Danish DPA Cookie Consent Guidelines:6 Easy Compliance Tips (With Examples)

It is important to point out that the Danish DPA cookie consent guidelines follow Datatilsynet’s decision in a case involving the use of cookies on the Danish’ weather forecasting website, DMI.dk.

Here is a summary of the essential information you need to know about the latest Danish DPA cookie consent guidelines to avoid unnecessary fines that may hurt your business financially and reputationally:

• What are the Danish cookie laws?
• What is cookie consent?
• What is a Data Controller?
• The context of the case against the Danish Meteorological Institute’s (DMI) use of cookies on its website (DMI.dk)
• Key takeaways from the Danish DPA (Datatilsynet) decision in the DMI.dk case
• What are the Danish DPA cookie consent guidelines?
• How Secure Privacy can help your business comply with Danish DPA cookie consent guidelines
  

What are the Danish cookie laws?

In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:

• The Danish Cookie Law (Cookiebekendtgørelsen); and,
• The General Data Protection Regulation of the EU - GDPR (and the Data Protection Act of Denmark).

The Danish Cookie Law, which is administered by the Danish Business Authority (Erhvervsstyrelsen), is the national implementation of the EU ePrivacy Directive. In a nutshell, the cookie law states that you must obtain the visitor’s consent before collecting, storing, and accessing information on the visitor’s device. 

On the other hand, the GDPR and its national implementation, the Data Protection Act, are administered by the Danish DPA (Datatilsynet). 

What is Cookie Consent? 

Both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (EU Cookie Law) consider the consent you receive to be valid only if your user voluntarily consented to you collecting and processing their personal information. 

To that end, there are specific requirements you need to satisfy to obtain valid EU cookie law and GDPR cookie consent. Primarily:

• You must avoid processing your users’ personal information until you have received their valid consent. 
• Consent is only valid if it is freely given, specific, informed, and based on a clear indication of the user’s agreement to your processing of their personal data.
• When obtaining consent from minors under the age of 16, you must consider specific obligations, especially for social media and content services.
• You need to keep records of all consents you receive or deny in case they are required for verification by the relevant Data Protection Authority.
• You must give users clear information about the cookies you use on your website and their purpose, as well as the data controller and third parties with whom you share their personal data. 
  

What is a Data Controller? 

According to the GDPR, a data controller is the party responsible for how personal data is collected, processed, and used. 

Typically, a data controller is the owner of a website that collects personal information from visitors. 

On the other hand, the data processor is responsible for processing any personal information provided by the data controller. 

In simple terms, a data processor is someone who handles personal information from website users on behalf of the data controller. This means that they do not own, control, or define the purposes for which personal data is collected.

Example

If you decide to use Google Analytics to monitor trends on your website, you are the data controller since you determine the personal information to be collected and the purpose for which it is collected. 

Google, on the other hand, processes the data on your behalf via Google Analytics, making them a data processor. 

Nonetheless, if you give data to Google Analytics and they determine the purpose and means of processing, Google Tag Manager will be both a data controller and a data processor. 

The Context of the Case Against the Danish Meteorological Institute’s (DMI) Use of Cookies on its Website (DMI.dk)

According to the user who filed a case with Datatilsynet, after visiting the DMI.dk website, the country’s weather forecasting service collected users’ personal data using cookies and shared it with Google Ad Services. 

Specifically, the Danish DMI.dk website exchanged user data for advertising space, allowing third parties in the adtech industry to personalize ads for website users. 

The complainant claimed that this practice violated the transparency and legitimacy requirements of processing personal data under the GDPR. This practice was made possible by how the DMI.dk’s website cookie banner was configured. 

After examining the facts of the case, the Danish DPA discovered that as a publisher, DMI has been doing this since 2004. 

DMI acknowledged its non-compliant practices and promised to make changes and make its cookie banner compliant with data protection principles. 

5 Key Takeaways from the Danish DPA (Datatilsynet) Decision in the DMI.dk Case for Businesses

1. You become a joint controller if you use Google Ad Services on your website: The Danish DPA determined that both DMI and Google are joint data controllers because they jointly decide the means used to collect and transfer personal data obtained from website users via cookies. 
2. DMI’s violations are limited to the collection and sharing of personal data: Datatilsynet made it clear that DMI’s was not responsible for third-party (Google) use and processing of personal data obtained from the DMI.dk website. This ruling mirrors the CJEU’s ruling in the Fashion ID case involving the use of Facebook plugins. 
3. All data controllers must obtain prior consent: According to the ruling, all data controllers must receive consent before collecting personal information from users, whether it is a single data controller involved or a joint one that will be involved later. 
4. Consent is the legal basis when collecting and sharing data with Google: Because DMI is a public body, consent, rather than legitimate interest, is the applicable GDPR legal basis for processing user data on its website. However, you should be aware that, as a private company, you need to receive prior consent before collecting and sharing personal information with adtech partners. 
5. Consent must be informed and granular: Datatilsynet clarified that you must receive prior consent for every purpose for which you wish to collect personal information. Do not include a 'DETAILS' button in your cookie banner with the option to provide granular consent in a 'one-click-way.' 

Additionally, your cookie notice should be easy to understand, easily accessible, and written in clear language, outlining the data controllers who will receive the personal information collected on your website. 

What are the Danish DPA Cookie Consent Guidelines?

As we mentioned above, there are two main authorities in Denmark for enforcing cookie laws, with Datatilsynet serving as the official DPA. 

The Danish DPA and the Danish Business Authority have published separate guidance on the use of cookies. Furthermore, the Datatilsynet, the Danish Business Authority, and the Danish Council for Digital Security issued joint guidance on the requirements for the use of cookies.

Even having three sets of cookie guidelines may appear complicated, these guidelines set out similar requirements, so compliance with all three should not be a significant burden on organizations. Read about the EU cookie guidelines.

Datatilsynet Guidelines

The Danish DPA cookie consent guidelines were published a week after the DMI.dk decision, which was made public on February 11, 2020. 

It is important to note that the Danish DPA cookie consent guidelines are part of a comprehensive new set of guidelines focused on helping businesses process personal data in a GDPR-compliant way. 

To focus on cookie consent, Datatilsynet makes it clear that you will be expected to use consent as a legal basis for processing personal data on your website. 

According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met: 

• You do not process data before prior consent is given.

Example of Compliant Practice: You have a cookie banner that informs users when they access your website about the use of cookies on your website and ensures none are deployed until the user gives consent. 

• You provide users with information about the different types of cookies you have on your website, their purposes, and reasons why you need to process their personal information.

Example of Compliant Practice: You have a cookie banner with a link to your cookie policy that informs your users about the kind of data processing carried out by first and third-party cookies, the names of the entities responsible for processing, and the purposes of processing their personal information.

• You receive consent based on an affirmative action when a user visits your website to show that they have definitely agreed to the processing of their personal data.

Example of Compliant Practice: Instead of using a cookie banner with pre-ticked consent boxes (CJEU Cookie Ruling), or relying on inactivity or scrolling as indicators of your visitors' consent to the placement of cookies in their devices, you allow them to freely make a clear choice.

• In accordance with the granularity requirement, you make it simple for the visitor to provide consent for specific purposes and not others. 

Example of Compliant Practice: You have a cookie banner that allows your users to freely accept or reject cookies based on their purpose. Basically, you should give them the option of agreeing to functional, statistical, or marketing cookies by giving them an on/off toggle option for each type of cookie. 

• You make it easy for users to withdraw their consent, just as you make it easy for them to give it. This includes the text as well as the visual elements of your cookie banner.

Example of Compliant Practice:  Your cookie banner clearly displays ACCEPT and REJECT cookies buttons, allowing them to explicitly choose to give or deny prior consent for the processing of their personal data

• You are keeping logs of what users have given consent to and how you obtained their consent.

Example of Compliant Practice: You have a cookie banner that logs in real-time both the denial and receipt of cookie consent from users. 

The Danish Business Authority Cookie Guidance

The guidance issued by the Danish Business Authority (Erhvervsstyrelsen) in December 2019 aims to support the rules in the Danish Cookie Law (Cookiebekendtgørelsen) on information and consent requirements when storing or accessing information in the end user's device. 

1. The cookie rules require that you obtain informed consent from those who visit the website before you and others install cookies and similar technologies (i.e., for statistics or marketing purposes)
2. If you only use cookies for technically necessary purposes (essential cookies) on your website, you do not need to inform the users or get their consent.
3. You must notify users about the purposes for which you and/or third parties use cookies on your website and obtain their consent for each processing purpose. Users must be able to accept or reject the collection or storage of information on their device.
4. You must provide the necessary information to the user about your use of cookies. This information must include:
   undefinedundefinedundefinedundefinedundefined

Furthermore, cookie information must be written in a clear, precise, and easy-to-understand language or in an equivalent pictorial language (i.e., pictograms). 

The ‘Quick Guide’ as the Joint Guidance Checkpoints for Compliance

The Danish DPA, the Danish Business Authority, and the Danish Council for Digital Security issued joint guidance known as the "Quick Guide." It establishes a number of checkpoints for organizations to consider before using cookies. Among the checkpoints are:

• You must not use any non-essential cookies without the user’s prior consent
• You must obtain the active consent of the user (pre-ticked checkboxes and navigating the website must not equate to active consent)
• You must provide equal opportunity to accept and reject the use of cookies (do not mislead users with button sizes or colors)
• You must allow cookie selection by category (provide option for granular consent)
• You must provide sufficient information to users (such as cookies, purposes, expiry dates, parties that process data, and what data is transmitted to them)
• You must ensure the easy withdrawal of cookies
• You must keep records of all consent
• You must inform your users of any alternative legal bases used for any subsequent processing in your cookie declaration or cookie policy
  

Examples of Compliant Cookie Banners

The Danish DPA's guidelines provide several examples of compliant and non-compliant cookie banner designs. 

This cookie banner is an example of a non-compliant cookie banner. The user cannot refrain from providing consent, and cannot choose freely. Such consent does not meet the requirement of voluntariness.

This is another example of a non-compliant cookie banner. In this case, the individual has the option of opting out of the overall processing of personal data. However, collection and processing occur for a variety of purposes under the umbrella of a single overall consent. As a result, it fails to meet the condition of voluntariness because the data subjects lack sufficient freedom of choice in relation to being able to choose or opt-out of the two different purposes.

This is a non-compliant cookie banner. The mechanism, where the option of rejecting the cookie use is not displayed in the same manner as the option to allow cookie use, indirectly pushes the data subject to give consent.

This example is a compliant cookie banner. It is clear to the user what type of information will be collected and what it will be used for. The list of companies with whom the information can be shared is located in a fold-out menu, which in turn is in close proximity to the purposes of the information collection. The user is informed that consent can be withdrawn, and how. In this case, consent is freely given and informed. See more cookie banner examples.