Danish DPA zooms in on cookie consent banner design and peeks into the ePrivacy & GDPR relationship
Ad-tech, cookies and joint controllership: three topics the privacy world has gradually been getting to grips with, especially in recent years. Starting with the Facebook Fan Page case and moving on to the Fashion ID and Planet49 cases (insightfully summarized here), the CJEU has created a body of case-law which many privacy professionals refer to when advising on what 'compliant' advertising solutions should look and feel like.
At the same time, there was some disappointment in the community as these decisions (naturally!) did not offer the answers to all the practical questions (what arrangements should be put in place between website publishers and cookie providers to ensure the legitimacy of the data exchange?) and more overarching conceptual dilemmas (what is the relationship between Article 6 of the GDPR and ePrivacy consent requirement in the context of cookie-enabled data collection?).
Last week, the Danish supervisory authority (Datatilsynet) provided some answers to these fundamental questions, while at the same time giving very practical, hands-on pointers on "the most common pitfalls to avoid" when developing and implementing cookie consent banners. The below summarizes the decision of the authority, which is also available here in Danish.*
Background of the case
The case originated from a complaint lodged before the Datatilsynet by a visitor to the dmi.dk website, which is owned and managed by the Danish Meteorological Institute (DMI), a public authority under the Danish Ministry of Climate, Energy and Utilities.
The complainant, who (based on the contents of the complaint as summarized in the decision) appeared to be very well-versed in the workings of the ad-tech industry, argued that the DMI collected users' personal data and, by using cookies, shared it with Google ad services (e.g., Google Ad Exchange) in order to sell advertising space and, as a result, allowed third parties to target the website users with personalized ads. Such a practice, according to the complainant, did not meet the transparency and lawfulness requirements of the GDPR, due to the set-up of the cookie consent solution used on the website. The complainant also challenged the advertising practice more generally, since it was possible for the DMI to display ads without personalizing their contents.
During the investigation, it was established that the DMI, as a publisher, has been monetizing its website since 2004, and even used this revenue stream to fund a part of its activities. Also, in the course of the investigation, the DMI essentially acknowledged its flawed practices and committed to aligning the cookie consent solution with the legal requirements and the Datatilsynet’s guidance.
The interesting part of the case is, however, not the outcome, but the process. More precisely, the four significant challenges the Danish authority had to face in order to resolve the complaint. And although the authority's analysis of each of those challenges is relatively concise, the importance of the findings should not be underestimated, as they have considerable practical implications for publishers, advertisers and even cookie consent solution providers.
Challenge #1. Competence dilemma
Notably, the first problem the Datatilsynet had to address head on was whether it was competent to handle the complaint at all. This is because supervision of the ePrivacy rules (including the executive "Cookie Order"), as lex specialis, generally falls within the purview of the Danish Business Authority (Erhvervsstyrelsen), which naturally creates tensions in enforcement.
In this context, the Datatilsynet reviewed Google's documentation and found that the DMI discloses to Google the visitor's IP information, website information, the visitor's access requests, and information "about online identifiers contained in the cookies". In the Datatilsynet's opinion, these operations amount to personal data processing, as they are aimed at analyzing individual characteristics and behaviour in order to show visitors personalized ads; hence the authority is competent to investigate the complaint under the GDPR.
Challenge #2. (Joint) controllership test
Building on the CJEU decisions in the Wirtschaftsakademie and Fashion ID cases, the Datatilsynet moved on to find that the website operator (DMI) and Google should be considered joint controllers, but only for the collection and disclosure of website visitors' personal data. The authority essentially reiterated the CJEU's argument that a website operator does not need to have access to the personal data in order to determine the means and purposes of its processing and, to that extent, assume the role of data controller.
- With respect to the "means" element of the joint controllership definition, it was established that the DMI "significantly influenced" the collection and transmission of personal data to Google, as such processing would not have occurred without the advertising banners being embedded on the website. This essentially follows the "decisive influence" test articulated by the CJEU in the Fashion ID case.
- When it comes to the “purposes” element, the authority considered that both the DMI and Google shared similar commercial interests which came down to generating revenue from advertising. While Google’s interest in this is self-explanatory, the website operator’s financial interest, in this case, was perhaps even more apparent than in Fashion ID case. As it has been mentioned above, DMI has been monetizing the website for the last 16 years and even funded a part of its activities from the profits.
Finally, the authority explained that although the DMI and Google assumed joint controllership for the collection and disclosure of visitors' personal data, any subsequent processing of that personal data by Google, including profiling, was undertaken independently, without the DMI's influence. As such, the DMI was not considered a data controller for those other processing operations.
Challenge #3. ePrivacy and/or GDPR and the lawful basis quest
To the extent of its responsibility as a joint controller, the DMI had to ensure the lawfulness of data collection and disclosure. According to the Datatilsynet:
“(W)here the processing of personal data of the website visitors is triggered by visits to dmi.dk, it is a responsibility of DMI and not of Google to identify a lawful basis for data processing”.
It is noteworthy that in this case the Datatilsynet did not immediately conclude that consent was the only acceptable lawful basis for the data processing merely because the ePrivacy rules require consent before non-essential cookies are placed on the user's terminal equipment. The authority first considered whether other lawful bases, namely legitimate interests (Article 6(1)(f) of the GDPR) or public interest/official authority (Article 6(1)(e) of the GDPR), could apply in the present case. It is no surprise that the Datatilsynet concluded that legitimate interests cannot be invoked by the DMI as a public authority performing its tasks, while the public interest ground was not applicable since such processing was not necessary: as a matter of fact, the DMI could achieve its goals with less intrusive means, i.e. by continuing to display non-personalized banners, which would eliminate the need to process visitors' personal data.
Ultimately, the Datatilsynet concluded that consent was the most appropriate lawful basis for this type of processing. Although the authority did not explicitly differentiate between essential and non-essential cookies, from the nature of the complaint and the context of the case it can be concluded that the Datatilsynet’s reasoning applies to non-essential cookies.
One may also deduce that if the circumstances of the case were different and the website operator were a private entity, the Datatilsynet could have potentially engaged in a more detailed assessment of the applicability of "legitimate interests" as a ground for data processing. However, given the reasoning on Article 6(1)(e) of the GDPR (the processing was not necessary because non-personalized ads would serve the same goal), it is unlikely that the conclusion would have been materially different.
Challenge #4. "One-click-away" problem
The DMI employed a "Cookie Information" consent solution, which the Datatilsynet analyzed in its decision. When accessing the DMI's website, the user was offered the possibility to click "OK", thereby consenting to cookies being set for both statistical and marketing purposes, or to click "Show details" (the current version on the website and in the screenshot reads "Cookie settings") and provide granular consent to each of the purposes.
The authority deemed that such a set-up did not meet consent transparency and granularity requirements as:
"The 'Show details' option was located 'one click away' and thus it was impossible (to provide granular consent) upon the initial interaction with the consent solution".
The Datatilsynet also criticized the “nudging” effect of the consent solution:
"Similarly, in the opinion of the Data Authority, it is not in accordance with the principle of transparency that the possibility of refraining from giving consent to the processing of personal data in the DMI's solution does not have the same communication effect - that is, it does not appear as clear - as the possibility to give consent, thereby pushing the data subject indirectly towards giving consent for the processing of personal data."
Importantly, the authority was very specific about the way in which “informed consent” should be secured. It emphasized that the data subjects should be at least made aware of the identity of the data controller and the purposes of the processing, and this information should be provided to them in a simple and easily understandable form. With respect to the latter, the authority criticized the consent solution on the following grounds:
“The category “Marketing” also states that cookies are supplied by the provider DoubleClick (…) there is no sufficiently clear information about the (joint) data controllers, including Google (…). (T)he identity of the data controller must appear (in the consent solution) and not of the service provider’s websites, nicknames or product names used by the data controller as it is not easily understandable and easily accessible to a data subject”.
The Danish regulator seems to go a step further than the CJEU in assessing the transparency of consent notices and, without naming it explicitly, the "fair design" requirements for consent solutions. It is interesting that in this context the Datatilsynet made no explicit reference to the Planet49 case; even more so since, when setting out the minimum requirements for informed consent, it did not include mandatory disclosure of retention periods, which the CJEU established as a requirement in Planet49.
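The three design points above (granular choices on the first layer, a refusal option with the same prominence as acceptance, and naming the controller rather than a product) translate directly into checks a developer can run over a banner configuration, and into a gate that keeps third-party tags from loading before a recorded consent exists. The following JavaScript is an added example written for this page; it is not the text of the decision and not code from the DMI or from any consent-management vendor. The purpose names, the `style` field used as a proxy for visual prominence, the vendor and controller names and the example.invalid script URLs are all assumptions made here for illustration.

```javascript
// Added example, not code from the decision, the DMI or a consent vendor.
// (1) lintBanner() flags the pitfalls the Datatilsynet criticized;
// (2) recordConsent() / scriptsToLoad() gate third-party tags on explicit,
//     purpose-level consent. Names and URLs below are illustrative placeholders.

const NON_ESSENTIAL = ["statistics", "marketing"]; // purposes that require opt-in

// Constructed configuration that reproduces the criticized set-up:
// a single prominent "OK", a weaker refusal, no per-purpose choice on the
// first layer, and a marketing vendor identified only by a product name.
const exampleConfig = {
  firstLayer: [
    { id: "accept-all", label: "OK", style: "button-primary" },
    { id: "reject-all", label: "Reject", style: "button-secondary" }, // less prominent
  ],
  vendors: {
    marketing: [{ product: "DoubleClick", controller: "", script: "https://example.invalid/ads.js" }],
    statistics: [{ product: "Site Stats", controller: "Example Stats Ltd", script: "https://example.invalid/stats.js" }],
  },
};

// Returns a list of findings; an empty list means the configuration passes.
function lintBanner(config) {
  const findings = [];
  const byId = Object.fromEntries(config.firstLayer.map((c) => [c.id, c]));

  // 1. "One click away": every non-essential purpose must be selectable on the first layer.
  for (const purpose of NON_ESSENTIAL) {
    if (!byId[purpose]) findings.push(`first layer lacks a granular choice for "${purpose}"`);
  }
  // 2. Nudging: refusing must have the same communication effect as accepting.
  if (!byId["reject-all"]) {
    findings.push('first layer lacks a "reject-all" choice');
  } else if (byId["accept-all"] && byId["accept-all"].style !== byId["reject-all"].style) {
    findings.push('"reject-all" is styled less prominently than "accept-all"');
  }
  // 3. Transparency: name the (joint) controller, not just a product or brand name.
  for (const [purpose, entries] of Object.entries(config.vendors)) {
    for (const e of entries) {
      if (!e.controller || e.controller === e.product) {
        findings.push(`${purpose}: "${e.product}" does not identify a data controller`);
      }
    }
  }
  return findings;
}

// A first layer built this way passes checks 1 and 2 by construction:
// one style for every choice, and a toggle per non-essential purpose.
function compliantFirstLayer() {
  const style = "button-primary";
  return [
    { id: "accept-all", label: "Accept all", style },
    { id: "reject-all", label: "Reject all", style },
    ...NON_ESSENTIAL.map((p) => ({ id: p, label: `Allow ${p}`, style })),
  ];
}

// Stores what the visitor explicitly selected. Everything starts as refused;
// a missing record means "not yet answered", never "consented".
function recordConsent(selectedIds, now = Date.now()) {
  const granted = Object.fromEntries(NON_ESSENTIAL.map((p) => [p, false]));
  for (const id of selectedIds) {
    if (id === "accept-all") NON_ESSENTIAL.forEach((p) => (granted[p] = true));
    else if (NON_ESSENTIAL.includes(id)) granted[id] = true;
    else if (id !== "reject-all") throw new Error(`unknown choice: ${id}`);
  }
  return { timestamp: now, granted };
}

// Which third-party scripts may be injected for this visitor. Called before any
// tag is added to the page; with no record it returns nothing, so no
// non-essential cookie is set before consent.
function scriptsToLoad(config, record) {
  if (!record) return [];
  return Object.entries(config.vendors)
    .filter(([purpose]) => record.granted[purpose] === true)
    .flatMap(([, entries]) => entries.map((e) => e.script));
}
```

In practice the lint runs in CI whenever the banner configuration changes, and the tag loader in the page calls `scriptsToLoad()` only after the consent record has been read back (from a first-party cookie or server-side store), so that the ad and analytics scripts are never part of the initial page load. The controller finding cannot be auto-fixed by code: the operator has to supply the legal identity behind the product name.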
No grace period
The authority's decision did not result in a proposal for a fine (the Datatilsynet does not have the authority to impose fines; that is a prerogative of the national courts), but rather in "serious criticism" of the DMI's practices. Also, the decision does not include any specific instructions (e.g. to delete the personal data collected in violation of the GDPR consent rules), although such an obligation may be implied from the decision as a whole.
On the back of the decision, the authority issued extensive new guidance on the processing of website visitors' personal data (available here in Danish). The Datatilsynet acknowledged that although "the rules are not new per se", the authority's specific position on this matter could be considered a novelty and will therefore be taken into account when preparing the upcoming plan of ex officio investigations. At the same time, the investigation of specific complaints may lead to a finding of a violation under the semi-new rules, which effectively means that entities are not getting a real 'grace period' in this area.
*I have analyzed the unofficial English translation of the decision which was made available to me by a combination of the online translation tools and a “human intervention” of my knowledgeable Danish friends. If anything was lost in translation, it’s on me.
**DoubleClick is currently owned by Google.
Aspiring Data Protection Privacy Officer | Former Teacher and Head of ICT | Aspiring DPO - CIPP/E - CIPM - GDPR (8 months ago):
Natalija Bitiukova 🚀💥 Exploring the intersection of ad-tech, cookies, and joint controllership in the privacy world - fascinating read! It's crucial for privacy professionals to stay informed and navigate the evolving landscape of data privacy laws and practices. Great read. Thanks. #DataPrivacy #AdTech #Cookies Let's connect. Afshan Karim, Aspiring CIPP/E, CIPM, DPO 🤝
Test Data Architect (4 years ago):
Clearly written. I'm curious to find out the consequences for similar cases in the future, and whether this will truly result in change for the cookie consent forms found.
Privacy professional / senior lecturer / author Dalloz #GDPR (4 years ago):
Thank you for sharing. It's very interesting to see the "fair design" principle used by the Danish DPA. The French one, the CNIL, has also been very active on this topic by providing tools to designers.
Many Roles - Few Titles - Holistic view when helping teams (4 years ago):
Thank you for sharing 🙏