Denmark New Guidance (Quick Guide) on Cookies

On 12 February 2021, the Danish Data Protection Authority (Datatilsynet) published a Quick Guide on the use of cookies outlining compliance action items for organizations that use cookies. The Guide clarifies that the user’s consent must be obtained before the use of non-necessary cookies as set out in the European Union’s e-Privacy Directive. It reaffirms that for consent to be valid, it must be freely given, specific, informed, and an unambiguous indication of the user’s wishes.

Under the new Quick Guide, organizations have the following responsibilities in connection to the use of cookies:

1. Do not process any non-necessary cookies without the user’s prior consent:
   The user’s consent must be obtained prior to setting non-necessary cookies. The necessary cookies should be interpreted narrowly and are only those that are essential for the functioning of the website, for example, cookies that are used to remember the content of a shopping cart.
2. Obtain active consent of the user:
   An active and positive action must take place for consent to be considered valid. The use of pre-ticked checkboxes does not constitute active consent. Similarly, simply navigating on a website does not mean that the user has accepted the use of cookies.
3. Provide equal opportunity to accept and reject the use of cookies:
   Organizations must make clear to users that they can refuse to consent to the use of cookies. Users should not be misguided/nudged via button sizes, colors, or locations and the first information layer of the cookie consent banner must include the option to refuse to consent to the use of cookies and not just have “yes” and “more information” buttons.
4. Allow cookie selection by categories:
   Organizations must allow users to select and deselect individual cookie categories based on their purposes.
5. Provide sufficient information to users:
   Organizations must provide users with the information about the use of cookies, their purposes, and the expiry dates of cookies, as well as information on parties that are processing cookies and what information is transmitted to parties.
6. Ensure easy withdrawal of cookies:
   Users must be allowed to withdraw their consent at any time in a manner as easily as was for giving consent.
7. Document consent:
   Organizations must document consent for the purposes of compliance.
8. Inform about any alternative legal bases used for subsequent processing:
   Practically, consent is the right legal base for the use of cookies. However, any alternative legal base used for the subsequent processing of personal data should be stated either in the cookie declaration/banner or in the privacy notice. The use of any alternative legal base requires a concrete assessment of the purpose and disclosure of personal data.