The Danish Data Protection Agency has on 11 February 2020 issued a decision regarding the legal basis for use of personal data collected by third party cookies on the website of the Danish weather forecast service DMI.dk. The Danish Data Protection Agency states in its decision that DMI and Google are joint data controllers in respect of cookies placed by Google on DMI’s website used for banner ads. The Agency further states that the collected consent from the users of DMI’s website to collect their personal data from cookies is not in compliance with the GDPR.
The key items of the decision of the Danish Data Protection Agency are:
- Websites become joint “controllers” when they use Google ad-services: By integrating banner ads on DMI’s website, DMI has a decisive role on which personal data is being collected and transmitted about the visitors of the web site to Google. The Danish Data Protection Agency thus assess that DMI and Google collectively decides the means used to collect and transmit the personal data about the website users and thus are joint data controllers. It is not decisive for the responsibility as data controller that DMI does not have access to the personal data which Google’s cookies collect.
- DMI’s liability is limited to the collection and transmission of data: The Danish Data Protection Agency clarified in its decision that the liability of DMI is limited to the operation or set of operations involving the processing of personal data in respect of which it is a joint controller. Thus, DMI is not responsible for the third parties’ (in this case Google’s) use and processing of personal data subsequent to the transmission. This is in line with the ECJ Fashion ID ruling on the use of Facebook plug-ins.
- Consent required for all data controllers: The Danish Data Protection Agency clarifies that consent must be provided not only to the joint data controller that will be involved later, in this case Google, but must be provided to all the data controllers. The Danish Data Protection Agency emphasizes that the consent must be provided before the actual collection of personal data takes place and thus in this case DMI must collect the consent because the collection of personal data takes place when the user enters DMI’s website.
- Legal basis when collecting and transmitting data to Google: The Danish Data Protection Agency assess that DMI must use consent as the legal basis to process the personal data about its users of the website. As DMI is a public company, DMI cannot use the legitimate interest assessment in GDPR Article 6(1)(f). However, we assess that also private entities must rely on consent when collecting and transmitting data for the purpose of ad-services.
- Granularity and informed consent: The Danish Data Protection Agency once again makes it clear that consent must be obtained for each purpose when multiple purposes exist. The Agency also clarifies that the option to provide a granular consent cannot be “one-click-away” under a “details”-button in the cookie banner on the website. The Agency further states that the information to the website users must be provided in a declaration that is easy to understand, easy to access and that in a clear and plain language explains which data controllers the personal data will be provided to. It is not enough to state the name of the data controller’s products using the personal data but the actual name of the data controller’s organization must be easily available to the user.
- It must be as easy to say no as it is to say yes. On DMI’s website, the user was presented with the option to choose “ok” to cookies or “more details”. The option to say no to cookies was hidden under the “details” button which led you to an “update consent” option. According to the Danish Data Protection Agency it is not compliant to use such “one-click-away” approach as it must be as easy to say no as it is to say yes.
The decision makes it clear that most companies using banner ads must update its cookie consents to obtain a more clear and granular consent to the collection and transmission of personal data to its ad-service providers such as Google.
Based on the decision described in this newsletter, the Danish Data Protection Agency has today published a guidance on processing of personal data about website users. The guidance can be found here: (In Danish)
The decision can be found here: (In Danish)