Datatilsynet (Denmark) - 2021-431-0125: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet (Denmark) |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=...") |
(→Facts) |
||
| (One intermediate revision by one other user not shown) | |||
| Line 50: | Line 50: | ||
}} | }} | ||
The Danish DPA | The Danish DPA ruled that a company had failed to obtain the valid consent of data subjects for the placing of cookies because the pop-up cookie banner on the website was designed to make it more difficult to reject the use of cookies than to accept such use. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject | A data subject filed a complaint with the Danish DPA regarding the controller's use of cookies on their website. The controller had relied on consent as a legal basis. The controller had first requested consent through a pop up box stating that the website used cookies. The pop up box contained two hyperlinks labeled "Read more about cookies" and "Close". During the DPA's investigation, the controller had introduced a new method of requesting consent. The controller's second solution included more information about the processing, as well as the option to opt out of processing for specific purposes from a list. With the new solution, the user had the choice between two hyperlinks labeled "ACCEPT ALL" and "Accept". The Danish DPA assessed both the first and the second consent request solution. | ||
=== Holding === | === Holding === | ||
Solution | ==== Solution 1: alternatives "Read more about cookies" and "Close": ==== | ||
The DPA held that the controller could not obtained a valid consent under [[:Category:Article 6(1) GDPR|Article 6(1)(a) GDPR]] for the use of cookies when the first solution was used. The data subject did not have the option to consent to processing for particular purposes. More importantly, the controller offered no opt-out solution for the use of cookies. The data subject therefore had no choice in the matter when visiting the website. As a consequence, the DPA expressed severe criticism about the processing activities based on this cookie banner. | |||
Lastly, the DPA also | ==== Solution 2: alternatives "ACCEPT ALL" and "Accept": ==== | ||
The DPA then had to assess whether the changes made to the cookie banner were sufficient to obtain the valid consent of data subjects. The DPA held that although the data subjects now had the possibility to reject all cookies, the cookie banner had been designed in a way that nudged the data subject towards clicking on the "ACCEPT ALL" button. It was easier for the data subjects to consent to the use of cookies than to reject such use. The DPA therefore also expressed criticism about the second solution. Lastly, the DPA also criticized the processing activities after the second solution was implemented because the cookie tracking actually began before obtaining the data subject's consent (i.e. before the data subject even clicked on the "Accept" or "ACCEPT ALL" button). | |||
== Comment == | == Comment == | ||
Latest revision as of 08:11, 27 October 2021
| Datatilsynet (Denmark) - 2021-431-0125 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 4(11) GDPR Article 6(1)(a) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 20.10.2021 |
| Published: | |
| Fine: | None |
| Parties: | Alstrøm – Din Isenkræmmer ApS |
| National Case Number/Name: | 2021-431-0125 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | n/a |
The Danish DPA ruled that a company had failed to obtain the valid consent of data subjects for the placing of cookies because the pop-up cookie banner on the website was designed to make it more difficult to reject the use of cookies than to accept such use.
English Summary
Facts
A data subject filed a complaint with the Danish DPA regarding the controller's use of cookies on their website. The controller had relied on consent as a legal basis. The controller had first requested consent through a pop up box stating that the website used cookies. The pop up box contained two hyperlinks labeled "Read more about cookies" and "Close". During the DPA's investigation, the controller had introduced a new method of requesting consent. The controller's second solution included more information about the processing, as well as the option to opt out of processing for specific purposes from a list. With the new solution, the user had the choice between two hyperlinks labeled "ACCEPT ALL" and "Accept". The Danish DPA assessed both the first and the second consent request solution.
Holding
Solution 1: alternatives "Read more about cookies" and "Close":
The DPA held that the controller could not obtained a valid consent under Article 6(1)(a) GDPR for the use of cookies when the first solution was used. The data subject did not have the option to consent to processing for particular purposes. More importantly, the controller offered no opt-out solution for the use of cookies. The data subject therefore had no choice in the matter when visiting the website. As a consequence, the DPA expressed severe criticism about the processing activities based on this cookie banner.
Solution 2: alternatives "ACCEPT ALL" and "Accept":
The DPA then had to assess whether the changes made to the cookie banner were sufficient to obtain the valid consent of data subjects. The DPA held that although the data subjects now had the possibility to reject all cookies, the cookie banner had been designed in a way that nudged the data subject towards clicking on the "ACCEPT ALL" button. It was easier for the data subjects to consent to the use of cookies than to reject such use. The DPA therefore also expressed criticism about the second solution. Lastly, the DPA also criticized the processing activities after the second solution was implemented because the cookie tracking actually began before obtaining the data subject's consent (i.e. before the data subject even clicked on the "Accept" or "ACCEPT ALL" button).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
