European Data Protection Agencies increase focus on cookie solutions and the use of Google Analytics

The Danish Data Protection Agency and other European data protection agencies currently have a strong focus on whether companies’ cookie solutions comply with the rules in the GDPR. This includes, for example, solutions within Google Analytics and IAB’s standard solution for cookies and advertisements, the Transparency and Consent Framework (TCF), where there are many indications that Danish companies may have to prepare for alternative solutions.

Cookie solutions do not comply with the GDPR

Companies today use cookies to measure campaigns and activities, target ads, create statistics and much more. Many companies benefit greatly from the personal information collected via cookies, and other companies from selling the information to third parties who can use it for, among other things, marketing and statistics. The collection of personal data via cookies is currently receiving a great deal of attention from the Data Protection Agency in Denmark and in other EU member states, where it has been decided that cookie and consent solutions, which have otherwise been recognized as standard frameworks in Europe, do not meet the requirements of the GDPR.

European decisions about Google Analytics and TCF will also have an impact in Denmark

The Austrian Data Protection Agency has recently ruled that companies’ use of Google Analytics does not comply with the GDPR rules for third country transfers. The decision from the Austrian Data Protection Agency, which, among other things, refers to the ruling of the European Court of Justice in the Schrems II case, is justified by the fact that Google does not provide a sufficient degree of additional measures to ensure that personal data is processed with a level of protection that is essentially equivalent to the level of protection in the EU. Therefore, according to the Austrian Data Protection Agency, the use of Google Analytics cannot be considered legal in countries covered by the GDPR rules.

In addition, two new decisions from the Belgian and Dutch Data Protection Agencies could have far-reaching consequences for companies’ future use of the so-called TCF framework developed by IAB Europe, which is an industry association for digital advertising companies in Europe. The TCF framework is used, among other things, for the collection and transmission of consents for advertising, including consents for the use of cookies and sharing of data with third parties.

According to the Belgian decision, the use of the TCF framework entails a number of breaches of the GDPR, including the solution not complying with the basic principles of processing personal data, legal basis, duty to provide information and processing security. The Dutch and French Data Protection Agencies support the Belgian decision and, in this connection, have recommended that all companies should stop using the TCF solution immediately.

The Danish Data Protection Agency calls for the use of an alternative solution

Following the Belgian Data Protection Agency’s decision, the Danish Data Protection Agency has published a statement in which it encourages companies to clarify whether the company’s website or advertising platform uses the TCF framework. If this is the case, the Danish Data Protection Agency encourages the company, together with its advertising suppliers, to switch to a solution that complies with the Data Protection Regulation.

In this connection, the Danish Data Protection Agency emphasizes that, as data controller, you will be responsible for ensuring that the company’s website is set up in accordance with GDPR, including in relation to the use of cookies, collection of consents, etc. even if you use consent solutions developed by an external supplier.

The Danish Data Protection Agency declares DBA’s consent solution for cookies invalid

In line with the increased supervision, the Danish Data Protection Agency has recently expressed serious criticism of DBA’s consent solution for cookies on their website, which according to the Danish Data Protection Agency does not live up to the data protection law rules. This is happening in connection with the introduction of new guidelines in this area in February. The decision is based on the fact that DBA, among other things:

  • Processed personal information via cookies for several purposes, and that it was not possible for users to click “ok” for various purposes.
  • Did not inform users through the consent solution that their personal information was passed on to third parties for marketing purposes.
  • Did not indicate clearly in the consent text in the pop-up window on what legal basis the personal data was processed.
  • Had not stated via the consent solution how users could revoke their consent.

The Danish Data Protection Agency regularly handles complaints about the processing of personal data on websites, but also handles cases such as the DBA case.

Lund Elmer Sandager’s comment

The decisions from the Belgian and Dutch Data Protection Agencies will most likely have consequences for Danish companies’ future use of Google Analytics and the TCF solution for collecting consents. It is therefore important to investigate whether your company uses these solutions and, if so, to consider alternatives.

In 2022, the Danish Data Protection Agency will actively monitor, among other things, observance of the duty to provide information in connection with unsolicited inquiries and processing of personal data about website visitors. This includes, among other things, processing of personal data via cookies and by banner advertising.

We therefore encourage companies to check whether their existing personal data and cookie policies meet the disclosure requirements of the GDPR, including the processing of personal data for use in marketing and advertising via cookies.

If you have questions about the two new decisions or need advice on a solution for your company that meets the requirements of the GDPR, please do not hesitate to contact our specialists in IT law and GDPR: Partner, Attorney Torsten Hylleberg, Attorney Anders Linde Reislev or Attorney Emilie Ipsen.