Alstrøm - Din Isenkræmmer ApS’s Investigation by Danish Data Protection Authority

The Danish Data Protection Authority issued a ruling against a company which was found to have placed cookies on their website without obtaining valid consent from data subjects. The pop-up cookie banner on the website was designed in a way that made it more difficult for users to reject the use of cookies than to accept them. The company was found to have failed to obtain valid consent from users for the placement of cookies on their devices.

The Danish DPA investigated a complaint filed by a data subject regarding the controller's use of cookies on their website. The controller relied on consent as a legal basis, but the way they obtained consent violated legal regulations and utilised deceptive patterns of forced action and false hierarchy. The controller's initial consent request was through a pop-up box that only offered the option to “Close” or “Read more about cookies,” with no opt-out solution. This method did not provide data subjects with the option to consent to specific processing purposes, rendering it invalid under Article 6(1)(a) GDPR. In response to the investigation, the controller introduced a new method of requesting consent that included more information about processing and an opt-out solution. However, the DPA found that the design of the cookie banner nudged data subjects towards clicking “ACCEPT ALL” rather than “Accept,” making it easier to consent to cookie use than to reject it. Furthermore, the controller began cookie tracking before obtaining the data subject's consent, which the DPA criticised. Overall, the controller's use of deceptive patterns and failure to follow legal regulations regarding consent and opt-out solutions violated legal guidelines.

The DPA expressed severe criticism about the processing activities based on this cookie banner. Although there was no fine, the company had to implement a new consent solution.

Alstrøm - Din Isenkræmmer ApS and Danish Data Protection Authority