Here is a breakdown of the essential information you need to know about the latest Danish DPA cookie consent guidelines.
The Danish DPA (Datatilsynet) cookie consent guidelines, which were released on February 20, 2020, provided much-needed clarity for website owners to ease compliance with GDPR personal data processing requirements.
Explore more privacy compliance insights and best practices
It is important to point out that the Danish DPA cookie consent guidelines follow Datatilsynet’s decision in a case involving the use of cookies on the Danish’ weather forecasting website, DMI.dk.
Here is a summary of the essential information you need to know about the latest Danish DPA cookie consent guidelines to avoid unnecessary fines that may hurt your business financially and reputationally:
In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:
The Danish Cookie Law, which is administered by the Danish Business Authority (Erhvervsstyrelsen), is the national implementation of the EU ePrivacy Directive. In a nutshell, the cookie law states that you must obtain the visitor’s consent before collecting, storing, and accessing information on the visitor’s device.
On the other hand, the GDPR and its national implementation, the Data Protection Act, are administered by the Danish DPA (Datatilsynet).
Both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (EU Cookie Law) consider the consent you receive to be valid only if your user voluntarily consented to you collecting and processing their personal information.
To that end, there are specific requirements you need to satisfy to obtain valid EU cookie law and GDPR cookie consent. Primarily:
According to the GDPR, a data controller is the party responsible for how personal data is collected, processed, and used.
Typically, a data controller is the owner of a website that collects personal information from visitors.
On the other hand, the data processor is responsible for processing any personal information provided by the data controller.
In simple terms, a data processor is someone who handles personal information from website users on behalf of the data controller. This means that they do not own, control, or define the purposes for which personal data is collected.
Example
If you decide to use Google Analytics to monitor trends on your website, you are the data controller since you determine the personal information to be collected and the purpose for which it is collected.
Google, on the other hand, processes the data on your behalf via Google Analytics, making them a data processor.
Nonetheless, if you give data to Google Analytics and they determine the purpose and means of processing, Google Tag Manager will be both a data controller and a data processor.
According to the user who filed a case with Datatilsynet, after visiting the DMI.dk website, the country’s weather forecasting service collected users’ personal data using cookies and shared it with Google Ad Services.
Specifically, the Danish DMI.dk website exchanged user data for advertising space, allowing third parties in the adtech industry to personalize ads for website users.
The complainant claimed that this practice violated the transparency and legitimacy requirements of processing personal data under the GDPR. This practice was made possible by how the DMI.dk’s website cookie banner was configured.
After examining the facts of the case, the Danish DPA discovered that as a publisher, DMI has been doing this since 2004.
DMI acknowledged its non-compliant practices and promised to make changes and make its cookie banner compliant with data protection principles.
Additionally, your cookie notice should be easy to understand, easily accessible, and written in clear language, outlining the data controllers who will receive the personal information collected on your website.
As we mentioned above, there are two main authorities in Denmark for enforcing cookie laws, with Datatilsynet serving as the official DPA.
The Danish DPA and the Danish Business Authority have published separate guidance on the use of cookies. Furthermore, the Datatilsynet, the Danish Business Authority, and the Danish Council for Digital Security issued joint guidance on the requirements for the use of cookies.
Even having three sets of cookie guidelines may appear complicated, these guidelines set out similar requirements, so compliance with all three should not be a significant burden on organizations. Read about the EU cookie guidelines.
The Danish DPA cookie consent guidelines were published a week after the DMI.dk decision, which was made public on February 11, 2020.
It is important to note that the Danish DPA cookie consent guidelines are part of a comprehensive new set of guidelines focused on helping businesses process personal data in a GDPR-compliant way.
To focus on cookie consent, Datatilsynet makes it clear that you will be expected to use consent as a legal basis for processing personal data on your website.
According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met:
Example of Compliant Practice: You have a cookie banner that informs users when they access your website about the use of cookies on your website and ensures none are deployed until the user gives consent.
Example of Compliant Practice: You have a cookie banner with a link to your cookie policy that informs your users about the kind of data processing carried out by first and third-party cookies, the names of the entities responsible for processing, and the purposes of processing their personal information.
Example of Compliant Practice: Instead of using a cookie banner with pre-ticked consent boxes (CJEU Cookie Ruling), or relying on inactivity or scrolling as indicators of your visitors' consent to the placement of cookies in their devices, you allow them to freely make a clear choice.
Example of Compliant Practice: You have a cookie banner that allows your users to freely accept or reject cookies based on their purpose. Basically, you should give them the option of agreeing to functional, statistical, or marketing cookies by giving them an on/off toggle option for each type of cookie.
Example of Compliant Practice: Your cookie banner clearly displays ACCEPT and REJECT cookies buttons, allowing them to explicitly choose to give or deny prior consent for the processing of their personal data
Example of Compliant Practice: You have a cookie banner that logs in real-time both the denial and receipt of cookie consent from users.
The guidance issued by the Danish Business Authority (Erhvervsstyrelsen) in December 2019 aims to support the rules in the Danish Cookie Law (Cookiebekendtgørelsen) on information and consent requirements when storing or accessing information in the end user's device.
Furthermore, cookie information must be written in a clear, precise, and easy-to-understand language or in an equivalent pictorial language (i.e., pictograms).
The Danish DPA, the Danish Business Authority, and the Danish Council for Digital Security issued joint guidance known as the "Quick Guide." It establishes a number of checkpoints for organizations to consider before using cookies. Among the checkpoints are:
The Danish DPA's guidelines provide several examples of compliant and non-compliant cookie banner designs.
This cookie banner is an example of a non-compliant cookie banner. The user cannot refrain from providing consent, and cannot choose freely. Such consent does not meet the requirement of voluntariness.
This is another example of a non-compliant cookie banner. In this case, the individual has the option of opting out of the overall processing of personal data. However, collection and processing occur for a variety of purposes under the umbrella of a single overall consent. As a result, it fails to meet the condition of voluntariness because the data subjects lack sufficient freedom of choice in relation to being able to choose or opt-out of the two different purposes.
This is a non-compliant cookie banner. The mechanism, where the option of rejecting the cookie use is not displayed in the same manner as the option to allow cookie use, indirectly pushes the data subject to give consent.
This example is a compliant cookie banner. It is clear to the user what type of information will be collected and what it will be used for. The list of companies with whom the information can be shared is located in a fold-out menu, which in turn is in close proximity to the purposes of the information collection. The user is informed that consent can be withdrawn, and how. In this case, consent is freely given and informed. See more cookie banner examples.
Secure Privacy has a powerful and dependable solution that is simple to use for complying with the Danish DPA cookie consent guidelines.
Secure Privacy provides you with the following benefits:
Check out our video and learn more about Secure Privacy’s Top 6 Enterprise Features.
Book a 30-min call today and get a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy from a data privacy expert.
Schedule a call to learn more
Danish DPA Official Website (Datatilsynet)
Danish Business Authority Official Website
Danish DPA Cookie Guidelines (available in Danish)
Danish Business Authority Cookie Guidelines
Joint Guidance on Cookies (available in Danish)
You may also want to check out these other Cookie Consent Guidelines from other EU DPAs
French CNIL Cookie Consent Guidelines
Irish Data Protection Commission Cookie Consent Guidance
Belgian DPA’s Cookie Consent Guidance
GDPR Compliance in Germany
The Spanish AEPD Cookie Consent Guidelines
Italian DPA Cookie Guidelines
The Swedish Datainpsektionen’s Cookie Consent Guidelines
UK ICO’s Cookie Consent Guidance
Dutch DPA Cookie Consent Guidelines
Luxembourg DPA Cookie Guidelines
DSK Germany Cookie Guidelines
Greek DPA Cookie Consent Guidelines
Czech Cookie Law
