Digitaliseringsstyrelsen - Decision against Meta of 30 October 2023
Digitaliseringsstyrelsen - Decision against Meta of 30 October 2023 | |
---|---|
Court: | Digitaliseringsstyrelsen (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 4(11) GDPR; ePrivacy Directive; Article 2(8) Cookiebekendtgørelsens; Article 3(1) Cookiebekendtgørelsens; Article 3(2)(4) Cookiebekendtgørelsens |
Decided: | 30.10.2023 |
Published: | |
Parties: | Meta Platforms Inc. |
National Case Number/Name: | Decision against Meta of 30 October 2023 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | Danish |
Original Source: | Digitaliseringsstyrelsen (in Danish) |
Initial Contributor: | co |
The Danish Agency for Digitalization ordered Meta to adapt its cookie banner and the information provided in its cookie policy so that they comply with the national law on cookies.
English Summary
Facts
The Danish Business Authority first sent a consultation letter requesting Meta to elaborate on the cookies it uses and on the cookie banner displayed on its website as it deemed that it did not provide sufficient information. Meta responded stating that it only uses technically necessary cookies for non-registered users, whereas a cookie banner requiring consent shows up for registered users.
In the consent banner for registered users, Meta grouped the categories "Our cookies on other apps and websites" and "Cookies from other entities" under a single consent. In the consent banner for unregistered users, it was likewise not possible to give granular consent for different purposes, as the only options were "Allow only necessary cookies" or "Allow necessary and optional cookies". In 2022, Meta changed the banner for unregistered users, adding a link to the cookie policy where users could manage their consent, but still only one consent could be given for several purposes.
Further, the option to withdraw consent for non-registered users was presented in such a way that users had to click several times before finally withdrawing consent.
In its letter, the Danish Business Authority also pointed out that Meta did not provide sufficient information on cookies and similar technologies used on its website. Meta responded that its information corresponded to the Authority's 2013 Guidelines, which only required general information on the purposes of cookies to be provided. Meta adapted its cookie policy as of September 2023, adding a list of cookies and "The most common purposes of these cookies".
The case was then transferred to the Danish Agency for Digitalization which is competent for dealing with cases relating to the application of the Cookiebekendtgørelsens (The cookie Law), the national implementation of the ePrivacy Directive.
Holding
Upon receiving a statement by Meta listing all the changes it adopted, the Agency concluded that the use of cookies on Meta’s website was still in violation of Article 3(1) of the Cookie Law and consent could not be deemed to be valid according to Article 2(8) of the Cookie Law and Article 4(11) GDPR.
First of all, Meta’s cookie banner did not allow its registered and unregistered users to give a granular consent, that is separate consents for different generic purposes, in violation of Article 2(8) of the Cookie Law and against the wording of Recital 43 GDPR and Recital 32 GDPR, as interpreted by the EDPB.
Secondly, a permanent and clear option to withdraw one’s consent to the use of cookies was not available. As a matter of fact, users would have to click three times before being able to withdraw their consent, which the Agency deemed to be in violation of Article 3(2)(4) of the Cookie Law.
Thirdly, the Agency noted that, with respect to the information to be provided, Meta wrongfully relied on the Authority's 2013 Guidelines, as a new set of guidelines was published in 2019. The latter also requires that detailed information about each cookie be provided. Even after the adaptation of September 2023, the Agency found the current cookie policy to be in violation of Article 3(1) of the Cookie Law, as it only provided examples of the purposes.
The Agency thus ordered Meta to bring its webpage into compliance by 27 November 2023, so that:
- It is possible for users to grant granular consent.
- A permanently available option to withdraw consent through a direct and clearly marked access is given on the website.
- Information about cookies and their purposes is continuously available on the website and this is provided in clear, precise and easily understandable language.
Comment
This is not a DPA decision, as the authority competent for dealing with cases relating to the application of the Cookiebekendtgørelsens, the national implementation of the ePrivacy Directive, is the Danish Agency for Digitalization.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Digital Agency · Landgreven 4 · PO Box 2193 · 1013 København K
Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, United States
30 October 2023
Sent by mail to Gorrissen Federspiel
Decision in case about the use of cookies on https://da-dk.facebook.com
The Danish Business Authority sent consultation letters to Meta Platforms Inc. (hereafter Meta) on 1 September and 8 December 2022 respectively, regarding the use of cookies on the website https://da-dk.facebook.com (hereinafter the Website), on the basis of how the solution looked at that time. On 17 October 2022 and 5 January 2023, respectively, Meta submitted its comments on the case. In addition, on 15 March 2023 Meta sent a follow-up statement that describes a number of changes that Meta would make to the Website's consent solution during April 2023.
Until 15 December 2022, the supervision of compliance with the cookie executive order lay with the Danish Business Authority. Due to a departmental reorganization, the supervision of compliance with these rules has been transferred to the Digital Agency. It is therefore the Digital Agency which makes a decision in the case.
The Digital Agency finds, on the basis of the information available in the case, occasion to make the decision below.
1. Decision
The Digital Agency hereby makes a decision pursuant to section 20, subsection 2 of the Telecommunications Act [2]. Meta's use of cookies and similar technologies on the Website is contrary to section 3, subsection 1 of the cookie executive order.
Meta is ordered, by 27 November 2023 at the latest, to bring the items of the Website's consent solution listed below into accordance with section 3, subsection 1 of the cookie executive order, cf. § 2, no. 8. Meta is requested to give an explanation, by the same date at the latest, of how Meta has complied with the orders.
[1] Executive order no. 1148 of 9 December 2011 on requirements for information and consent when storing or accessing information in end-user terminal equipment.
[2] Legislative Decree No. 955 of 17 June 2022 on electronic communication networks and services.
It should also be noted that the data protection rules, including the data protection regulation, apply when collecting or otherwise processing personal data. The Danish Agency for Digitization only supervises the rules in the cookie executive order, and the Danish Agency for Digitalisation has therefore not taken a position on the processing of the personal data collected via cookies and similar technologies on the website.
The consent solution for the Website's "registered users"
Meta is ordered to change the consent solution for the Website's "registered users", so that a single consent is not obtained for several different overall purposes. The consent solution must give the end user the opportunity to give a separate consent for each individual overall purpose, cf. section 3, subsection 1 of the cookie executive order, cf. § 2, no. 8.
The consent solution for the Website's "unregistered users"
Meta is ordered to change the consent solution for the Website's "non-registered users", so that a single consent is not obtained for several different overall purposes. The consent solution must give the end user the opportunity to provide a separate consent for each individual overall purpose, cf. section 3, subsection 1 of the cookie executive order, cf. § 2, no. 8. Meta must also ensure that the possibility of providing a granular consent is readily available to end users.
Option to withdraw consent
Meta is required to give the end user immediate access to withdraw his consent to cookies and similar technologies. This access must be clear to users.
The access for the user to withdraw the consent, as well as instructions for this, must also be continuously accessible through a direct and clearly marked access on the website, cf. section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 4 and 5.
Access to information about the cookies and similar technologies used
Meta is required to provide both the "registered users" and "non-registered users" access to information about all used cookies and similar technologies, cf. section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 1-3 and no. 5, cf. § 2, no. 8. The information must be continuously available and the description must be in clear, precise and easy-to-understand language.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information and on repeal of Directive 95/46/EC (General Data Protection Regulation).
2. The legal basis
The rules on the use of cookies and similar technologies are found in the Telecommunications Act, and the more detailed requirements for website owners' consent solutions are laid down in the cookie executive order. The rules in the Telecommunications Act and the cookie executive order originate in the e-data protection directive.
The e-data protection directive contains special regulations on data protection for electronic communication services. These rules specify and supplement the general rules on data protection in the data protection regulation.
The rules on the use of cookies are intended to protect the end user from the use of cookies and similar technologies on websites without the end user having given a valid consent to this.
Through cookies and similar technologies, the website owner and possibly third parties can collect information about the end user's online behavior and create a detailed user profile of the end user. Information that may be collected through cookies and similar technologies therefore forms part of the end user's private sphere, which requires effective protection.
Website owners who use cookies and similar technologies that are not technically necessary therefore have a duty to obtain the end users' consent to the use of these cookies and similar technologies in accordance with section 3, subsection 1 of the cookie executive order.
Section 2, no. 8 of the cookie executive order states that a consent constitutes "Any voluntary, specific and informed declaration of intent whereby the end user consents to information being stored or access being gained to information already stored in the end user's terminal equipment."
The concept of consent in section 2, no. 8 of the cookie executive order must be understood in accordance with the definition of the concept of consent in Article 4, no. 11 of the data protection regulation.
Article 4, no. 11 of the data protection regulation states that consent must be understood as "any voluntary, specific, informed and unequivocal declaration of intent by the data subject whereby the data subject by declaration or clear confirmation agrees that personal data relating to the person in question is made the subject of processing".
It appears, among other things, from recital 32 of the data protection regulation that "Consent should cover all processing activities carried out for the same purpose. When processing serves multiple purposes, consent should be given to all of them".
[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and protection of privacy in the electronic communications sector (Directive on data protection in electronic communication).
Recital 32 is supplemented by recital 43, from which it appears, among other things, that "Consent is presumed not to have been given voluntarily if it is not possible to give separate consent to different processing activities regarding personal data, even if it is appropriate in the individual case, or if the fulfillment of a contract, including the provision of a service, is made dependent on consent, even if such consent is not necessary for its fulfillment."
As far as cookies and similar technologies that are technically necessary are concerned, there is no requirement to obtain consent, as these fall outside the rules in the cookie executive order, cf. section 4 of the cookie executive order.
For further information on the requirements, see the agency's guidance: https://digst.dk/sikkerd/digitale-tilsyn/tilsyn-med-cookieomraadet/cookievej- the wire/.
The Danish Agency for Digitalisation can also refer to the Council for Digital Security's quick guide to setting cookies: https://www.digitalsikkerd.dk/wp-content/uploads/2021/04/Quickguide-2.pdf.
3. The Digitalisation Agency's assessment and justification
On 15 March 2023, Meta sent a statement describing a number of changes which Meta will make to the website's consent solution during April. It is the Danish Agency for Digitalisation's assessment that the mentioned changes do not resolve the conditions addressed in this decision.
In the consultation letter of 1 September 2022, the Danish Business Authority requested Meta to explain the cookies and similar technologies that are placed before the end user has consented to their use.
In the consultation response of 17 October 2022, Meta confirmed that only technologies are used which can be categorized as either technically necessary cookies, cf. section 4 of the cookie executive order, or simple statistical cookies [5]. The Agency will therefore take no further action in relation to this point.
The Danish Business Authority further complained that the cookie banner on the Website does not inform in a sufficiently clear manner about the purposes for which Meta uses its own cookies and similar technologies, including that the icons used do not give a fair picture.
In the consultation response of 5 January 2023, Meta stated that, in relation to "non-registered users", Meta only uses cookies and similar technologies for technically necessary purposes, cf. section 4 of the cookie executive order. As such cookies are exempt from the information and consent requirement, the Digital Agency will therefore not order Meta to change the purpose descriptions of first-party cookies in the Website's cookie banner for "unregistered users". In the consultation response of 17 October 2022, Meta also sent a screenshot of the cookie banner that is used for the "registered users". It is the Danish Digital Agency's assessment that the description of the purpose of Meta's own cookies and similar technologies (first-party cookies) lives up to section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 1 and 2, cf. § 2, no. 8.
[5] Cookies and similar technologies that collect statistics exclusively for the service's own use, and where third parties do not have the opportunity to use the data for their own purposes. The Digitalization Agency does not prioritize this form in its supervision, and therefore does not address conditions related to this type of cookies.
On the basis of the available information, the Digital Agency will not take further action on these two points.
However, the Digital Agency maintains its assessment of the other shortcomings. The Agency will elaborate on and justify its decision in the case in the following sections.
3.1. Obtaining valid consent on the Website
The Danish Business Authority complained in the consultation letters of 1 September and 8 December 2022 that the Website does not give the visitor the opportunity to provide a granular consent, as it is only possible for the visitor to give a single consent for all purposes.
Meta has stated the following in the consultation response of 5 January 2023:
"It follows explicitly from recital 43 of the GDPR that the requirement for separate consents to be given to different processing operations are only triggered when it is "appropriate in the individual case". And even then, not doing so merely creates a "presumption" against the consent being freely given, which may consequently be rebutted. As such, there is no legal rule preventing the grouping of related cookie purposes in aggregate categories when obtaining consent to the extent that doing so does not conflict with the overall requirement that clear and comprehensive information must be provided, cf. above. Accordingly, it is MPIL's position that the cookie consent experience in question complies with applicable legal requirements."
In its guidelines on consent under the data protection regulation, the European Data Protection Board has commented on the interpretation of recitals 43 and 32. From this it appears that
"Recital 43 explains that consent is presumed not to be given voluntarily if the process/procedure for obtaining consent does not allow the data subject to give separate consent to various processing activities regarding personal data (e.g. for some of the processing operations and not for others), even if appropriate in the individual case. Recital 32 states that "Consent should cover all processing activities carried out for the same purpose or purposes. When processing serves multiple purposes, consent should be given to them all". If the data controller has several processing purposes and has not attempted to obtain separate consent for every single purpose, there is a lack of freedom. This granularity is closely related to the requirement that consent must be specific, as mentioned in point 3.2 below. When personal data is processed for several different purposes, the solution for complying with the conditions for valid consent lies in granularity, i.e. separation of purposes and obtaining consent to each purpose."
It is therefore the opinion of the European Data Protection Board that if cookies and similar technologies are used for multiple purposes, a separate consent must be obtained for each of these purposes. A consent will thus be considered neither voluntary nor specific if the end user, in connection with the provision of consent, has not had the opportunity to divide his consent according to the individual purposes.
Considering the European Data Protection Board's interpretation of recitals 32 and 43 of the data protection regulation, the Digital Agency cannot agree that website owners must only obtain separate consent when it is appropriate in the individual case. It is, on the other hand, the Digitalisation Agency's assessment that separate consent must be obtained when cookies and similar technologies are used for several different overall purposes, so that a consent can be considered to fulfill the requirement to be voluntary and specific. This applies regardless of whether it is appropriate to combine the consent for different overall purposes in one unified consent.
When consent is obtained for several different overall purposes, the end user must therefore be given the opportunity to specifically opt in or opt out of consent to each single overall purpose. If, for example, several cookies or similar technologies are used for the same overall purpose, it will be in accordance with the rules to pool these under one consent. If cookies or similar technologies are used for various overall purposes, on the other hand, it will not live up to the rules to collect these in one consent.
Meta stated in the consultation response of 17 October 2022 that the consent solutions in Meta's cookie banners are different depending on whether it is a "registered user" or a "non-registered user" who visits the Website. The consent solutions for "registered users" and "non-registered users" respectively will for this reason be dealt with separately below.
3.1.1. Requirements for granularity in the consent solution for "registered users"
In the website's cookie banner aimed at "registered users", the end users have the option to consent to two different categories: "Our cookies on other apps and websites" and "Cookies from other companies". For the category "Our cookies on other apps and websites", Meta states, among other things, that these cookies are set to be able to adapt and improve the experience, help companies with analysis and measurement of advertising effectiveness and to provide services outside the Website. For "Cookies from other companies", Meta states, among other things, that tools from other companies are used for both advertising and measurement services.
Other than that, the following appears from the information text:
"If you allow these cookies:
- We will be able to better customize ads for you outside of the Meta products and measure their efficiency
- The functions of our products are not affected
- Other companies will receive information about you using cookies"
Based on the above information, it is the Danish Agency for Digitalisation's assessment that the two categories "Our cookies on other apps and websites" and "Cookies from other entities" each cover several different overall purposes, and that the "registered users" are hereby forced to consent to several different overall purposes through one unified consent. The "registered users" are thus not given sufficient opportunity to opt in or opt out of consent to the various overall purposes, and the consent therefore does not fulfill the conditions of being voluntary and specific. On that background, it is the Danish Agency for Digitalisation's assessment that the consent solution does not meet the requirement in section 3, subsection 1 of the cookie executive order, cf. section 2, no. 8.
3.1.2. Demand for granularity in the consent solution for "unregistered users"
In the website's cookie banner aimed at "unregistered users", the end user is informed of the following in the first layer of information:
"We use tools from other companies on Facebook for advertising and measurement services outside of the Meta products, for analytics and to provide certain features and improve our services for you. These companies also use cookies. You can allow the use of all cookies, only reversible cookies, or you can choose several options below. You can read more about cookies and about how we use them, and review or change your choices at any time, in our policy on cookies".
It is not possible for the end user to provide a granular consent through the cookie banner on the basis of the individual overall purposes, as the end user in the cookie banner only has the possibility to choose "Allow only necessary cookies" or "Allow necessary and optional cookies".
In the consultation response of 5 January 2023, Meta stated that:
"For both registered and non-registered users, third party cookies are only used for advertising and measurement cookies if users have provided their prior consent. As the cookie consent banners show (see Appendix A of our Initial Reply):
• non-registered users may consent to the use of third party cookies by selecting the option "allow essential and optional cookies"[…]"
Based on the description in the cookie banner's first information layer and Meta's consultation response of 5 January 2023, the Digital Agency assumes that, where there is consent to optional cookies, cookies are used for several different overall purposes. As the end user, however, does not have the option to opt in or out of consent separately for the individual overall purposes, the consent does not meet the conditions of being voluntary and specific.
The Danish Agency for Digitization can ascertain that the website's consent solution was updated on 5 October 2022. In the cookie banner aimed at "unregistered users", a link to Meta's cookie policy appears. In the cookie policy, a function has been implemented that gives the end user access to manage his consent to the use of cookies. In the information text that appears next to the end user's access to manage his consent, Meta informs, among other things, that tools from other companies are used for various general purposes, including advertising and measurement services as well as to provide certain features and improve Meta's services.
In addition, the following appears from the information text:
"If you allow these cookies:
- Functions you use on the Meta products are not affected
- We will be able to better tailor ads to you outside of the Meta products and measure their efficiency
- Other companies will receive information about you using cookies"
The function that allows "non-registered users" to manage consent, however, correspondingly only contains the possibility of providing one overall consent, as there is only one purpose category that the end user can select. The "non-registered users" are therefore not given, in the cookie banner or through the option to manage the consent, sufficient opportunity to opt in or opt out of consent for the various overall purposes.
Despite the change in the cookie policy on 5 October 2022, it is therefore the Danish Agency for Digitalisation's assessment that the consent for the "unregistered users" still cannot be considered to be voluntary and specific, as Meta, both in the cookie banner and with the access to manage the consent, obtains one collective consent for several different overall purposes.
Against this background, it is the Digitalisation Agency's assessment that neither the consent solution in the cookie banner for "non-registered users" nor the consent solution under the access to manage the consent meets the requirements of section 3, subsection 1 of the cookie executive order, cf. § 2, no. 8.
3.2. The access to revoke consent for "unregistered users"
It follows from section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 4, that it is a prerequisite for the use of cookies and similar technologies that there is an immediately and readily available access for the end user to refuse or revoke consent, as well as a clear, precise and easy-to-understand guide on how the end user uses this access.
If the end user wishes to revoke the consent, this requires that "non-registered users":
1. "clicks" on "policy on cookies" in the cookie banner
2. "clicks" on "Manage your cookies"
3. "clicks" on the link: "You can manage cookies from other companies in the Meta products from this browser" in the pop-up window.
It is the Danish Digital Agency's assessment that the access to withdraw consent is not immediately available to the end user, as it requires several clicks before the end user gets access to manage his consent. In this connection it should be noted that the agency has also become aware that a detailed deletion guide is also given, which can be found when the user:
1. "clicks" on "policy on cookies" in the cookie banner
2. "clicks" on "Settings for browser cookies"
3. "clicks" on one of the specified links to the most popular browsers, after which the user in this fourth layer of information can see how he can delete cookies from the browser
It thus still requires three clicks for the user to access the function. This means, in relation to the description of a valid solution in the consultation letter, that this solution does not comply with the rules either.
The access to revoke consent thus does not meet the requirements of section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 4.
3.3. Insufficient information about cookies and similar technologies
The Danish Business Authority stated in its consultation letter of 1 September 2022 that Meta does not provide the end user with adequate information about the cookies and similar technologies which are used on the website, cf. section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2.
It appears from Meta's consultation response of 17 October 2022 that:
"As with the design of the cookie consent experience, the overview of cookies used presented to users – whether registered or not – has been designed with readability and understandability at the forefront. Thus, rather than presenting users with a cookie declaration merely listing the cookies used, which for the average user would do little in the way of ensuring transparency, MPIL instead presents the user with a curated overview of illustrative and representative examples. These examples cover the purposes and also refer to the duration of the cookies."
In continuation of this, Meta has claimed that Meta's solution is in accordance with the Danish Business Authority's guidance from 2013. In its consultation response of 17 October 2022, Meta cited the Danish Business Authority's guidance from 2013, from which it appears that the information provided should describe the purpose of the service's use of cookies, and not the individual cookies themselves, and that it is up to the web service itself how detailed they want to describe their cookies.
In this connection, the Danish Agency for Digitalisation must note that the Danish Business Authority's guidance from 2013 no longer applies, as the guidance was replaced by a new guidance in December 2019.
When consent is obtained, e.g. via a layered cookie banner, it will as a starting point be sufficient to only present the end user with the most important information on an overall level in the first information layer of the cookie banner. This will, among other things, include information about the provider, purpose and a link to more detailed information. However, the end user is also entitled to access detailed information about the cookies and similar technologies used, including detailed information on purpose, provider and duration of operation.
This information can, for example, be provided via a link to a list of the cookies and similar technologies in question.
It is the Danish Agency for Digitalisation's assessment that the conditions in section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, are only fulfilled if the end user is provided with information in relation to each individual cookie and similar technology used on the Website. The requirement that the information must be adequate, and that the detailed cookie information must cover all the cookies and similar technologies used, appears in section 3, subsection 1 of the cookie executive order. This is also supported by the EU Court's decision in the Planet49 case (C-673/17), as it follows from paragraph 74 of the judgment that: "[…] the user [must be] able to determine without difficulty the consequences of any consent and to ensure that this consent is given with full knowledge of the consequences". It is the Danish Agency for Digitalisation's assessment that this is only fulfilled if the user receives a comprehensive list of all cookies and similar technologies used.
At the time of the consultation, Meta's cookie policy only provided general descriptions of the purposes of the cookies and similar technologies used. Meta gave, e.g. under the section "advertising, recommendations, insight and measurement", only information about the purpose, provider and functional duration of specially selected cookies in order to simplify the cookies and similar technologies used. Since the consultation letter, a change was made to the website so that users in the solution as of 19 September 2023, under "The cookies we use and the way we use them", are given a listing of cookies. However, it is described above the listing that "Below are shown the cookies which we normally use, as well as the most common purposes of these cookies".
The Agency understands this to mean that only examples of the technologies used continue to be given, as well as examples of their most common purposes. Neither the Website's previous nor current cookie policy, as it appeared as of 19 September 2023, thus contains, in the Digitalisation Agency's opinion, an exhaustive list of the technologies used with detailed information about the provider, purpose and functional duration of each individual cookie and similar technology used.
It is thus the Danish Agency for Digitalisation's assessment that Meta's solution still does not live up to the requirements in section 3, subsection 1 of the cookie executive order, cf. section 3, subsection 2, no. 1-3, as the listed examples of used cookies and similar technologies (purpose, provider and functional duration) are not adequate.
Complaints guidance
This decision can be appealed to the Teleklagenævnet, Toldboden 2, 8800 Viborg, tel.: 72 40 56 00, e-mail: tkn@naevneneshus.dk. A possible complaint must be received by the Telecom Complaints Board no later than four weeks after the Digital Agency has made this decision. Attention is drawn to the fact that, pursuant to § 3, subsection 2 of executive order no. 838 of 21 April 2011 on the Telecom Complaints Board's activities, no fee has to be paid for the handling of complaints of this type by the Telecom Complaints Board.
A possible complaint must be submitted via the Digitalization Agency at digst@digst.dk, or the Digitalization Agency, Landgreven 4, Postbox 2193, 1017 København K. It can be stated for information that if the Danish Agency for Digitization maintains the decision, the Danish Agency for Digitization in that case forwards the case and its documents to the Telecom Complaints Board as soon as possible and, as a starting point, within 7 working days after receipt of the complaint, cf. 37.
With best regards
Allan Villadsen
Chief consultant, Master of Laws
T +45 21604635
Email allvil@digst.dk