The 9 requirements to comply
with the Danish cookie guidelines:
-
Inform your users of cookies
Inform your users which cookies you use on your website; who owns the cookies (third parties); what data they collect; for what purpose; and for how long (life-span). This information should be displayed in your cookie banner and cookie policy. -
Active consent
Consent must be actively given. This means your user must actively click on a 'yes' button. Consent is not given through an indirect action like scrolling, swiping or using a website or app. Consent is a matter of yes or no, not assumed or implied. -
No pre-ticked checkboxes
This part relates to the decision made by the European Court of Justice in 2019 in the case against German lottery website Planet49. Consent must be something the user actively chooses (opt-in), not pre-selected accept of cookies in the cookie consent pop-up. -
Reject button in the cookie banner
According to Datatilsynet (Danish DPA), you are required to provide your users with the option of rejecting cookies in the first layer of your cookie consent pop-up. That means, the 'Do not accept' button must be placed next to the 'Accept' button. -
No nudging
It must be easy for your users to distinguish between a 'yes' and a 'no' to cookies. Making the 'yes' button bigger and hiding the 'no' button is not considered valid consent. Buttons should be the same size and displayed next to each other. -
Consent by purpose
You don't have to collect consent for every single cookie! But you are required to collect consent by purpose/category. That is, one consent for every main purpose (functional, statistics, marketing). -
Withdraw or change consent
Users must be able to change or withdraw consent to cookies and tracking as easy as it was to give. Deleting cookies in the browser is not an option. -
Collect valid consent before using cookies!
You are required to obtain valid consent from those who visit your website or app before using any cookies.
*Except for technically necessary cookies. -
Store all user consents for 5 years
Store all your users' consents to cookies for 5 years, so you can document to the Data Protection Authorities that you have collected valid consent. Should you be subject to an audit, you need this documentation to prove you have lawfully collected and processed data.
Danish cookie guidelines – what are the rules?
The Danish rules on cookies are some of the strictest in the world.
And there are actually two different laws in play if you have a website that uses cookies.
Here are the rules you should be aware of.
- Cookiebekendtgørelsen (the Danish cookie law)
- The General Data Protection Regulation (GDPR)
But why two laws? Let me explain.
Cookiebekendtgørelsen (Danish Cookie Law)
Cookiebekendtgørelsen (BEK no. 1148 of 09/12/2011) is the national Danish adaptation of the European ePrivacy Directive from 2002.
- Cookiekendtgørelsen applies when you use cookies on your website.
The Danish Cookie Law state that if you use cookies on your site that store, collect or gain access to information on your visitor’s computer/tablet/phone, you have to obtain the visitor’s consent.
In other words:
If you use cookies,
you must collect an informed consent.
That is why you are required to use a cookie banner on your website.
*Cookiebekendtgørelsen is administered by the Danish Business Authority (Erhvervsstyrelsen).
But the game changes, when we talk about tracking cookies.
If the cookies you use are classified as tracking cookies, i.e., they collect personal information about your visitors which is processed either by you or third parties (e.g., Google, Facebook, Amazon, Hotjar etc.), the rules for consent fall under the GDPR.
The General Data Protection Regulation (GDPR)
The GDPR is all about data processing and how you must handle personal information.
Although the GDPR talks very little about cookies, it concerns the data most cookies collect, especially tracking cookies (and any other tracking technology, i.e., fingerprinting).
When using cookies that collect your users’ personal information for further processing, you are required to collect valid consent in accordance with the GDPR.
If you use tracking cookies,
the rules for consent in the GDPR apply
According to the GDPR valid consent is:
- Freely given: Your visitor has to be able to accept or decline consent to cookies.
- Specific: Consent has to be granular. You may only ask for consent to one specific purpose at a time.
- Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long time they are stored.
- Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.
The guidelines for using (tracking) cookies and collecting valid consent under the GDPR is administered by the Danish Data Protection Authority (Datatilsynet).
How do you collect valid consent to cookies in Denmark?
In order to comply with the Danish cookie guidelines and the GDPR when using cookies on your site, make sure you follow the 7 quick steps mentioned in the top (click here to revisit the list).
Here’s how you do it:
- Ask your users for consent for using cookies. You can do that with a cookie pop-up.
- Respect their choice (if they decline). You can do that with a ‘decline all’ button next to the ‘accept’ button.
- Provide users with an easy way to withdraw or change consent. You can do that with a simple link to reopen the pop-up.
- Make it easy for your users to find information about your cookies and your data collection. Guide them to your cookie policy with a link in your cookie consent pop-up.
- Make consent granular (specific). You can do that with cookie controls in your cookie pop-up so users can accept or decline cookies by purpose (marketing, stats, functional).
- Store your users’ consent for 5 years. Your Consent Management Platform will do that for you. If it’s a good one.
Collecting valid consent to cookies can be done with a professional Consent Management Platform.
It provides you with a cookie consent pop-up that could look something like this:
Following these simple rules using a proven Consent Management Platform will ensure that your website complies with both the Danish Cookiebekendtgørelse and the GDPR.
FAQ on cookies and consent in Denmark
[Q] – We are not using cookies on our website!
[A] – Most websites use cookies. These are either technically necessary cookies used for making the website work (e.g., remember language preferences, login settings, shopping cart cookies), or cookies set through your website by some of the services you use like for example Google Analytics, Facebook, Instagram, LinkedIn, Hotjar etc.
Our website is not collecting – or processing – any personal data!
Maybe not, but third-party services like Google Analytics, Facebook, Hotjar, Amazon are! If you use any third-party service which set cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent using these cookies is your responsibility.
Can we use Google Analytics without consent?
No. Google Analytics is using multiple cookies that collect your visitors’ personal information which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
What are technically necessary cookies?
Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.
How do I know if my website is GDPR cookie compliant?
You have it checked. By a Consent Management Platform provider – like Cookie Information – which can easily and quickly assess whether your website uses cookies that are not collected consent for. Get a free compliance check here with Cookie Information. No strings attached.
