The Danish DPA cookie consent guidelines released on Feb. 20, 2020, provided much-needed clarity for website owners to ease compliance with GDPR personal data processing requirements.
Here is a breakdown of the essential information you need to know about the latest Danish DPA cookie consent guidelines to ensure you avoid unnecessary fines that may hurt your business both financially and reputationally:
- What is cookie consent?
- Who is a Data Controller?
- Key takeaways from the Danish DPA (Datatilsynet) decision in the DMI.dk Case
- What are the Danish DPA Cookie Consent Guidelines
- Compliance with Danish DPA Cookie Consent Guidelines and Secure Privacy
What is Cookie Consent?
Both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (EU Cookie Law) consider the consent you receive valid only if your user allowed you to collect and process their personal information voluntarily.
To this effect, there are specific requirements you need to satisfy to obtain valid EU cookie law and GDPR cookie consent. Primarily:
- You must avoid processing your users’ personal information until you receive valid consent from them
- Consent is only valid if it is given freely, it is specific, it is informed, and it is based on a clear indication of the user’s agreement to your processing of their personal data
- You must take into account specific obligations when it comes to obtaining consent from minors under the age of 16, especially for social media and content services
- You need to keep logs of all the consent you either receive or are denied in case it is required for verification by the relevant Data Protection Authority
- You must give users clear information about the cookies you use on your website and their purpose, the data controller, and the third parties with whom you share their personal data.
Who is a Data Controller?
According to the GDPR, a data controller is a party responsible for how personal data is collected, processed, and used.
Typically, a data controller is the owner of a website that collects personal information from visitors.
Well, now that you know who a data controller is, you may be wondering who is a data processor? Basically, this is an entity responsible for processing any personal information provided by the data controller.
In simple terms, a data processor handles personal information from website users on behalf of the data controller. What this means is that it does not own, control, or define the purposes of personal data collection.
If you decide to use Google Analytics to monitor trends on your website, you qualify as the data controller since you determine the personal information to be collected and the purpose for which you are gathering it.
On the other hand, Google, through Google Analytics, processes the data on your behalf, which makes them a data processor.
Nonetheless, if you give data to Google Analytics and they determine the purpose and means of processing, Google Tag Manager will be both a data controller and a data processor.
According to the user who filed a case with Datatilsynet, after visiting the DMI.dk website, the country’s weather forecasting service collected users’ personal data using cookies and shared it with Google Ad Services.
Specifically, the Danish DMI.dk website exchanged user data for advertising space that allowed third parties in the adtech industry to personalize ads for website users.
The complainant argued that this practice violated the transparency and legitimacy requirements of processing personal data under the GDPR. This practice was made possible by how the DMI.dk’s website cookie banner was configured.
After examining the facts of the case, the Danish DPA discovered that as a publisher, DMI had engaged in this practice since 2004.
On its part, the DMI acknowledged its non-compliant practices and promised to make changes and make its cookie banner compliant with data protection principles.
5 Key Takeaways from the Danish DPA (Datatilsynet) Decision in the DMI.dk Case for Businesses
- You become a joint controller if you use Google Ad Services on your website: the Danish DPA determined that both DMI and Google are joint data controllers because they jointly decide the means used to collect and transfer personal data obtained from website users with the help of cookies.
- DMI’s violations are limited to the collection and sharing of personal data: The Datatilsynet made it clear that DMI was not responsible for the third party’s (Google) use and processing of personal data after receiving it from the DMI.dk website. This ruling mirrors the CJEU’s ruling in the Fashion ID case involving the use of Facebook plugins.
- All Data Controllers Must Obtain Prior Consent: According to the ruling, all data controllers must receive consent before starting to collect personal information from users, regardless of whether it is a single data controller involved or there is a joint one that will be involved later.
- Consent is the legal basis when collecting and sharing data with Google: Since DMI is a public body, consent is the applicable GDPR legal basis for processing user data on its website as opposed to legitimate interest, which is applicable to private entities.
Nonetheless, you also need to be aware that as a private business, you need to receive prior consent before collecting and sharing personal information with adtech partners.
- Consent must be informed and Granular: Datatilsynet clarified that you need to ensure that you receive prior consent for every purpose for which you wish to collect personal information.
Do not place the option to provide granular consent ‘one click away’ behind a ‘DETAILS’ button in your cookie banner.
Additionally, your cookie notice should be easy to understand, easily accessible, and written in clear language outlining the data controllers who will receive the personal information you collect on your website.
What are the Danish DPA Cookie Consent Guidelines?
Following this decision made public on Feb. 11, 2020, the Danish DPA cookie consent guidelines were published a week later.
It is important to note that the Danish DPA cookie consent guidelines are part of broad and extensive new guidance focused on helping businesses process personal data in a GDPR-compliant way.
Narrowing our focus to the question of cookie consent, the Datatilsynet makes it clear that you will be expected to use consent as a legal basis for processing personal data on your website.
According to the Danish DPA cookie consent guidelines, your personal data processing activities can be considered GDPR compliant if:
- You do not process data before prior consent is given
- You provide users with information about the different types of cookies you have on your website, their purposes, and reasons why you need to process their personal information
- You receive consent based on an active option when a user accesses your website to show that they definitively agreed to the processing of their personal data
Example of Compliant Practice: You avoid using a cookie banner that has pre-ticked consent boxes or relying on inactivity or scrolling as an indicator of your visitors’ consent to the placement of cookies in their devices, and instead allow them to freely make a clear choice.
- You make it easy for the visitor to provide consent for specific purposes and not others in line with the granularity requirement.
Example of Compliant Practice: You have a cookie banner that allows your users to freely accept or reject cookies based on their purpose. Basically, you should give them free choice over whether they agree to functional, statistical, or marketing cookies by giving them an on/off toggle option for each type of cookie.
- You make it as easy for users to withdraw their consent as it is to give it. This includes not only the text, but also the visual elements of your cookie banner.
Example of Compliant Practice: Your cookie banner has clear ACCEPT and REJECT cookies buttons that allow users to explicitly choose to give or deny prior consent for the processing of their personal data.
- You are keeping logs of what users have given consent to and how you obtained their consent.
Example of Compliant Practice: You have a cookie banner that logs both the denial and receipt of cookie consent from users in real-time.
Danish DPA Cookie Consent Guidelines and Secure Privacy
To comply with the Danish DPA cookie consent guidelines, Secure Privacy is a powerful and reliable solution that is easy to use.
With Secure Privacy, you get:
- Easily customizable and stylish GDPR compliant cookie consent banners to help you manage consents from your users and allow them to opt in to and opt out of the different types of cookies you have on your website in line with ePrivacy Directive and GDPR requirements
- Unique Cross-domain consent capability that allows your users to manage their cookie preferences in a single step across several domains
- Advanced monthly website scanning to ensure you are aware of all the cookies you have on your website, the type of personal information they collect, their provenance, and the recipients of the data collected.
- Prior consent tool to ensure that you do not deploy cookies before users give consent to the collection and processing of their data.
- Real-time logs and consent tracking such that you can maintain recoverable records of the consent statuses of your data subject in case they are required by the German DSK.
- 70+ language support, which enables you to set your cookie consent banner in the language of your target users
- Precise Geo-location capability that makes it possible for you to show your cookie consent banner to German users only
- A future-proof solution characterized by unique agility to respond to evolving cookie consent compliance regulatory changes, including compliance with LGPD in Brazil and California’s CCPA.
Check out our video and learn more about Secure Privacy’s Top 6 Enterprise Features; https://www.youtube.com/watch?v=iULVRao0UcY&list=LL&index=5
Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.