Digitaliseringsstyrelsen - Decision against Meta of 30 October 2023
| Digitaliseringsstyrelsen - Decision against Meta of 30 October 2023 | |
|---|---|
 | |
| Court: | Digitaliseringsstyrelsen (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 4(11) GDPR ePrivacy Directive Article 2(8) Cookiebekendtgørelsens Article 3(1) Cookiebekendtgørelsens Article 3(2)(4) Cookiebekendtgørelsens |
| Decided: | 30.10.2023 |
| Published: | |
| Parties: | Meta Platforms Inc. |
| National Case Number/Name: | Decision against Meta of 30 October 2023 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Danish |
| Original Source: | Digitaliseringsstyrelsen (in Danish) |
| Initial Contributor: | co |
The Danish Agency for Digitalization ordered Meta to adapt its cookie banner and the information provided in its cookie policy so that they comply with the national law on cookies.
English Summary
Facts
The Danish Business Authority first sent a consultation letter requesting Meta to elaborate on the cookies it uses and on the cookie banner displayed on its website as it deemed that it did not provide sufficient information. Meta responded stating that it only uses technically necessary cookies for non-registered users, whereas a cookie banner requiring consent shows up for registered users.
In the consent banner for registered users, Meta grouped the categories "Our cookies on other apps and websites" and "Cookies from other entities" under a single consent. Also in the consent banner for unregistered users, it is not possible to give a granular consent for different purposes as the only options were "Allow only necessary cookies" or "Allow necessary and optional cookies". In 2022, Meta changed the banner for unregistered users adding a link to the cookie policy allowing to manage one’s consent, but still only one consent could be given for several purposes.
Further, the option to withdraw consent for non-registered users was presented in such a way, that users would have to click several times before finally withdrawing consent.
In its letter, the Danish Business Authority also pointed out that Meta did not provide sufficient information on cookies and similar technologies used on its website. Meta responded stating that this corresponded to the Guidelines of the Authority of 2013 which only required general information on the purposes of cookies to be provided. Meta adapted its cookie policy as of September 2023 adding a list of cookies and "The most common purposes of these cookies”.
The case was then transferred to the Danish Agency for Digitalization which is competent for dealing with cases relating to the application of the Cookiebekendtgørelsens (The cookie Law), the national implementation of the ePrivacy Directive.
Holding
Upon receiving a statement by Meta listing all the changes it adopted, the Agency concluded that the use of cookies on Meta’s website was still in violation of Article 3(1) of the Cookie Law and consent could not be deemed to be valid according to Article 2(8) of the Cookie Law and Article 4(11) GDPR.
First of all, Meta’s cookie banner did not allow its registered and unregistered users to give a granular consent, that is separate consents for different generic purposes, in violation of Article 2(8) of the Cookie Law and against the wording of Recital 43 GDPR and Recital 32 GDPR, as interpreted by the EDPB.
Secondly, a permanent and clear option to withdraw one’s consent to the use of cookies was not available. As a matter of fact, users would have to click three times before being able to withdraw their consent, which the Agency deemed to be in violation of Article 3(2)(4) of the Cookie Law.
Thirdly, Agency noted that with respect to the information to be provided, Meta wrongfully relied on the 2013 Guidelines by the Authority as a new set of guidelines was published in 2019. The latter requires that also detailed information about each cookie should be provided. Even after the adaptation of September 2023, the Agency found the current cookie policy to be in violation of Article 3(1) of the Cookie Law, as it only provided examples of the purposes.
The Agency thus ordered Meta to bring its webpage into compliance by 27 November 2023, so that:
- It is possible for users to grant granular consent
- A permanently available option to withdraw consent through a direct and clearly marked access is given on the website.
- Information about cookies and their purposes is continuously available on the website and this is provided in clear, precise and easily understandable language.
Comment
This is not a DPA decision, as the authority competent for dealing with cases relating to the application of the Cookiebekendtgørelsens, the national implementation of the ePrivacy Directive is the Danish Agency for Digitalization.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
File history Click on a date/time to view the file as it appeared at that time. Date/TimeDimensionsUserComment current15:51, 21 November 2023 (357 KB)Co (talk | contribs) You cannot overwrite this file.File usage There are no pages that use this file.
