Digitaliseringsstyrelsen - Decision against Google of 30 October 2023
Digitaliseringsstyrelsen - Decision against Google of 30 October 2023 | |
---|---|
Court: | Digitaliseringsstyrelsen (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 4(11) GDPR Article 2(8) Cookiebekendtgørelsens Article 3 Cookiebekendtgørelsens |
Decided: | 30.10.2023 |
Published: | |
Parties: | Google LLC |
National Case Number/Name: | Decision against Google of 30 October 2023 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | Danish |
Original Source: | Digitaliseringsstyrelsen (in Danish) |
Initial Contributor: | ar |
The Danish Agency for Digital Government found that Google had violated the national implementation of Art. 5(3) of the ePrivacy Directive and ordered them to make several changes.
English Summary
Facts
The Danish Business Authority was formerly responsible for supervising compliance with the Danish cookie rules. Due to reorganisation, the supervision was transferred to the Danish Agency for Digital Government on 15 December 2022, who is the authority making the decision in this case.
On 1 and 16 September 2022, Google LLC was sent consultation letters regarding the use of cookies on their website, based on how the banner looked at that time.
The Agency for Digital Government (Agency) pointed out that the website did not allow users to give granular consent. The text on the first layer of the cookie banner stated that by selecting "accept all", users agreed that Google could use cookies to process their data for four purposes. Users would also be given the option of dividing their consent under "More choices" on the second layer of the cookie banner. However, users were only given the option to split their consent over two purposes, different to the ones in the first layer. Secondly, the Agency found that Google did not provide users with adequate information about all cookies used on the website. It also pointed out that the information was not considered to be permanently available through direct and marked access on the website, as it was difficult for users to retrieve information when clicking away the cookie banner.
On 13 September and 6 October 2022, Google Denmark ApS, Google LLC and Google Ireland Limited submitted comments to the letters. They argued that the material scope of the Danish Cookie Law is limited to the website operator, which in their cases is Google Ireland Limited. In light of this, they contested the Agency’s territorial competence to supervise Google Ireland Limited.
Holding
Firstly, the Agency affirmed that the website owner is subject to the obligations regarding the use of cookies under the Danish Cookie Law. Meaning that Google LLC, as the website owner, was subject to its requirements. Henceforth, on the territorial scope, the Agency, citing the EDPB Internal Document 04/2021, reiterated that a supervisory authority is competent to handle a case when the controller or processor is established in that Member State and when the processing of personal data is carried out as part of the establishment's activities. Hence, the Agency confirmed to have territorial jurisdiction given that Google Denmark ApS, a subsidiary of Google LLC, has its registered office in Copenhagen, and because the placing of cookies on users’ terminal equipment was part of the activities carried out by Google Denmark ApS in the Danish market on behalf of Google LLC.
Secondly, on the Cookie banner, the Agency assessed that the four purposes described in the first layer of the cookie banner were not sufficiently similar to be grouped under the two overall purposes of the second layer. Since users should give separate consent for each general purpose under Articles 2(8) and 3(1) of the Cookie Law , the condition for voluntary and specific consent (as also described in Article 4(11) GDPR) was not met. In connection with this, the Agency acknowledged that the website allowed users to withdraw their consent. However, it was not immediately accessible and it was unclear how consent could be withdrawn, breaching Articles 3(2), (4) and (5) of the Cookie Law. Hence, the Agency ordered Google LLC to change the consent solution and provide users with immediate access to withdraw their consent to cookies.
Thirdly, the Agency assessed that users did not have access to a cookie policy with clear, precise and easily understandable language under Article 3(1) and (2) of the Cookie Law. This was because the information was given as examples, and the adequate explanation was only given in English, while the recipient group primarily spoke Danish. Additionally, the Agency found that the required information was not permanently available through direct access on the website, as it was difficult for users to retrieve information after clicking away the cookie banner - contrary to Articles 3(1), (2) and (5) of the Cookie Law. The Agency recognized this had been changed and now required fewer clicks for users to access the information. However, it still believed it was not easy for users to reach it. Therefore, the Agency required Google LLC to provide all the information in clear, precise and easily understandable language and for the information to be made always accessible.
In conclusion, the Agency ordered Google LLC to comply with the above requirements no later than 27 November 2023, and by the same date, explain how it complied with the orders.
Comment
The rules on the use of cookies stem from the Danish Telecommunications Act, with more detailed requirements for consent solutions regarding cookies laid down in the Danish Cookie Law. These provisions originate from the ePrivacy Directive implementation and specify and supplement the GDPR. In Denmark, the Danish Agency for Digital Government is the supervisory authority for cookie rules. They solely supervise cookie rules, explaining why their decision doesn't concern personal data processing as per the GDPR, which falls under the Danish Data Protection Authority, Datatilsynet.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Digital Agency · Landgreven 4 · PO Box 2193 · 1013 København K Google LLC October 30, 2023 1600 Amphitheater Parkway Mountain View, CA 94043 United States Sent per email to Plesner Advokatpartnerselskab Decision in case about the use of cookies on https://google.dk The Danish Business Authority sent on 1 September and 16 September 2022 respectively consultation letters to Google LLC regarding the use of cookies on https://google.dk (hereinafter the Website), based on how the solution looked out at this time. Google Denmark ApS, Google LLC and Google Ireland Limited (hereinafter Google) have respectively on 13 September and 6 October 2022 submitted comments on the case. The supervision of compliance with the cookie decree has until 15 December 2022 located at the Danish Business Authority. Due to the reorganization of the department, the supervision is included compliance with these rules has been transferred to the Digital Agency. It's there- for the Digital Agency, which makes a decision in the case. The Digital Agency finds, on the basis of the information available in the case, occasion to make the decision below. 1. Decision The Digital Agency hereby makes a decision pursuant to section 20, subsection of the Telecommunications Act. 2. Google LLC's use of cookies and similar technologies on the Website is in contrary to section 3, subsection of the Cookie Order. 1. Google LLC is ordered no later than November 27, 2023 to bring the information below conditions present at the Website's consent solution in accordance with co- section 3, subsection of the kie executive order 1, cf. § 2, no. 8. Google LLC is also requested 1Executive order no. 1148 of 9 December 2011 on requirements for information and consent when storing or ad- access to information in end-user terminal equipment. 2 Legislative Decree No. 955 of 17 June 2022 on electronic communication networks and services. The Digital Agency · Landgreven 4 · PO Box 2193 · 1013 Copenhagen K Page 2 of 16 no later than the same date to explain how Google LLC has complied with the bids. It should also be noted that the data protection rules, including data protection ses regulation, applies when collecting or otherwise processing personal data. The Danish Agency for Digitization only supervises the rules in cookie the executive order, and the Danish Agency for Digitalisation has therefore not taken a position on processing of the personal data collected via cookies and similar technologies on the website. Option to give granular consent Google LLC is ordered to change the consent solution for the Website so that no one collective consent is obtained for several different general purposes. non-consensual the provision must give the end user the opportunity to give a separate consent to each kelt overall purpose, cf. section 3, subsection of the cookie executive order 1, cf. section 2, no. 8. Option to withdraw consent Google LLC is required to give the user an immediate access to withdraw his compa- thick for cookies and similar technologies left. This access must be clear to the user. Access for the user to withdraw consent and guidance must also be continuously available by a direct and clearly marked restricted access to the Website, cf. section 3, subsection of the cookie executive order 1, cf. § 3, subsection 2, No. 4 and 5. Access to information about the cookies and similar technologies used Google LLC is required to give the user access to information about all used cookies and similar technologies, cf. section 3, subsection of the cookie executive order 1, cf. § 3, subsection 2, no. 1-3 and no. 5, cf. § 2, no. 8. The information must be continuously available, and the description must be in clear, precise and easily understandable language. 2. Legal basis The rules on the use of cookies and similar technologies are found in the Telecommunications Act, and the more requirements for consent solutions regarding use of cookies and similar technologies is determined in the cookie executive order. The rules in the Telecommunications Act and the cookie decree originate in the e-data protection directive 4 tive. The e-data protection directive contains special regulations on data protection for 3Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons ner in connection with the processing of personal data and on the free exchange of such information and on 4repeal of Directive 95/46/EC (General Data Protection Regulation). and protection of privacy in the electronic communications sector (Directive on data protection in- that for electronic communication) Page 3 of 16 electronic communication services. These rules specify and supplement the ge- neral rules on data protection in the data protection regulation. The rules on the use of cookies are intended to protect the end user from the use of cookies and similar technologies on websites without the end user having given one valid consent to this. Through cookies and similar technologies, data can be collected information about the end user's online behavior and a detailed user profile is created about it this. Information that can be collected via cookies and similar technologies constitutes therefore part of the end user's private sphere, which requires effective protection. Use of cookies and similar technologies that are not technically necessary, for therefore postpones obtaining the end users' consent to the use of these cookies and similar technologies in accordance with section 3, subsection of the cookie executive order. 1. Section 2, no. 8 of the Cookie Order states that a consent constitutes "Any volunteer, spe- cific and informed declaration of intent whereby the end user consents to information being stored or access is gained to information already stored in the end user's terminal equipment.” The concept of consent in section 2, no. 8 of the cookie executive order must be understood in agreement mel with the definition of the concept of consent in the data protection regulation article 4, No. 11. Article 4 of the Data Protection Regulation, no. 11 states that consent must be understood "any voluntary, specific, informed and unequivocal declaration of intent by the data subject whereby the data subject by declaration or clear confirmation agrees that personal data relating to the person in question is made the subject of treatment”. It appears, among other things, of recital 32 of the data protection regulation, that "Consent should cover all processing activities carried out for the same purpose. After treatment serves multiple purposes, consent should be given to all of them”. Recital 32 is supplemented by recension 43, of which i.a. it appears that "Consent forms not to have been given voluntarily if it is not possible to give separate consent to different ones processing activities regarding personal data, even if it is appropriate in the individual case case, or if the fulfillment of a contract, including the provision of a service, is made dependent on consent, even if such consent is not necessary for its fulfillment.” As far as cookies and similar technologies, which are technically necessary, apply there is no requirement to obtain consent, as these fall outside the rules in the cookie executive order, cf. section 4 of the cookie executive order. For further information on the requirements, see the agency's guidance: https://digst.dk/sikkerd/digitale-tilsyn/tilsyn-med-cookieomraadet/cookievej- Page 4 of 16 the wire/. The Danish Agency for Digitalisation can also refer to the Council for Digital Security kerhed's quick guide to setting cookies: https://www.digitalsikkerd.dk/wp-con- tent/uploads/2021/04/Quickguide-2.pdf. 3. The Digitalisation Agency's assessment and justification Google has claimed in the consultation responses that it is not Google LLC, but there- against Google Ireland Limited, which is the proper subject of duty according to the rules in e-data protection data protection directive and the cookie decree, and contested that the Danish Agency for Digitalisation has territorial jurisdiction to supervise Google Ireland Limited. other than that has Google raised objections to the shortcomings that the Danish Business Authority has pointed out in the consultation letters regarding the cookie solution on the Website. The Digitalization Agency requested, among other things, Google to explain the cookies and similar technologies that are placed before the end user has consented to their use. In the consultation letter of 6 October 2022, Google has confirmed that only tech- nologies, which can be categorized as either technically necessary cookies, cf. cookie § 4 of the executive order, or simple statistical cookies. The board will therefore not undertake say more about this point. The board also complained that the company did not provide adequate information about third parties in the first layer of the cookie banner if third party content is used on the service. Google has stated in the consultation letter of 6 October 2022 that this is not the case the case. The Danish Agency for Digitization will thus not take further action in stick to this point, as the solution in that case complies with the rules in the cookie declaration the rail. However, the Digital Agency maintains its assessment of the other shortcomings. The board will elaborate and justify the board's decision in the case in the following sections. 3.1. The Digitization Agency's territorial competence In both its consultation response of 13 September 2022 and 6 October 2022, Google has stated, that the subject of the cookie decree is limited to website op- the rater, i.e. the natural or legal person who places and/or allows cookies and similar technologies. In this connection, Google has stated that it is Google LLC, which is established in the USA, who owns the Website, but that it is only Google Ireland Limited that acts as The operator of the website, in that it is Google Ireland Limited that places cookies and offers the search service on the Website. Google has therefore claimed that use of cookies on the Website alone is covered by the Irish implementation of 5Cookies and similar technologies that collect statistics exclusively for the service's own use, and where one third parties do not have the opportunity to use the data for their own purposes. The Digitalization Agency does not prioritize so- form in its supervision, and therefore does not address conditions related to this type of cookies. Page 5 of 16 e-Data Protection Directive, subject to the Irish Data Protection Authority supervision, and that the Digital Agency therefore does not have competence to supervise use of cookies and similar technologies on the Website. 3.1.1. The subject of the obligation for the cookie notice It is not elaborated either in the e-data protection directive's article 5, paragraph 3, or cookie be- the notification of who is the subject of the rules' obligations. "Natural or legal persons may not store information or gain access to information that already stored, in an end user's terminal equipment or allow third parties to store information or obtain access to information if the end user does not consent to this after receiving full providing information about the storage of or access to the information.” (Digitalisation Board- sen's underlining). According to its wording, the provision covers all natural or legal persons who: 1) Stores information 2) Gains access to information 3) Allows third parties to store or gain access to information With reference to the wording of the cookie executive order § 3, subsection 1, and the purpose behind the rules in the cookie executive order and the e-data protection directive, it is Digita- The licensing authority's view is that the owner of the website is subject to the Swedish Tax Agency. the use of cookies and similar technologies on the website in question, as the owner of the website has final control over the content on the website, including the use of cookies and similar technologies. The owner is of course free to outsource the practical and technical location etc. of cookies and similar technologies to an operator within a group or to a third party. However, this does not change the fact that the owner remains responsible for ensuring that that the requirements in the cookie executive order are complied with. It is against this background that the Digital Agency's assessment is that Google LLC as owner of the homepage is subject to the pre-rules in the cookie executive order regarding use of cookies and similar technologies on the Website and thus subject to the requirements, which follows from this. 3.1.2. Territorial scope of application of the rules The e-data protection directive does not contain any regulation of the territory of the rules all field of application. It follows solely from the nature of the e-data protection directive. 15 a, subsection 4, that: "The relevant na- national supervisory authorities can take measures to ensure effective cooperation across the borders to enforce the national laws adopted pursuant to this Directive and to Page 6 of 16 provide harmonized conditions for the provision of services that entail data flows across the borders. […]”. Since no measures have been taken in accordance with the e-data protection directive art. 15 a, subsection 4, it is basically up to the individual Member States to determine the framework for the supervisory authorities' territorial supervisory competence. However, neither the Telecommunications Act nor the Cookie Decree contain any regulations ring of the question of territorial supervisory competence and thus also contains no limitation of the Digitalisation Agency's territorial supervisory authority. Coo- The kie executive order also does not contain any obligation to cooperate with or transfer cases to supervisory authorities of other Member States. Since the e-data protection directive does not contain any regulation of the framework for supervisory authorities' territorial supervisory competence, published the European Danish Data Protection Board in 2021 a note with a view to aligning the national supervisory authorities' practice in the area. 6 The European Data Protection Board concludes in the note that a supervisory authority is competent to deal with a case when the data controller or data processor is established in the relevant co- Member State, and the processing of personal data is carried out as part of the establishment's activities, although the sole responsibility for the collection and processing of personal data in- it for the EU belongs to another establishment in the group which is located in another Member State. These conditions were derived by the European Data Protection Board from the European Court of Justice 7 practice regarding the interpretation of the repealed data protection directive article 4, including in particular case C-210/16 (Wirtschaftsakademie Schleswig-Holstein). It is against this background that the Digitalization Agency is of the opinion that the limits for Di- the digitization agency's territorial competence should be interpreted accordingly with the two conditions laid down by the European Data Protection Board and EU- The Court's practice regarding Article 4 of the Data Protection Directive and data protection Article 3, subsection of the regulation 1, which replaces and continues the data protection di- article 4 of the directive, and that the Digital Agency is not covered by data protection the regulation's rules on cooperation and coherence mechanisms. 6Internal EDPB Document 04/2021 on criteria of territorial competence of supervisory authorities to en- 7orce article 5(3) of the ePrivacy Directive. in connection with the processing of personal data and on the free exchange of such data.e persons in Page 7 of 16 3.1.3. Establishment in Denmark As far as the European Data Protection Board's condition that the data controller equal or the data processor must be established in the Member State in question, has EU The Court of Justice in case C-230/14 (Weltimmo) emphasized that the concept of establishment re- includes any, even minimal, real and actual activity carried out via a permanent 8 structure. Google Denmark ApS, which is a subsidiary of Google LLC, has registered the office address in Copenhagen and, according to the CVR register, has 151 employees in Denmark. On this basis, the Digital Agency assesses that Google LLC is established in Denmark through Google Denmark ApS. 3.1.4. The processing is carried out as part of the establishment's activities The EU Court of Justice has, among other things, commented on the European Data Protection Board's declaration that the processing of personal data is carried out as part of the establishment's activities vites, in cases C-131/12 (Google Spain SL and Google) and C-210/16 (Wirtschaf- tsakademie Schleswig-Holstein). In case C-131/12 (Google Spain SL and Google), the European Court of Justice ruled that: ”[…] a processing of personal data carried out for a search engine such as Google Search, which is offered by a company with its registered office in a third country, which however has a company or a body in a Member State, is carried out 'as part of activities' carried out by that undertaking or this body if this company or this body in this Member State is to provide advertising and sale of advertising space offered by the search engine, which helps to make the service which the search engine offers, profitable. In such circumstances, the activities of the search engine provider and the activities carried out by by the company or body of the search engine provider in the Member State in question, namely closely linked, since the activities relating to the means of creating advertising space, which handle lead search engine economically profitable, and this search engine at the same time is the means that makes it possible to carry out the activities.” (Digitalisation Agency's emphasis). Against this background, the EU Court of Justice concluded that: ”[…] a processing of personal data are carried out as part of activities carried out within the territory of a Member State by a registered responsible company or body as referred to in the provision, when a search engine provider loses lers a branch or a subsidiary in a Member State that must provide for advertising and the sale of advertising 10 space in the search engine and whose activity is aimed at the inhabitants of this Member State. ” (Digi- talization agency's underlining). 8Case C-230/14 (Weltimmo) paragraph 31. 9C-131/12 (Google Spain and Google), paragraphs 55 and 56. 10C-131/12 (Google Spain and Google), paragraph 60. Page 8 of 16 The EU Court subsequently clarified in C-210/16 (Wirtschaftsakademie Schleswig-Holstein), that the fact that: ”[…] strategic decisions with regard to in- collection and processing of personal data relating to persons residing in the Union's decide, is made by a parent company which is established in a third country […], there can be no doubt that the supervisory authority governed by the law of a Member State is competent in relation to it controller's business, which is located on the territory of this Member State." (Digitalize- Ringingstyrelsen's emphasis). In the case, the European Court of Justice determined that: "[…] where a company established outside the Union nen, has several companies or bodies in different Member States, the supervisory authority is in one Member State competent to exercise the powers conferred on it in accordance with directive vet's article 28, subsection 3, against one of this company's companies or bodies that are located on the territory of this member state, even if this company or this body according to the group internals division of tasks is exclusively tasked with selling advertising space and handling other marketing measures on the territory of this Member State, and the sole responsibility for the collection and processing of per- personal information in the entire territory of the EU belongs to a company or body which is located in 12 another Member State. ” (Digitisationstyrelsen's emphasis). In addition, it appears both from C-131/12 (Google Spain SL and Google) and C- 210/16 (Wirtschaftsakademie Schleswig-Holstein), that the requirement that the treatment must be carried out "as part of the establishment's activities", must not be interpreted restrictively, and that it is not a requirement that the processing be carried out by the establishment in the Member State, as the processing must only be carried out as part of the establishment's activities. 13 This line was subsequently upheld by the European Court of Justice in case C-645/19 (Fa- cebook Belgium) . 14 From this it can be deduced that a company established in Denmark is subject to Di- The digitalisation agency's supervisory competence, even if the parent company is registered in a third country, and regardless of the fact that the establishment in Denmark, according to the group's internal tasks distribution is solely tasked with selling advertising space and handling other mar- chain measures. This applies accordingly, even if the sole responsibility for placing cookies and similar technologies and in this connection collect and process personal information within the EU belongs to another establishment in the group, which is situated in another Member State. According to the CVR register, Google Denmark ApS' core tasks are the following: "The company's purpose is mediation of the sale of online advertisements, marketing of online advertisements and mediation of 11C-210/16 (Wirtschaftsakademie Schleswig-Holstein), paragraph 63 12C-210/16 (Wirtschaftsakademie Schleswig-Holstein), paragraph 64 13C-131/12 (Google Spain and Google), paragraphs 52 and 53, C-210/16 (Wirtschaftsakademie Schleswig- Holstein), paragraphs 56 and 57 and C-645/19 (Facebook Belgium), paragraphs 91 and 93. 14C-645/19 (Facebook Belgium), paragraphs 92 to 95. Page 9 of 16 sales and direct marketing of other products and services, as well as all business, professional technical and financial, transactions as well as activities and transactions relating to research and development as well as real estate or movable property that is directly or indirectly related to said purpose or contributes to promoting the fulfillment thereof.”. The activities carried out by Google Denmark ApS include e.g. sale and dissemination of advertisements and advertising space on the search service, which i.a. can be accessed via Home- since, to Danish customers. As the sale of advertising also contributes considerably to to make the information services provided by Google on the Website economical misc profitable, it is the opinion of the Danish Agency for Digitalisation that marketing activities terns carried out by Google Denmark ApS are inextricably linked with the location of cookies and similar technologies on Danish users' terminal equipment via the Website the 5th It is therefore the Danish Agency for Digitalisation's assessment that the location of cookies and similar new technologies on the end users' terminal equipment via the Website takes place as part of the activities that Google Denmark ApS carries out on behalf of the Danish market by Google LLC. 3.1.5. Conclusion in relation to the Digitization Agency's territorial competence It is the opinion of the Danish Digital Agency that: The website owner Google LLC is established in Denmark through Google Denmark ApS The placement of cookies and similar technologies on the end users' terminal equipment via the Website takes place as part of the activities of Google Denmark ApS performs on the Danish market on behalf of Google LLC. Based on the above, it is the Danish Agency for Digitalisation's assessment that the agency has territorial competence in the case. It must also be emphasized that the agency would also have territorial competence to enforce the cookie notice if the website was owned by Google Limited Ireland. As Google Limited Ireland is part of the Google Group, and constitutes the group's European headquarters, it is the board's assessment that Google Denmark ApS can also be considered to be an establishment of Google Limited Ire- country, and that the agency would therefore also have territorial competence in this situation in the case. 15C-645/19 (Facebook Ireland Limited and others v Gegevensbeschermingsautoriteit) recitals 92 to 95 Page 10 of 16 3.2. Obtaining valid consent on the Website The Danish Business Authority has stated in the consultation letter of 1 September 2022 that the website does not allow the user to provide a sufficiently granular consent. It appears from the text on the front of the cookie banner that by selecting "accept everyone" consents to Google using cookies to: "Develop and improve new services", “Deliver and measure the effectiveness of advertisements”, “Show customized content (depending on your settings)”, and “Show customized ads (depending on your settings)” The user is given the opportunity to divide (granulate) his consent under "More choices- options” on the second layer of the cookie banner. The end user was at the time of the the ring letter, however, only given the opportunity to divide (granulate) his consent on background of two overall objectives: "Search customization", and "Ad customization in Search" In its consultation response, Google has described that "The GDPR definition of consent in Article 4(11) requires that it be "specific" and "informed". The ePrivacy Directive/Executive Cookie Order likewise requires that users be provided with "clear and comprehensive information" prior tomakingtheirselection.However,GooglenotesthatneithertheGDPRortheExecutiveCookie Order mandate that a separate consent must be sought for each cookie. Indeed, Recital 32 of the GDPR clearly anticipates a single consent being obtained for multiple purposes, with the statement "Consent should cover all processing activities carried out for the same purpose or purposes" (our emphasis). In accordance with Recital 43 of the GDPR, a separate consent only needs to be given for different processing operations where “appropriate in the individual case”. We note that the Danish Business Authority Cookie Guidelines make no mention of requiring a separate consent for each cookie and/or purpose, provided information is given about each purpose”. At the outset, it should be noted that it is not the opinion of the Danish Agency for Digitalisation that there separate consent must necessarily be obtained for each individual cookie or similar technology. In its guidelines, the European Data Protection Board has consent to team to the data protection regulation commented on the interpretation of recital 43 and 32. From this it appears that "In consideration 43 it is explained that consent is not supposed to be given voluntarily, if the process/procedure for obtaining consent does not allow the registered mu- equality to give separate consent to various processing activities regarding personal data nings (e.g. for some of the treatment operations and not for others), even if appropriate Page 11 of 16 in the individual case. Recital 32 states that "Consent should cover all processing activities carried out for the same purpose or purposes. When treatment serves multiple purposes, it should be given consent to them all”. If the data controller has several processing purposes and has not attempted to obtain separate con- thick for every single purpose, freedom is out of control. This granularity is closely related to the requirement that consent must be specific, as mentioned in point 3.2 below. When personal data processes for several different purposes, the solution is to comply with the conditions for valid consent in granularity, i.e. separation of purposes and obtaining consent to each purpose.” It is therefore the opinion of the European Data Protection Board that if cookies and similar technologies are used for multiple purposes, a separate agreement must be obtained thick for each of these purposes. A consent will thus neither be considered to be voluntary or specific, if the end user, in connection with the provision of co- tykke has not had the opportunity to divide his consent according to the individual purposes. Considering the European Data Protection Board's interpretation of recital 32 and 43 to the data protection regulation, the Digital Agency cannot agree that separate consent must only be obtained when it is appropriate in the individual case coincidence. It is, on the other hand, the Danish Agency for Digitalisation's assessment that it must be obtained separate consent when cookies and similar technologies are used for several different purposes overall purpose, so that a consent can be considered to fulfill the requirement to be voluntarily and specifically. This applies regardless of whether it would be appropriate to collect the consent for different overall purposes in one overall consent. When consent is obtained for several different overall purposes, the end-use must therefore the opportunity is given to specifically opt-in or opt-out of consent to each single overall purpose. If, for example, several cookies or similar technologies are used for the same ordered purposes, it will be in accordance with the rules to pool these under one consent. Are cookies or similar technologies used for various over- orderly purposes, on the other hand, it will not live up to the rules to collect these in one consent. In relation to the location of the function that allows the end user to access or opt out of consent to the individual overall purposes (granularity), that is The Danish Agency for Digitalisation's assessment that it will be in accordance with the rules, that this function is placed in the cookie banner's second information layer, as long as the final the user is informed about this in the cookie banner's first information layer. Access to this function must also be clear and easily accessible. Page 12 of 16 It is based on the above assessment of the Danish Digital Agency that the four described purposes in the first layer of the cookie banner are not sufficiently similar to remain collected under two general objectives. The end user is thus not given an adequate freedom of choice between the various overall purposes, and the condition preferred voluntarily and specific consent is hereby not fulfilled. It is therefore the agency's assessment that the solution does not meet the consent requirement in section 3, subsection of the cookie executive order. 1, cf. § 2, No. 8. It should be noted that, since the time of the consultation letter, an dring in the formulation of the second granularity field, so that according to consent can choose from: Search customization Personalization of ads in Search However, it is still the agency's assessment that this does not meet the existing regulations described in the consultation letter. 3.3. Lack of access to withdrawal of consent In the consultation letter of 1 September 2022, the Danish Business Authority stated that the Website does not contain an immediately available access for the user to be able to return Withdraw your consent to cookies and similar technologies. In the consultation response of 6 October 2022, Google has described three different ways, upon which the user can withdraw his consent. Google has explained that the first layer of the cookie banner states that the Searchers can at any time access g.co/privacytools and from there - with one click - revisit the cookie banner, where the user can decide on his consent. Google has too explained that the second layer of the cookie banner contains a clear guide on how to geren sets cookies in Chrome and that the guide can be accessed via the 'cookies' link there appears at the top of the cookie banner's first and second layer. Google has also explained in the response to the consultation that the visitor can withdraw consent under 'settings' on Google's front page and 'your data in search'. Thus however, it requires more clicks than Google has described. Wants the user to withdraw his consent back - after deciding on consent in the cookie banner - required that at the time of the hearing, that the user clicked on the following: Settings on the front page of Google Your data in search Ad customization Manage your cookies Page 13 of 16 The Danish Agency for Digitization has noted that there have subsequently been changes to this solution, so it only requires three clicks in the solution as it looked per on September 19 2023. It now requires the user to click on the following: Settings on the front page of Google Your data in search Search customization and cookies The Danish Agency for Digitalisation acknowledges that access is thus given on the Website to, that the user can withdraw his consent. It is, however, the Digitalisation Agency's assessment that access to this is not immediately available to the user, as they ways in which consent can be withdrawn are not presented in a clear and useful kind way. In this way, the two first described functions do not meet the requirement that the right to withdraw consent must be immediate and continuous accessible to the visitor via a direct and clearly marked access on the home mesiden, cf. section 3, subsection of the cookie executive order 2, no. 4-5, including that it must be as easy to withdraw consent as to give it. It is also the agency's assessment that the third solution does not live up to it either the requirements in section 3, subsection of the cookie executive order. 2, No. 4-5. This is because the way to manage cookies (the titles of the displayed links) is not described on a sufficiently comprehensible way that the average user will be able to discern that it is through this, that his consent can be withdrawn. This has not changed with it updated solution, as the user still has to go through "Settings" on the front page of the Website as well as "Your data in search" before the user meets with it more comprehensible title "search customization and cookies". 3.4. Insufficient information about cookies and similar technologies The Danish Business Authority has stated in the consultation letter of 1 September 2022 that Google does not provides the user with adequate information about all cookies and similar technologies nologies which are used on the Website, cf. section 3, subsection of the cookie executive order. 1, cf. § 3 pieces. 2. The board has also stated in the same consultation letter that the information about this is not considered to be continuously available by a direct and clear marked access on the Website, as it is difficult for the user to find clears when the user has clicked away the cookie banner. These two lack re- are explained separately below. 3.4.1. Lack of adequate information about all cookies and similar technologies In the consultation response of 1 September 2022, Google has claimed that Google informs engages users in a meaningful and easy-to-read way so that users don't stay overwhelmed by technical details. Google explains that the information about the used cookies appear in these places: The cookie policy (https://policies.google.com/technologies/cookies?hl=en) Page 14 of 16 Cookie declaration (https://business.safety.google/adscookies/?hl=da) In their consultation response, Google has also contested that an exhaustive one must be given list of cookies and similar technologies. Google writes that "We do not, however, accept that a table or list format – or for that matter an individual description of the function of each cookie, where multiple cookies are used for the same purpose(s) – is mandated either by the GDPR, the ePrivacy Directive, or Danish law.” Furthermore, Google has, in relation to the English language cookie declaration stated that the user has the option in the cookie banner to choose the language yourself, and that the solution is basically presented in that language, to which the terminal equipment is set. Under 'cookies' on the website, Google has a cookie policy which describes Google's use of cookies in prose text. However, only examples are given individual cookies used on Google services. The cookie policy contains thus not an exhaustive description of the cookies and similar technologies used nologies. In the cookie policy, however, there is a link to a cookie declaration which contains information about all the cookies used, i.e. for functional, analytical and marketing property-related purposes, on a number of Google websites, including on Hjem- meside. This declaration is presented in English only. It is therefore the Danish Digital Agency's assessment that the user does not have access to one cookie declaration in a clear, precise and easy-to-understand language, cf. sens § 3, subsection 2, no. 1. Since the recipient group primarily speaks Danish, and that Hjemme- since it is otherwise designed in Danish, the website should present a Danish-language version cookie declaration. The Digitization Board notes that there are no form requirements for how the relevant information is presented to the user, but that the information must is presented in clear, precise and easy-to-understand language, cf. section of the cookie decree 3 pieces. 1, cf. § 3, subsection 2, no. 1. However, the information must, as a minimum, be adequately contain information about the provider of and the purpose of the reversed cookies, cf. § 3, subsection 2, no. 2-3. In addition, the agency considers that in order to in- the formation, cf. section 3, subsection 1, can be said to be adequate, shall information is also given on the expiry date of the technologies used and given information about these three conditions in relation to all of the cookies used. It is the Danish Agency for Digitalisation's assessment that fulfillment of the above requirements pre- states that the information is presented in a way and in a language so that the average the user understands what consent is given to, cf. section 3 of the cookie executive order, PCS. 1, cf. § 3, subsection 2. This has also been established by the EU Court of Justice in Planet49- case (C-673/17), where it follows from paragraph 74 of the judgment that "[…] the user [must be] able to determine without difficulty the consequences of any consent and to ensure that this consent is given with full knowledge of the consequences”. It is the agency's assessment that this alone Page 15 of 16 is fulfilled where the service provides the user with a comprehensive list of all used cookies and similar technologies. The user must receive the information during view to the language in which the website is presented, which on the Website is Danish. In this connection, the Danish Agency for Digitization must note that the cookie declaration the ration at https://business.safety.google/adscookies/?hl=da does not provide this option, as it is only displayed in the English language. The Danish Digital Agency thus assesses that Google's solution does not meet the vein in § 3, subsection of the Cookie Executive Order 1, cf. § 3, subsection 2, No. 1-3. It is because the information about the cookies used (purpose, provider and functional duration), cannot be considered to be adequate, as this information is only stated as examples, and as the adequate explanation is only given in English. 3.4.2. The required information is not continuously available in a direct and clear manner marked access on the Website The information about the use of cookies and similar technologies must be permanently available on the website through direct and clearly marked access, cf. section 3, subsection of the cookie executive order 1, cf. § 3, subsection 2, No. 5. The Digital Agency does not consider that this has been met on the Website, since it is difficult for the user to retrieve the information after the visitor has decided on consent in the cookie banner. At the time of the consultation letter, it required the following steps for the user to access Google's cookie policy (and thus the required information), after consent- the kebanner has disappeared: 1) That the user on the front page of the website clicks on "settings" 2) That the user clicks on "Your data in Search" 3) That the user clicks on "Ad customization" 4) That the user in the box entitled "Do you want to customize your ads in Google Search without logging in" click on "manage your cookies" 5) That the user clicks "privacy policy" at the bottom of the second layer of the cookie ban- downright 6) That the user clicks on "technologies" in the header 7) That the user in the left margin clicks on "how to use Google cookies" If the user wishes to access Google's cookie declaration, the user must then: 8) Click on "Cookie types and other technologies that Google uses" 9) Click on the link in "See more information about cookies used for advertising, here." under the section "Advertising" Page 16 of 16 This solution has since been changed in the agency's consultation letter, so it is in the solution per 19 September 2023 alone requires the following steps for the user to access these information: Privacy on the front page How Google uses cookies (the link is very far down, and under the heading "Other useful resources") "See more information about cookies used for advertising here" It is the Danish Agency for Digitalisation's assessment that the number of clicks – and the ratio that the real clicks are very difficult to identify – implies that the information that in the opinion of the Danish Digital Agency, is required by the cookie executive order § 3 pieces. 1, are not accessible to the user via a clearly marked access on The website, why the solution does not meet the requirements of the cookie notice sens § 3, subsection 1, cf. § 3, subsection 2, no. 5. The Digital Agency recognizes that now requires fewer clicks for the user to access the information. However, it is still the board's responsibility assessment that the deficiencies have not been resolved with the adjusted solution, as the above three "clicks" are still difficult to identify because the text is not sufficiently comprehensible available to the end users, and that the second link is hidden far down in the text. 3.5 Complaints guidelines This decision can be appealed to the Teleklagenævnet, Toldboden 2, 8800 Viborg, tel.: 72 40 56 00, e-mail: tkn@naevneneshus.dk. A possible complaint must be received by the Telecomplaints Board no later than four weeks after that The Digital Agency has made this decision. Attention is drawn that pursuant to § 3, subsection 2, in executive order no. 838 of 21 April 2011 re The Telecom Complaints Board's company does not have to pay a fee for handling complaints this type in the Telecommunications Complaints Board. A possible complaint must be submitted via Digitalise- Ringingstyrelsen at digst@digst.dk, or the Digitalization Agency, Landgreven 4, Post- box 2193, 1017 København K. It can be stated for information that if Digi- If the Danish Agency for talization maintains the decision, the Agency will forward it as soon as possible and as a starting point within 7 working days after receiving the complaint the case and its documents to the Telecommunications Complaints Board, cf. Section 37 of the Public Information Act. With best regards Allan Villadsen Chief consultant, cand. jur. T +45 21604635 Email allvil@digst.dk