Danish provisions applicable to Cookies
The Danish Data Protection Agency has on 11 February 2020 issued a decision regarding the legal basis for use of personal data collected by third party cookies on the website of the Danish weather forecast service DMI.dk. Based on this decision, the Danish Data Protection Agency has on 17 February 2020 released guidelines on data processing for website visitors. The guidance is accessible here (in Danish). The Danish requirements for collection of valid consent for cookies are now among the toughest in Europe.
In particular, the guidelines highlight that, among other things, website owners usually rely on consent as a legal basis when processing website visitors’ personal information. In order for such consent to be considered valid under the GDPR, it must meet a number of requirements, including that visitors opt-in to such processing, and clearly stating the purposes of processing.
In summary the following rules apply:
- Consent must be given voluntary: A website user must have a free choice whether to accept cookies or not.
- Consent must be specific: In order to meet this requirement, website owners must state specific purposes of the data collection. The Danish Data Agency emphasizes that consent must be obtained for each purpose when multiple purposes exist (statistics, marketing, social media, etc.).
- Consent must be informative: A website user needs to know who is collecting the data and why. In addition, the information to the website users must be provided in a declaration that is easy to understand, easy to access and clearly and plainly explains who will be provided the personal data. Therefore, the option to provide consent cannot be “one-click-away” under a “details”-button in the cookie banner on the website.
- Consent must be given by an active action: The website user must give an unambiguous indication by which he or she agrees to the processing of personal data relating to him or her. Thus, pre-ticked boxes are not considered to be valid consent.
- Documentation requirement: Any consent obtained must be documented. According to the Danish Data Protection Authority, a website owner is expected to provide evidence about
- the time at which consent was given,
- the consent version (i.e. the solution used to obtain consent)
- the scope of the consent (i.e. to which purposes the website user has given his/her consent).
A website owner must ensure that a website user can give his consent no matter the type of device used (computers, smartphones, tablets, etc.). Therefore, the website owner must ensure that the solution can adjust to any type of device.
The consequence of not complying with the requirements of the Cookie Act will be a fine.
The updated cookie rules apply to all cookies except technically necessary cookies.
- those necessary for the functionality of the website
- booking systems
- Web forms
- electronic shopping baskets
New guidelines are expected soon
The Danish Business Authority announced that the Cookie Guidelines are currently revised in light of the prelimnary ruling from the ECJ in October 2019.