Cookie consent under scrutiny: Danish DPA’s 2026 focus creates opportunity for compliant businesses

Ines Pimentel

Think your cookie banner is compliant? The Danish DPA just made consent a 2026 enforcement priority – and their data shows most websites have issues. Here’s what’s changing, what they’re targeting, and why compliant businesses should see this as an opportunity.

Table of contents

What the Danish DPA announced – and why it matters

Your cookie banner might be about to get a lot more scrutiny. The Danish Data Protection Authority (Datatilsynet) has announced its enforcement priorities for 2026, and cookie consent practices are firmly in the spotlight. The authority will examine whether Danish websites give users a genuine choice about tracking – and the findings so far suggest many do not.

For businesses still relying on manipulative consent designs or non-compliant cookie banners, this is a clear warning. But for those who have invested in proper consent management platforms, this enforcement focus could be the competitive edge you’ve been waiting for.

In their official 2026 supervision plan, Datatilsynet was blunt:

Notice that phrase: “real opportunity to say no.” The DPA is not just checking whether websites have a cookie banner. They’re asking: can users actually decline without jumping through hoops? 

“Studies are still being published regularly showing extensive collection of personal data continues on Danish websites, and where citizens do not have a real opportunity to say no to tracking technologies.”

Notice that phrase: “real opportunity to say no.” The DPA is not just checking whether websites have a cookie banner. They’re asking: can users actually decline without jumping through hoops? 

Two agencies, coordinated enforcement

Datatilsynet will coordinate its enforcement with Digitaliseringsstyrelsen (the Danish Agency for Digital Government). Two regulatory bodies examining cookie consent practices simultaneously increases both the scope and likelihood of enforcement actions.

So how bad is it, really? Cookie Information’s 2024 report Cookie Compliance in Denmark: Trends & Insights found that compliance issues are actually getting worse, not better:

  • 94% of analyzed websites have a cookie banner (up from 91% in 2023)
  • But 84% have compliance issues (up from 79%)
  • And 70% set non-essential cookies before consent

More banners. More problems. The most common violation – firing cookies before consent – is exactly what GDPR prohibits and what the DPA is now targeting.

The problem is widespread across industries, most prominent in Sports (89%), E-commerce (83%), and Arts & Culture (82%).

Denmark’s track record on privacy enforcement

This announcement builds on Denmark’s consistent enforcement of tracking-related privacy violations.

Previous enforcement actions by the Danish DPA

  • Shopping apps focus (2025): Datatilsynet examined consent practices in retail applications.
  • Government guidance: The Danish Ministry of Industry recommended that companies develop exit strategies from American cloud services.

The 2026 focus on website cookie consent represents a natural progression in their systematic approach to examining consent practices throughout digital touchpoints.

Denmark is not acting in isolation. Nordic data protection authorities have shown a pattern of coordinated, strict enforcement on consent compliance.

Norway’s E-Com Act changes (January 2025)

Norway introduced significant updates to its Electronic Communications Act (E-Com Act), tightening cookie consent requirements. 

Previously acceptable practices such as pre-ticked boxes or implied consent via browser settings are no longer allowed.

Read more:

Norwegian E-Com Act: compliance checklist for marketers

Norwegian DPA sanctions 6 websites for Meta and Snapchat tracking pixel violations

Compliance Report 2024: Norway

Sweden’s Google Analytics enforcement

Sweden’s data protection authority (IMY) ruled that four companies unlawfully transferred personal data to the US via Google Analytics, reinforcing the need for EU-compliant analytics alternatives.

Read more:

Swedish DPA targets dark patterns in cookie banners

Compliance Report 2024: Sweden

The European Data Protection Board (EDPB) coordinates enforcement activities through its Coordinated Enforcement Framework. Datatilsynet will participate in the 2026 effort, focusing on transparency and disclosure. Cookie consent practices face scrutiny at both national and EU level.

Here’s the uncomfortable truth behind the DPA’s announcement: a lot of websites are cutting corners.

The European Data Protection Board (EDPB) coordinates enforcement activities through its Coordinated Enforcement Framework. Datatilsynet will participate in the 2026 effort, focusing on transparency and disclosure. Cookie consent practices face scrutiny at both national and EU level.

  • Dark patterns in cookie banners: Making “Accept All” prominent while hiding “Reject”
  • Cookie walls: Blocking content unless users accept all tracking cookies
  • Pre-checked consent boxes: Defaulting to consent rather than requiring opt-in
  • Asymmetric effort: Multiple clicks to reject, one click to accept
  • Missing granular consent: All-or-nothing instead of category-level cookie preferences0

Read more:

Dark patterns in cookie banners: What are they and how do you avoid them?

How to design a user-friendly and compliant cookie banner in 2026

What happens when enforcement begins

When regulators act, the consequences extend beyond GDPR fines:

  • Your campaigns could stop overnight. Enforcement orders can immediately suspend marketing tools tied to unlawful data collection.
  • Your analytics could go dark. Losing tracking access means losing the ability to segment audiences or measure performance.
  • Your reputation takes a hit. Public enforcement erodes customer trust.

So what happens if you’re already doing this right?

Operational continuity

While competitors scramble to rebuild consent infrastructure, you keep operating. Your cookie consent solution keeps working; your analytics keep flowing; your campaigns keep running.

Trust differentiation

Privacy-aware consumers notice consent experiences more than marketers expect. A banner where accepting and declining are equally easy signals respect. One that hides the reject button signals manipulation.

When users encounter aggressive cookie banners that hide reject options, they notice. Some bounce. Others comply but lose trust.

As enforcement tightens across Europe, a transparent consent experience becomes a differentiator – not just a legal checkbox.

Read more:

Five things every marketer should know about web analytics in 2026

Better data quality through privacy-first analytics

It sounds counterintuitive, but privacy-respecting consent often produces better data than aggressive tracking. 

Here’s the catch with traditional analytics: if someone declines cookies, they vanish from your data. If 40-60% of visitors decline cookies – common in privacy-conscious markets – your analytics might only show half the picture – over-reporting some channels and under-reporting others, biased by which audiences click “Accept”.

What if you didn’t have to choose between privacy compliance and complete data? The most effective approach combines consent-based tracking with anonymous data collection.

Here’s how it works:

A visitor arrives, and you immediately start collecting anonymous behavioral data – page views, traffic sources, session patterns. No consent needed because no personal data is involved.

Then they see your cookie banner. If they accept, you switch to full tracking with longer-lasting identifiers – returning visitor recognition, cross-session journeys, and personalization. If they decline, anonymous tracking continues. 

Why consent management still matters:

This isn’t about bypassing consent. A well-designed consent experience still drives higher opt-in rates, unlocking richer data for consenting visitors. The difference: declining visitors don’t disappear from your analytics entirely.

The results:

Piwik PRO partner Hopkins, leading digital marketing and analytics agency in Finland, found that after implementing this combined approach, they captured 3x as many sessions – and 4x more traffic overall (180,000 visits versus 40,000 in GA4). 

How to set this up

To make this work, consent management and analytics need native integration – not custom development.

The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO delivers this, starting at €35/month:

  • Cookie Information CMP – Automated cookie scanning, auto-blocking, categorization, and WCAG-compliant banners in 44+ languages
  • Piwik PRO Analytics – Anonymous tracking methods (with session hash, without cookies, or fully cookieless) plus full tracking for consenting visitors
  • Tag Manager – Consent-based triggers controlling when scripts fire
  • Data activation – Turn insights into audiences and campaigns instantly

Setup takes minutes. Consent signals flow automatically across all modules – no middleware, no gaps, no compliance headaches.

Simplify consent and analytics today

See how the Cookie Banner + Analytics Plan handles both – setup takes minutes.

Start free trial
Check prices

Data sovereignty: the hidden compliance factor

But there’s another critical dimension: where your data goes matters as much as how you collect consent.

The US data transfer risk

Under the US CLOUD Act, American authorities can compel US-based companies to provide customer data access, regardless of where it’s stored. Multiple European DPAs have ruled against US-based analytics tools on these grounds.

Read more:

Trump, data transfers and EU alternatives: the marketer’s survival plan

Life after GA4: Why EU organizations are going local

True EU data sovereignty

True data sovereignty means more than EU hosting. It requires that both the data and organizations handling it remain entirely under EU legal jurisdiction, free from foreign ownership.

Benefits include: minimized legal risk from non-EU surveillance frameworks, GDPR alignment, strengthened user trust, and long-term legal certainty for data-driven strategies.

Read more:

EU hosting vs. EU sovereignty: Why the difference matters for privacy-first analytics

Let’s be honest: would your cookie banner survive a regulatory audit? Here’s what compliant consent actually requires:

  • Genuine choice: Declining is as easy as accepting – no dark patterns, no asymmetric button designs or hidden reject options
  • Granular control: Users can accept some cookie categories (like analytics) while declining others (like marketing cookies) – no all-or-nothing 
  • Clear cookie policy: All cookies listed with purposes and lifespans
  • Proper cookie categorization: Only strictly necessary cookies are exempt; analytics and marketing require opt-in
  • No pre-consent tracking: Scripts blocked until the user makes an active choice 

Read more:

GDPR explained: How to achieve privacy compliance

Preparing for 2026: what to do now

The DPA’s announcement is part of a broader European trend. Here’s how to get ahead – before someone else audits your site for you.

Start with three questions:

  • Can users decline cookies as easily as they accept?
  • Are all cookies categorized and disclosed in your cookie policy?
  • Is consent collected before non-essential tracking starts?

If any answer is “no” – or “I’m not sure” – you have work to do.

A good place to start is our free cookie compliance checker – a tool that scans and analyzes your website to give you an overview of your cookie banner, pre-consent cookie activity, unclassified cookies or trackers, and post-rejection cookie activity.

2. Evaluate your data sovereignty

Consider EU-based consent management and analytics with EU data residency. European companies with no US capital connections offer complete data sovereignty that US providers cannot guarantee.

3. Consider your analytics approach

If visitors declining consent creates blind spots in your analytics, consider platforms offering anonymous tracking alongside consent-based collection. This maintains visibility across your entire audience while staying compliant.

Looking ahead: The EU’s Digital Omnibus framework would enable first-party analytics without consent when specific technical criteria are met – first-party processing, no third-party sharing, statistical purposes only. Privacy-first platforms like Piwik PRO with Cookie Information are already positioned to meet these requirements.

When your CMP and analytics work together natively, consent signals flow automatically – no custom integrations, no compliance gaps. You can track consent rates, see how banner designs affect opt-ins, and adjust tracking based on user choices. The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO delivers this in one package, starting at €35/month.

The bottom line

The Danish DPA’s 2026 focus on cookie consent follows years of regulatory attention across the Nordic region. What makes it significant? The explicit acknowledgment that many websites still don’t give users genuine choice about cookies and tracking.

For compliant businesses, that’s an opportunity. When enforcement hits competitors cutting corners, you’ll keep operating, keep building trust, and keep collecting complete data.

Cookie consent compliance is not just about avoiding fines (under GDPR: up to 4% of global revenue). In a market where regulators actively target non-compliant practices, proper consent management becomes genuine competitive advantage.

The question isn’t whether stricter enforcement is coming. It’s whether you’ll be ready when it does.

Ready to turn compliance into advantage?

Start your free trial of the Cookie Banner + Analytics Plan now

Try free for 30 days

Frequently asked questions

What did the Danish DPA announce about cookie consent for 2026?

The Danish Data Protection Authority (Datatilsynet) announced that website tracking – specifically whether users have a genuine opportunity to decline cookies – will be an enforcement priority in 2026. They’re coordinating with Digitaliseringsstyrelsen (the Danish Agency for Digital Government), meaning two regulatory bodies will examine consent practices simultaneously.

What cookie consent violations is the Danish DPA targeting?

The DPA is targeting practices that deny users a “real opportunity to say no.” This includes dark patterns (making Accept prominent while hiding Reject), cookie walls (blocking content unless users accept), pre-checked consent boxes, asymmetric designs (one click to accept, multiple to decline), and missing granular consent options.

Does this only affect Danish websites?

No. This is part of a broader Nordic and EU enforcement trend. Norway tightened cookie consent requirements in January 2025, Sweden has ruled against Google Analytics, and the European Data Protection Board coordinates enforcement across member states. Any business targeting Nordic or EU audiences should ensure compliance.

What are the penalties for non-compliant cookie consent?

Under GDPR, fines can reach up to 4% of global annual revenue. Beyond fines, enforcement can result in orders to suspend data collection, which disrupts marketing campaigns and analytics. Reputational damage from public enforcement actions also affects customer trust.

Can I still collect analytics data if visitors decline cookies?

Yes, with the right setup. Anonymous tracking methods collect behavioral data (page views, traffic sources, engagement patterns) without personal identifiers. Because no personal data is involved, GDPR consent requirements don’t apply. This lets you maintain analytics visibility across your entire audience.

What’s the difference between EU hosting and EU data sovereignty?

EU hosting means your data is stored in EU data centers, but the company may still be subject to non-EU laws (like the US CLOUD Act). True EU data sovereignty means both the data AND the organization handling it are entirely under EU legal jurisdiction, with no foreign ownership or extraterritorial influence.

How do I know if my current cookie consent setup is compliant?

Check these elements: Can users decline as easily as accept? Can they choose specific cookie categories? Are all cookies disclosed with purposes and lifespans? Are non-essential cookies blocked until consent is given? If any answer is “no,” your setup may not survive regulatory scrutiny.

Take advantage of our free cookie compliance checker as a starting point – you’ll get an overview of your cookie banner compliance, pre-consent cookie activity, unclassified cookies or trackers, and post-rejection cookie activity.

What is the Digital Omnibus and how does it affect cookie consent?

The Digital Omnibus is an EU framework that would enable first-party analytics without consent when specific criteria are met: first-party processing only, no third-party data sharing, and statistical purposes only. Privacy-first analytics platforms are already designed to meet these requirements.

What’s the easiest way to set up compliant cookie consent with anonymous tracking?

The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO combines both in a native integration starting at €35/month. Cookie Information handles consent (auto-scanning, auto-blocking, WCAG-compliant banners in 44+ languages) while Piwik PRO provides analytics with anonymous tracking for visitors who decline cookies. Setup takes minutes – consent signals flow automatically across all modules without custom development. Try free for 30 days