Danish Cookie Guidelines

If you own a website in Denmark, you should familiarize yourself with the Danish cookie guidelines. Here, we explain the rules and the basics of how to collect consent to cookies in Denmark.

What are the Danish cookie guidelines?

The Danish cookie guidelines are some of the strictest in the world.

As a matter of fact, there are two different laws in play if you have a website that uses cookies:

Cookiebekendtgørelsen (the Danish cookie law)
The General Data Protection Regulation (GDPR)

But why two laws?

Cookiebekendtgørelsen (Danish Cookie Law)

Cookiebekendtgørelsen (BEK no. 1148 of 09/12/2011) is the national Danish adaptation of the European ePrivacy Directive from 2002.

The Danish Agency for Digital Government (Digitaliseringsstyrelsen) supervises compliance with Cookiebekendtgørelsen.

According to the Danish Cookie Law, if your website uses cookies that store, collect, or gain access to information on your visitor’s device, you must obtain the visitor’s explicit and informed consent.

Because of this, you are required to use a cookie banner on your website.

But the game changes when we talk about tracking cookies. Due to the fact that they collect personal information about your visitors, which is processed either by you or third parties (e.g., Google, Facebook, Amazon, Hotjar, etc.) the consent rules fall under the GDPR.

The General Data Protection Regulation (GDPR)

The GDPR is all about data processing and how you must handle personal information.
Although the GDPR talks very little about cookies, it concerns the data most cookies collect, especially tracking cookies (and any other tracking technology, i.e., fingerprinting).

If you use cookies that collect your users’ personal information for further processing, then you must collect valid consent under the GDPR.

According to the GDPR, valid consent is:

  • Freely given: Your visitor has to be able to accept or decline consent to cookies.
  • Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time.
  • Informed: You must inform your visitors about which cookies you use, what data they collect, for what purpose, by whom, and for how long they are stored.
  • Unambiguous: Your visitor must actively consent by clicking a box/button in your cookie consent pop-up.

How do you collect valid consent to cookies in Denmark?

To comply with the Danish cookie guidelines and the GDPR when using cookies on your site, make sure you follow these 9 steps:

  • Inform your users of cookies
    Inform your users which cookies you use on your website, who owns the cookies (third parties), what data they collect, for what purpose, and for how long (lifespan). This information should be displayed in your cookie banner and cookie policy.
  • Active consent
    Consent must be actively given. This means your user must actively click on a ‘yes’ button. Consent is not given through an indirect action like scrolling, swiping, or using a website or app. Consent is a matter of yes or no, not assumed or implied.
  • No pre-ticked checkboxes
    This part relates to the decision made by the European Court of Justice in 2019 in the case against German lottery website Planet49. Consent must be something the user actively chooses (opt-in), not pre-selected accept of cookies in the cookie consent pop-up.
  • Reject button in the cookie banner
    According to Datatilsynet (Danish DPA), you must allow users to reject cookies in the first layer of your cookie consent pop-up. That means the ‘Do not accept’ button must be placed next to the ‘Accept’ button.
  • No nudging
    It must be easy for your users to distinguish between a ‘yes’ and a ‘no’ to cookies. Making the ‘yes’ button bigger and hiding the ‘no’ button is not considered valid consent. Buttons should be the same size and displayed next to each other.
  • Granular consent preferences
    You don’t have to collect consent for every single cookie! But you are required to collect consent by purpose/category. That is one consent for every main purpose (functional, statistics, marketing). You can do that with cookie controls in your cookie pop-up so users can accept or decline cookies by purpose.
  • Withdraw or change consent
    Users must be able to change or withdraw consent to cookies and tracking as easy as it was to give. Deleting cookies in the browser is not an option.
  • Collect valid consent before using cookies
    You must obtain valid consent from those visiting your website or app before using any cookies, except for technically necessary ones.
  • Store all user consents for 5 years
    Store all your users’ consents to cookies for 5 years so you can document to the Data Protection Authorities that you have collected valid consent. Should you be subject to an audit, you need this documentation to prove you have lawfully collected and processed data.

Will the Danish cookie guidelines impair my marketing?

Not necessarily. You can still collect marketing data as long as you get consent to do so.

And with a Consent Management Platform (CMP) like Cookie Information’s, you can easily collect valid user consent on your websites and apps.

The CMP gives you a transparent cookie banner informing visitors of cookies and your data collection practices. The keyword here is ‘transparency’: because transparency builds trust between you and your users, strengthening your business relationships.

What about users who opt out of data processing?

You can gain additional insights when users reject cookies through the seamless integration with Google’s Consent Mode v2. You can then use these additional insights to improve your reporting, attribution, and bidding strategies.

Ultimately Cookie Information’s CMP enables you to protect user privacy without compromising your marketing goals. And right now, you can test it out for 30 days – completely free, with no commitments.

Get started here

FAQ

Non-compliance can lead to legal repercussions, including fines and penalties, as it would be a violation of data protection laws.

Certain types of cookies, like those necessary for basic website functionality or security, may be exempt from the strict consent requirements.

Yes, these guidelines can evolve. It’s advisable for website owners and users to stay informed through official channels like the Danish Data Protection Agency’s website.

The Danish cookie guidelines are designed to align with the broader requirements of the GDPR, particularly in terms of consent and data protection.

Most websites do. This can either be technically necessary cookies (e.g., cookies that remember language choices, login settings, shopping cart cookies), or it can be cookies placed by some of the services you use, e.g., Google Analytics, Facebook, Instagram, LinkedIn, Hotjar, etc.

Maybe not, but many of the third-party services you use (Google Analytics, Facebook, Amazon, etc.) do. If you use third-party services that set cookies through your website, then you are the data controller (Data Controller according to GDPR). Therefore, it is your responsibility to obtain consent for cookies for these services.

No. Google Analytics uses several cookies that collect your visitors’ personal data, which also gives you insight into who your visitors are, how they come to your website, and what they look at. This is made possible by cookies that track your visitors on the website. If you use Google Analytics, then you must obtain GDPR consent.

Technically necessary cookies are important for your website to function and for your visitors to use different features on the site. This could be to save your visitors’ login or remember what they put in the shopping cart (so the items are saved when they click to a new page). Technically necessary cookies are not Google Analytics.