
Understanding Danish DPA cookie consent guidelines

If you offer goods and services to Danish users or track their website activity using cookies, you need their explicit consent to do so. But what does explicit consent mean, and how can you obtain it? We look at Danish cookie guidelines and how you can collect compliant consent.

Feb 12, 2024

Datatilsynet, the Danish Data Protection Agency (DPA), has published numerous guidelines to help website owners and operators regarding the use of cookies to collect user data.

These guidelines on cookies and consent establish requirements around informing users about cookies, obtaining their consent to use non-essential cookies, enabling them to accept or reject cookies, and more.

For businesses and website operators engaging with users located in Denmark, a clear understanding of European Union (EU) data privacy laws, regional laws, and the Danish cookie guidelines can enable legal compliance and maintain user trust.

We look at data privacy in Denmark, cookie consent laws, and how to comply with the Danish DPA’s cookie consent requirements.

According to Danish cookie laws, websites and apps must obtain explicit consent from users if they use cookies to collect, store, or process their personal data.

These regulations are shaped by the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive (known as the “EU cookie law”).

General Data Protection Regulation (GDPR)

The GDPR is a cornerstone in data protection within the European Union (EU). Although it doesn’t specifically regulate the use of cookies, it’s important in Danish cookie law for three reasons:

  • It regulates the handling of personal data, which can include data obtained through cookies
  • It includes the legal bases for processing user data, which includes consent
  • It lays down a clear definition of “consent”

The Danish Data Protection Act (Act No. 502 of 23 May 2018) supplements the GDPR in Denmark.

ePrivacy Directive

The ePrivacy Directive regulates how websites and apps can use cookies to collect and process data from EU users. The EU cookie law is implemented in Danish cookie law in the Cookiebekendtgørelsen (BEK No. 1148 of 09/12/2011) or “Cookie Order”.

Danish cookie laws apply to any company, organization or individual, regardless of their location, that collects and processes data from visitors of websites and apps located in Denmark if they:

  • offer goods and services to Danish users, even if no payment is required from the user
  • monitor online behavior of Danish users located in Denmark

They also apply to the processing of personal data done by companies, organizations or persons established in Denmark.

The data controller, or the entity that determines why and how personal data will be processed, must ensure that personal data processing complies with the GDPR’s provisions.

You must always have a legal basis under Danish law to process users’ data. According to the ePrivacy Directive, the legal basis for processing data through tracking cookies is prior informed consent, unless they are purely functional cookies.

In its quick guide on the use of cookies issued in February 2021, the Danish DPA acknowledges that there could be other legal grounds to process personal data under the GDPR (Article 6.1). It emphasizes the importance of conducting a specific assessment to determine the appropriate legal basis and recommends obtaining consent as the most practical approach.

When it comes to minors, the Danish Data Protection Act (as amended in January 2024) stipulates different consent requirements. Processing the data of children under 15 years old is lawful only if consent is authorized by a parent or guardian.

Consent is a central concept in Danish cookie law, and the Danish DPA in February 2020 specifically incorporated the GDPR definition of consent in its guidelines on the processing of personal data of website visitors. The GDPR requires that consent must be a freely given, specific, informed and unambiguous indication that the person giving consent agrees to the processing of their personal data.

These guidelines further stipulate that you must obtain consent before you set cookies and process user data, except for cookies that are necessary for a website to function.

GDPR cookie consent must meet a number of strict requirements before it is valid. The DPA’s guidelines on processing of personal data, quick guide and guidelines on consent (issued in May 2021) together outline specific criteria that must be met to obtain valid consent as per the GDPR’s definition.

Freely given

  • Accepting or rejecting cookies should both be equally easy on the first layer
  • Cookie banner design and language should not influence a user to accept cookies
  • If a user has given consent, they must be able to withdraw it as easily as they gave it

Specific

  • You must obtain separate consent from users for each category of purposes, each with its own checkbox
  • Granular consent doesn’t have to be provided for every single cookie, but it should be offered for different categories of cookies, e.g. a user should be able to allow cookies for statistical purposes while rejecting advertising cookies

Informed

  • Users should have access to clear, understandable information about the purpose of cookies
  • You must provide transparent access to which parties have set cookies and what information is being transmitted through them, which can be done through a cookie policy

Unambiguous indication

  • Consent for cookies needs to be an active action by the user, such as ticking a box or clicking a button to ensure that the user’s choice is explicit and deliberate
  • Pre-checked consent boxes, which a user must uncheck to reject consent, are not valid consent
  • Users scrolling or swiping through a website or app is not valid consent as it may be difficult to distinguish from other user activity and is not an unambiguous indication that the user is accepting cookies

These detailed consent requirements are designed to safeguard user autonomy and privacy, ensuring that consent is an informed choice.

In its guidelines on consent, the Danish DPA has also stipulated that you must be able to demonstrate that the data subject has consented to the processing of their data.


Cookie wall guidelines from the Danish DPA

A cookie wall is a method by which a company requires visitors to give consent for their data to be processed before accessing a website. In February 2023, the Danish DPA established criteria for implementing cookie walls that comply with data protection rules.

  • If you use a cookie wall, you must provide a reasonable alternative for users who do not consent to data processing. The content or service provided must be similar, regardless of the user’s choice.
  • If the alternative to consent is payment, the cost must be reasonable, offering a genuine choice between payment and consent.
  • All the purposes for which you’re seeking consent should be limited to what is necessary for the service offered. Separate consent might be needed for purposes not integral to the paid alternative.
  • When visitors have paid, you can process personal data necessary for providing the service. However, processing data for purposes beyond what is required for the service is not allowed unless you obtain additional consent.

Important rulings regarding cookies and personal data in Denmark

The Danish DPA has, in recent years, made a number of decisions on the use of cookies to collect personal data from Danish users. In considering violations of Danish cookie guidelines, the DPA looked at the following issues:

  • A government institution was deploying cookies and processing personal data for advertising purposes before obtaining user consent. The DPA held that the institute and Google (as the ads were from Google’s ad platform) were joint controllers, but the institute was responsible for gathering consent.
  • A loan broker’s website had placed a number of cookies on the complainant’s browser before the complainant had given consent. The DPA also found that the cookie consent solution didn’t give any information about withdrawing consent, and it did not meet the requirements for valid consent.
  • An online marketplace’s use of cookie walls was mostly lawful, as it provided a paid access alternative to consent. However, the DPA noted that it had not shown that the processing of personal data for statistical purposes was required in the alternative to payment.
  • In a similar case, a media group website’s consent procedure was found to be inadequate as the paid service alternative was not equivalent to the consent-based access and didn’t provide visitors with a free choice. The media group had also not shown that processing of personal data for statistical purposes was required in the alternative to payment.
  • A gardening equipment company was using cookies to collect and pass on data to Google and Meta without a legal basis. As per Danish procedure, the DPA reported the company to the police and recommended a fine of no less than DKK 200,000.

Inform users about cookies

Danish cookie guidelines require you to share clear information with users about the types of cookies used and their purposes. The minimum requirements, as per the DPA’s consent guidelines, are:

  • the identity of the data controller
  • the purpose of the intended processing
  • what data is being processed
  • the right to withdraw consent at any time

This information should be easily accessible and understandable, allowing users to make informed decisions. It can be shared in the cookie consent banner, with more detailed information shared in the cookie policy, to provide transparency about your data collection practices.

For consent to be valid under Danish cookie laws, it must comply with the GDPR’s requirements of opt-in consent. This means you must obtain cookie consent through active and explicit user actions, such as clicking a button or checking a box.

Additionally, you must obtain specific consent for different categories of cookies, such as statistics cookies or marketing cookies, enabling users to make more tailored choices. Importantly, the process should avoid nudging users towards giving consent through either design or language presented; the consent mechanism must have a neutral presentation of choices where accepting or rejecting cookies is equally straightforward.

Cookie consent banners should implement the requirements of the Danish cookie guidelines to enable compliance with the GDPR, ePrivacy Directive and local cookie laws.

Your cookie banner must offer users clear options to accept, reject, or customize their cookie preferences, without using pre-checked boxes or manipulative design patterns. It should provide information as per the consent guidelines’ minimum requirements, in language that’s easy to understand.

The Danish DPA permits the use of cookie walls if they comply with the conditions laid out in its cookie wall guidelines. If your website must use cookie walls, ensure that it complies with these conditions and that all users, regardless of whether they choose to accept cookies or not, receive similar content or service.

If you choose a fee as the alternative to consent, ensure that it is a reasonable amount to give users a real choice. Don’t process data from paying users beyond what you need to provide the service unless you have their explicit consent for those cookies.

Your website should contain an easily accessible cookie policy, either as a separate document or as part of a privacy policy, that provides detailed information about your cookie usage. Include information about any third-party cookies, including who is setting the cookies, for what purposes, and what personal data they collect.

Your cookie policy must also inform users about how they can change or withdraw their consent preferences.

The DPA’s quick guide requires you to inform users in the cookie policy if you’re using a legal basis other than consent for processing personal data.


If your website processes data from Danish visitors, you must comply with EU regulations and Danish cookie guidelines or face penalties under the GDPR. Implementing a consent management platform (CMP) like Cookiebot CMP can help you achieve compliance and build user trust.

Cookiebot CMP can enable you to obtain explicit consent that complies with Danish cookie guidelines and data privacy laws. With Cookiebot CMP, you can:

  • present users with an opt-in cookie banner that requires active action for setting cookies
  • provide users with the option to withdraw consent as easily as they provided it
  • enable users to give specific consent for different categories of cookies, fulfilling the legal requirements for granular consent
  • use our cookie checker to scan your website for cookies and provide detailed information in your cookie policy
  • document consent as required by the DPA’s guidelines on consent

Cookiebot CMP also supports Google Tag Manager. With this integration, Cookiebot CMP automatically controls all cookies on your website so that they don’t collect any user data before users give consent.

FAQs

What are Danish GDPR laws?

The General Data Protection Regulation (GDPR) is a European Union regulation and applies in Denmark. It is applicable to all entities that process data from users in the territory of Denmark, regardless of where the entity is located. The GDPR is supplemented in Denmark by the Danish Data Protection Act. The GDPR and Data Protection Act together regulate the processing of personal data of users who are located in Denmark.
