Denmark

Can you place cookies without consent?

No.

Only cookies that are necessary for essential technical functions on the website do not require consent. All other cookies require consent.

In Denmark the ePrivacy Directive has been implemented by the Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment 1148/2011 (“Cookie Order”).

Where cookies or similar technologies are used to collect personal data the requirements of the GDPR must also be observed. In some instances, the GDPR requires consent. Consent must be granular, i.e. specific consent for each purpose.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes. In general, there is a high level of focus by regulators but a gap in following the rules in practice.

The Danish Agency for Digital Government oversees the cookie rules and enforces compliance with them. In June 2023, the Agency published its annual report of 2022 regarding its oversight of cookies and similar technologies. In 2023, the Agency conducted 159 supervisions (six of which related to shopping apps), where 86 cookie solutions were found not to comply with the cookie rules. 

GDPR is supervised and enforced by the Danish Data Protection Agency including when cookies are used to collect personal data.

Are there any exemptions if consent is required?

The Cookie Order provides exemptions where storing or giving access to information:

  • is for the sole purpose of carrying out the transmission of communication over an electronic communications network; or
  • is necessary (technical precondition) to enable the provider of an information society service explicitly requested by the end-user to provide that service.

Necessary cookies can be login-functions on a website or the electronic shopping cart in a webshop, where the cookies ensure that the electronic shopping cart remembers the user’s items while they are shopping or browsing the website.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

No.

None of these cookies fall within the scope of the exemptions specified in question 3. 

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. A consent must be an active indication. Pre-ticked checkboxes and click-through features, where it is stated that by continuing to use the website, the user accept the use of cookies, are not considered active consent. Consent must meet GDPR standards. To the extent that cookies are used for collecting personal data, consent is most often the appropriate legal basis.

Can you set cookies without a cookie notice? 

No. Consent must be informed. The Cookie Order requires as a minimum that: -

  • The information is clear, precise and easily understood; -
  • it contains details of the purposes of the storing or access; -
  • it identifies any party storing or accessing information; -
  • it contains readily accessible means by which the user can refuse or withdraw consent; and 
  • it is given prior to the consent and subsequently available at all times

In addition, the information must inform of the lifespan of cookies.

If cookies are used to collect personal data, the information requirements in GDPR Art 13 and 14 must be complied with.

Some of the information must be placed in the banner while other information can be placed one-click-away and the remaining can be provided in a privacy notice. No cookie notice is necessary if only technically necessary cookies are placed. 

Can you set cookies without a cookie banner/ management tool?

Generally, there is no requirement to have a consent management tool, but in practice it is difficult to obtain informed consent without.

Are you able to use cookie walls? 

The Danish Data Protection Authority recently stated, that cookie walls can be used legally under 4 circumstances:

1. Companies that wish to use cookie walls must simultaneously offer visitors who do not wish to consent to the processing of their personal data a reasonable alternative, e.g., by being able to pay for access.

2. If the alternative for accepting cookies is to pay for access, the price must be fair.

3. When offering the choice between payment or consent to the collection of personal data for access to company content or service, companies must be able to demonstrate that all the purposes for which the company is requesting consent form a necessary part of this alternative.

4. In cases where visitors pay for access to the content or service, the company must process the data necessary to provide the content or service. This may be the case, for example, where the provision of the service requires the creation of an account or user profile. In this case, the company may process the personal data necessary to manage the user profile and provide the service in question. 

In accordance with the requirements set out above, the Danish Data Protection Agency issued a decision in February 2024 ordering one of the largest Danish news media to ensure the lawfulness of its cookie consent collection. The DDPA found that a consent is not considered voluntary, and therefore invalid, if the consent is required to access embedded content in news articles, and there is no alternative way to gain access to the embedded content, e.g., via payment.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes. The Danish Business Authority (who  previously oversaw the cookie rules) has issued orders to remedy non-compliance with the Cookie Order, to our knowledge no other sanctions have been applied.

The Danish Data Protection Authority has published several cases concerning failure to comply with the data protection rules in relation to cookies. Currently, the largest suggested fine for non-compliance with the GDPR relating to processing of personal data via cookies is no less than DKK 200,000. 

Are there any current consultations relating to ad tech/cookies?

None currently, but the Danish Data Protection Authority is currently preparing new guidelines regarding the use of cookies.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concluded that the tool cannot, without additional protections, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

Recent case law from the Danish Data Protection Authority shows that the Authority is increasing its focus on how collection of personal data through cookies is being handled, especially with regards to granularity of the consent. In October 2023 the Danish Data Protection Authority reported a website owner to the police recommending a fine of no less than DKK 200,000 for collecting and disclosing personal data via cookies without a legal basis.