Technology

Missing cookie consent resulted in serious criticism

Legal news
23 February 2023
Denmark

A financial institution had a consent solution on its website for cookies. However, the company responsible for the website placed its own and third-party cookies before obtaining consent. Besides missing consent, the consent solution did not comply with the data protection rules. That triggered serious criticism from the Danish Data Protection Agency.

When a user visited a financial institution's website, a cookie consent solution popped up. It allowed the user to choose between the following:

  • Absolutely necessary
  • Accept all
  • Reject all
  • Show details

"Absolutely necessary" was already pre-ticked. Therefore, cookies were placed before the user even gave consent. The user complained to the Danish Data Protection Agency, which considered that the company responsible for the website had breached the data protection rules.

According to the Danish Data Protection Agency, it was contrary to the data protection rules to begin the processing activities before consent was obtained. Also, the cookie consent solution did not comply with the statutory requirements: the consent was not sufficiently informed, and it was unclear whether the user could withdraw it at any time. We have previously written about unlawful consent solutions here.

The decision from the Danish Data Protection Agency is closely linked with the new guidance it issued on how companies should be able to demonstrate that consent has been obtained lawfully.

How do documentation requirements and data minimization work together?

One of the conditions for obtaining lawful consent is that companies can document that consent has been obtained in accordance with the requirements. Companies must meet this requirement while also complying with the rules on data minimization and storage limitation. That can be a difficult balance.

With its new guidance, the Danish Data Protection Agency clarifies that companies only need to be able to document the consent while the processing activities are ongoing. When the processing activities stop, companies must delete the documentation of the individual consent and the data processed based on it. An example could be where consent is withdrawn, and processing activities stop.

However, if companies continue the processing activities without consent, for example by referring to it being necessary to establish, exercise or defend a legal claim, the information can be retained. In that scenario, companies must establish a retention period. The retention period must be based on an individual assessment and can, for example, be based on operational experience. Defining a long retention period just for the sake of it, or keeping the information to defend a purely hypothetical legal claim, would as a main rule result in unlawful retention.

IUNO's opinion

The decision and guidance show how important it is for companies to have the right lawful basis and retention periods, especially when processing occurs based on consent. Moreover, when using consent as the lawful basis, companies must fully understand all the requirements that must be satisfied to obtain lawful consent, all while also ensuring compliance with the other data protection rules.

IUNO recommends that companies regularly review consent solutions and internal retention policies. Decisions from the Danish Data Protection Agency may lead to adjustments or material changes, as it is clarified on a case-by-case basis how to approach the rules in practice. The decisions on nudging here and "No thank you-lists" here are good examples.

[The Danish Data Protection Agency's decision of 23 December 2022 in case 2021-31-5283]

Authors: Anders Etgen Reitz, Partner; Kirsten Astrup, Managing associate (on leave)