Mention Danish cookies, and it might bring to mind a delicious treat baked with copious amounts of butter. But if you conduct digital business in Denmark, it’s another type of cookie—the small data files that gather information on website users—that you need to be thinking about.
The use of website cookies in Denmark is regulated by the Danish Executive Order on Electronic Communications Services and Networks (aka, the “Cookie Order”) and the European Union’s General Data Protection Regulation (GDPR)—Europe’s all-encompassing data privacy regulation.
Before deploying non-necessary cookies on a Danish website, it is mandatory to first obtain a user’s informed consent. Organizations that fail to comply with cookie laws in Denmark can be punished with a fine. But beyond legal compliance, companies should be planning for a potential cookieless future and place customer consent at the center of their digital marketing strategy.
Danish regulations on cookies
Denmark is regarded as having one of the best qualities of life in the world, and this distinction extends to its digital quality of life. Denmark also ranks high for internet privacy along with its Scandinavian neighbors.
The basic right to privacy is enshrined in the 1953 Constitution of Denmark. Privacy rights were extended to data protection through legislation that includes the Data Protection Act of 2000, the Cookie Order of 2011 (Danish: Cookiebekendtgørelsen), which implements the EU’s e-Privacy Directive, and the Danish Data Protection Act, enacted in 2018 to supplement and implement the GDPR.
The Danish Cookie Order
The Danish Cookie Order is an executive order that put into effect the European e-Privacy Directive, known as the “cookie law” because it led to the widespread adoption of cookie consent pop-ups.
The Order is intended to “protect the private sphere of the users” and reflects the view that a web user’s “terminal equipment” (e.g., computers, smartphones, and tablets) is part of the user’s private sphere. It covers all types of cookies, including first-party and third-party statistical, marketing, and tracking cookies, but there are exemptions for technically necessary cookies, such as those that remember the items in a user’s shopping cart while they browse other areas of the website.
The main requirements of the Danish Cookie Order are information and consent. Together, these requirements form the basis of informed consent. Informed consent must be gathered from users before websites can store cookies on a user’s equipment or access a cookie already stored. Specifically, users must be provided with “comprehensive information” about the storing of, or access to, cookies.
To meet the Order’s information requirement, it is necessary to:
Provide information in language that’s clear, precise, and easily understood
Explain the purpose of the cookies being used
Let the user know who is behind the cookies (i.e., the website owner or a third party)
Inform the user how to withdraw cookie consent
State the cookie’s duration/expiry date
In addition to meeting the Order’s information requirements, you must meet its consent requirements. The requirements for consent are:
The user must be able to withdraw consent they have previously given
User consent must be linked to the purpose for which the data collection is to be used
Compliance with Cookie Order rules is overseen by the Danish Business Authority. A simplified guide to the Order, updated in 2019, is available here.
The GDPR and cookies
The Danish Data Protection Act does not explicitly mention cookies. The GDPR does mention cookies—exactly once, in Recital 30. Cookies are considered personal data—and are therefore subject to the GDPR—when, either alone or in combination with other information, they can be used to identify online users.
While not all cookies are considered personal data according to this definition, the majority of cookies used for digital marketing purposes, such as advertising and analytics cookies, are personal data for GDPR purposes. Cookies that do qualify as personal data can only be deployed if there is a legal basis for doing so. Unless you have a “legitimate interest” for collecting cookies (hint: you probably don’t), you’ll need to collect user consent.
Article 4, section 11 of the GDPR deals with data subject consent. It states that consent must be freely given, specific, informed, and unambiguous. These requirements are very similar to those found in the Danish Cookie Order. In addition, the GDPR mandates that companies deploying cookies must document users’ consent preferences and keep this information on file for at least 5 years.
Requirements to comply with Danish cookie laws
User consent must be obtained for cookies other than those necessary for the site to function.
There must be an equal opportunity to consent—or not consent—to cookies. Do not “nudge” users to consent by using different-sized or colored buttons that make it easier to say “yes” to cookies, and don’t make it more difficult to say “no” by only giving the opportunity to choose between “yes” and “more information” in the first part of the cookie consent banner. Website owners must make it obvious that users can completely refrain from consenting to cookies.
The cookie banner must state, in an easy-to-understand manner, who is setting the cookies, the purpose for cookies, and when the cookies expire.
Obtain separate consent for each category of cookies. Users should have the ability to select/deselect individual categories of cookies (marketing, statistics, etc.) based on the purpose of the cookie.
Make it clear what type(s) of user information, such as browsing history and IP address, are sent to your organization and any third parties that process the data.
The cookie information you provide to users must always be available on your site.
Make it possible to withdraw consent at any time with clear, easy-to-understand directions, and make withdrawing consent as easy as giving consent.
Document consent preferences and store them for a minimum of five years, per the GDPR.
If you rely on a legal basis other than consent for the subsequent processing of personal data for a specific purpose, that basis should be stated in your cookie banner or privacy notice.
If this last point is confusing, keep in mind that there are scenarios that do not require user cookie consent to be collected:
The cookie is technically necessary for the website to function properly;
The cookie is solely for the purpose of transmitting messaging via an electronic communications network; or
The cookie is required to provide a service expressly requested by the user.
How to comply with Danish cookie regulations
Danish authorities acknowledge that recent EU decisions in the area of cookies, and different sets of rules regulating cookies, can make it difficult for website owners to comply with cookie rules in Denmark. The Danish Business Authority recommends you take an inventory of your web properties and check which cookies are deployed.
Of course, that’s easier said than done.
But with a Consent Management Platform (CMP) from Didomi, complying with Danish cookie regulations is a snap. Our CMP gives you options for gathering cookie consent that works best for your particular audience in Denmark—and anywhere in the world. Experiment with different formats, A/B test, and turn consent into a business opportunity.
Frequently Asked Questions (FAQ)
What are the main requirements of the Danish Cookie Order?
The Danish Cookie Order mandates two main requirements: information and consent.
Websites must provide comprehensive information about the storing of, or access to, cookies and obtain informed consent from users before storing cookies on their equipment.
How does the GDPR relate to cookie usage in Denmark?
The GDPR considers cookies personal data when they can be used to identify online users, either alone or in combination with other information. Much like the Danish Cookie Order, the GDPR requires that consent for cookies be freely given, specific, informed, and unambiguous.
What steps can organizations take to comply with Danish cookie regulations?
Organizations can comply by ensuring they obtain active user consent for cookies, providing clear information on the purpose of cookies, who sets them, and when they expire, among other details. This can be achieved with a Consent Management Platform (CMP).
They should also document consent preferences and store them for a minimum of five years as per the GDPR.