are useful – but they don’t replace “Reject all”

• It’s good practice to let users customize cookie categories individually.
• But this should be an additional option, not a way to hide the rejected choice behind extra steps.

6. Users should be able to change their minds easily

• People should be able to update or withdraw consent anytime through a visible “Cookie settings” link or icon.
• Withdrawing consent should be just as simple as accepting it.

7. Optional cookies should be off by default

• Non-essential cookies should never be pre-enabled.
• Users must actively choose to turn them on.
• Pre-ticked boxes or “accepted unless disabled” setups generally do not meet GDPR standards.

Consentik Helps Keep Your Cookie Banner Compliant

If you’re reading this thinking, “I have a cookie banner, so I’m probably fine,” here’s the uncomfortable truth: most cookie consent solutions still use the same dark patterns that got RTL Belgium fined. Many Shopify apps and default cookie banners still:

• Show only an “Accept” button on the first screen
• Use bright colors for “Accept” and gray for “Reject”
• Make withdrawing consent harder than giving it
• Don’t properly block cookies before consent is given

You might have installed a cookie banner months ago and assumed it handles compliance. But if it was set up before Decision 131/2024, there’s a good chance it’s using design patterns that Belgian regulators just declared illegal.

Setting up a truly compliant cookie banner is complicated. You need to audit scripts, configure consent signals, design fair layouts, and update everything when laws change.

Consentik handles all of this automatically. Here’s what Consentik does:

✅ Fair banner design – “Accept All” and “Reject All” appear equally on the first screen. No hidden buttons. No manipulative colors.

✅ Actually blocks cookies – Unlike fake banners that still track you, Consentik blocks all cookies until users give real consent.

✅ Easy consent withdrawal – Users can change their mind with one click. Exactly as easy as accepting.

✅ Compliance scanner – Scans your site and tells you exactly what needs fixing.

✅ Works with your marketing tools – Integrates with Google Analytics, Google Ads, Facebook Pixel, and other tools you already use.

✅ Covers all privacy laws – Handles GDPR, CCPA, LGPD, and more. One tool for all regulations.

✅ Keeps proof of compliance – Automatically tracks and stores every consent choice in case regulators ask.

RTL Belgium learned that a bad cookie banner can cost millions. You don’t have to. Consentik gives you a legally compliant solution that follows Decision 131/2024’s rules – without technical headaches or legal risks.

If your store has EU customers and you’re not 100% sure your banner is legal, fix it now. The cost today is way less than €40,000 per day.

Take Action Today

Don’t wait for regulators to find your cookie banner broken. Check your setup today: add “Reject All” to the first screen, balance your button colors, and make sure withdrawing consent is as easy as accepting. These fixes take minutes but could save you from €40,000 daily fines. The RTL Belgium case made the rules clear – now it’s your turn to follow them. Your customers deserve real choice. Your business deserves protection. Compliant cookie consent gives you both. Good luck!