Danish Data Protection Authority Cites a Website for Failing to Provide Required Cookie Consent

On December 11, 2020, Danish Data Protection Authority held that a website’s cookie consent mechanism violated the GDPR where it failed to provide required voluntariness, granularity, and unequivocal expression of will.

The website, which provides various golf-related content, used a consent banner which contained the following disclosure:

This website uses cookies.  We use cookies to personalize our content and ads, to show you social media features and to analyze our traffic. We also share information about your use of our website with our social media partners, advertising partners and analytics partners. Our partners may combine this data with other information that you have provided to them or that they have collected from your use of their services. You agree to our cookies if you continue to use our website.

The website user then had the option to click on “Allow all cookies” or “Show details.” If the user clicked on “Show details,” the user was presented with information about cookies used by the website, including cookies related to “statistics,” and “marketing.” Not clicking any button and continuing to use the website was seen as consent to cookies.

The DPA concluded that the website processed personal data of its users for statistical and marketing purposes and that its consent mechanism violated the consent requirements outlined in the GDPR in the following respects:

• First, according to the GDPR Article 4(11), consent presupposes voluntariness. The DPA concluded that consent cannot be considered voluntary when it is not possible to refrain from giving consent to the processing in question.
• Second, a valid consent presupposes that the data subject is free to separately consent to various purposes for data processing – the requirement for granularity. Here, the website users could not separately consent to their data being processed for separate purposes, such as statistics and marketing.
• Third, consent must be an expression of an unequivocal expression of will on the part of the data subject. Pursuant to the GDPR, silence or inactivity cannot constitute a valid consent. Thus, the website visitor’s continued use of the website could not constitute valid consent under the GDPR.

Companies subject to the European Union’s ePrivacy Directive and the GDPR continue to struggle with cookie compliance under these regulations.  At the same time, Data Protection Authorities are ramping up their fines for non-compliance.  Just this month, France’s Data Protection Authority sanctioned Google and Amazon for having deposited advertising cookies on the computers of their users without prior consent or satisfactory disclosure.  When it comes to cookie consent mechanisms, organizations must ensure that they provide for the required elements of voluntariness, granularity, and unequivocal expression of will.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.