The current cookie rules
Under current cookie rules, you must obtain consent before you can collect statistics about visitors to your website. Rules that have raised concerns among many Danish businesses because a large number of visitors say no to cookies, and businesses lose important and valuable data about visitors.
The problem is not lessened by the fact that authorities in other countries interpret the cookie rules more leniently, and many companies do not follow the rules, thus gaining a competitive advantage. But now there is good news from the Danish Business Authority.
What does the Danish Business Authority say?
Danish Business Authority states in a press release on 15 October 2021that they will not prioritise the monitoring of websites' collection of simple statistics in the future. The press release states, among other things:
The current negotiations on a new ePrivacy Regulation envisage exempting simple statistical cookies for traffic measurement from the consent requirement. [...] The Danish Business Authority has therefore decided not to prioritise the supervision of statistical cookies in the case of cookies and similar technologies that collect statistics for the website owner's own use, e.g. in the form of traffic measurement, that do not build a user profile of the visitor or where data is passed on to a third party.
The current negotiations referred to by the Danish Business Authority are based, inter alia, on a note from an EU working group, which was tasked in 2012 with making recommendations for a review of the EU ePrivacy Directives. The recommendations include the following on statistical cookies:
However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.
The new ePrivacy Regulation was originally due to enter into force on 25 May 2018 at the same time as the GDPR, but it has not yet been adopted. This is partly because member states have been unable to agree on the rules, and of course COVID-19 has taken some of the political focus away from a wide range of areas.
I and written answer to the journal Journalisten Erhvervsstyrelsen elaborates that:
Danish media and website owners in Denmark in general are still subject to the rules of the Cookie Order and GDPR. However, in a supervisory case, the Danish Business Authority will not deal with simple statistics cookies, and this could have an impact on how Danish media and other website owners can conduct traffic measurements.
In other words, it is still a legal requirement to obtain consent before using statistical cookies. But the statement from the Danish Business Authority can hardly be interpreted in any other way than that they are now turning a blind eye and tacitly allowing the collection of statistics without consent - as long as a number of conditions (see below) are met.
As a public authority, the Danish Business Authority cannot of course directly state that Danish companies do not have to comply with parts of the Cookie Order. The statement that they "will not prioritise supervision" is probably the closest statement they can make.
Collection of statistics without consent
The changed practice from the Danish Business Authority does not apply to all statistics cookies, but only simple statistics cookies for your own use. The relief also requires that you does not build a user profile of the visitorand that you does not disclose data to a third party. Of course, it is also a requirement that you comply with the applicable GDPR legislation.
The statement from the Danish Business Authority is brief and leaves much to interpretation. Here is our interpretation of the situation if you want to collect visitor statistics without consent:
You must comply with GDPR legislation
The GDPR deals with the processing of personal data (i.e. any information about an identified person) by companies. Collecting statistics without consent implies that you are not collecting personal data. In statistical contexts, this typically involves:
- IP addresses
- Personal data in URLs
If you use Google Analytics 4, IP addresses are automatically anonymised. If you are using an older version of Google Analytics, you will need to enable IP anonymisation yourself (see guide) - this rarely has major data implications, other than complicating the geographical location of visitors at city level.
For example, personal data in URLs may occur if you allow your visitors to create an account and the username is included in the URL (e.g. website.dk/account/username). It can also occur if you use personal data, such as email addresses, as parameters in your URLs for campaigns.
You may only use simple statistics cookies
The Danish Business Authority writes that the relaxation only applies to "simple statistics cookies" without further explanation. A search for "simple statistics cookies" on Google yields only three results, all three of which are quotes from the Danish Business Authority's press release.
Our assessment is that common cookies from common statistical systems such as Google Analytics and Adobe Analytics fall under the category of "simple statistical cookies". Examples of statistical systems that are unlikely to fall into this category are:
- Hotjar - visualises your users' movements and actions on your website.
- Facebook Pixel - enables audience building on Facebook and beyond.
- LinkedIn Insights - enables audience building on LinkedIn and beyond.
- Leadfeeder - shows which specific companies are visiting your website.
The above is of course only speculation, and we cannot know for sure what the Danish Business Authority means by the term "simple static cookies".
You must not disclose data to third parties
Collection of statistics without consent requires that you do not disclose data to third parties. You may use a third-party tool such as Google Analytics to collect the data, but as a data controller you may not pass the data to Google.
You can prevent data sharing to Google by changing your data sharing settings in Google Analytics (see guideThe settings allow you to exclude Google from accessing the data, for example for technical support purposes.
You should also avoid linking Google Analytics with Google's marketing tools, such as Google Ads. This will ensure that all statistical data can only be accessed via your Google Analytics account.
You must not build up user profiles of visitors
Collection of statistics without consent requires that you do not build user profiles of visitors. When the Danish Business Authority talks about "building user profiles", they probably mean tracking, which provides information on gender, age group and interests. In other words, a type of data typically used for marketing purposes.
Google Analytics allows tracking of demographics and interests. This type of tracking collects information about your visitors' age and gender, as well as the interests they express in their online travel and purchasing activities. You can turn off this tracking - if you have previously turned it on manually - through your account settings (see guide).
So what now?
Like the Danish Business Authority, we cannot of course directly encourage you to break the rules in the Cookie Order. But if you comply with the conditions mentioned in the previous section, the risk of collecting statistics without consent - and thus breaking the rules - is minimised or perhaps non-existent.
If we take the Danish Business Authority's word at face value - that in a "supervisory case they [will] not deal with simple statistics cookies" - there will be no negative consequences to breaking the rules. The only consequence will be positive: that you will have access to more accurate data, and that you can now better use the data in Google Analytics as an accurate basis for decision-making when evaluating your digital presence and the impact of your digital marketing efforts.
But in time, the statement from the Danish Business Authority will probably be elaborated and made more concrete, so that we all become a little bit clearer about what they actually mean. And one day - when the EU Commission has reached an agreement - there will be a new and better ePrivacy law from the EU.
Update on 30 October 2021
The Danish Business Authority has in a new press release clarified their earlier announcement. In the press release they write, among other things, that:
Statistical cookies, for example offered by free analytics tools, where these third parties also have access to use the collected data will continue to be a priority for the Board's oversight. The rules of the Data Protection Regulation and the Data Protection Act thus continue to apply to the extent that personal data of website visitors are collected and processed.
The new statement does not bring anything new to the table, but simply emphasises that you must comply with the conditions mentioned earlier in this post if you want to collect statistics without consent.
