DMI – Reprimand (Denmark, 2020)
DMI was reprimanded for using cookies on its website without getting proper consent from users. They had a confusing setup that made it harder for visitors to refuse cookies. This reprimand serves as a warning for companies to ensure clear consent practices.
What happened
DMI used cookies before obtaining consent and had no easy way for users to reject them.
Who was affected
Website visitors who encountered DMI's cookie consent setup.
What the authority found
The authority found that DMI violated GDPR rules by not providing a clear reject option for cookies.
Why this matters
This reprimand emphasizes the need for clear and user-friendly consent mechanisms for cookies. Companies should review their practices to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Datatilsynet examined a complaint regarding the processing of personal data on the website of the Danish Meteorological Institute (DMI), www.dmi.dk, with the purpose of displaying ads based on user behaviour. The ads were embedded as third-party plugins from Google's ad platform, which uses cookies for tracking users. First-time visitors to the site were prompted for consent to the use of cookies. However, cookies were used and personal data was processed even before the visitor had given consent.
When the complaint was filed on 29 August, 2018, consent was gathered via a non-intrusive banner at the bottom of the page containing only a short text about the use of cookies and an “OK” button. There was no way to refuse consent.
A few months later, while Datatilsynet was still processing the complaint, DMI launched a redesign of their website. New visitors were now prompted for consent in an overlay which blocked access to the site until the visitor had either given or refused consent. Visitors could click “OK” to give consent. To refuse consent, the visitor had to click “Show details” to reveal several pre-checked checkboxes representing different processing purposes, uncheck these, and then press “Update consent”.
The question for Datatilsynet was whether DMI had a legal basis for processing the personal data. Datatilsynet considered both the old and the new way of gathering consent (before and after the redesign of www.dmi.dk).
Datatilsynet found that DMI and Google were joint controllers, but that DMI was responsible for gathering consent. This should have been gathered before any processing took place. Datatilsynet found that consent was the appropriate basis for this processing. DMI is a public authority, so it could not rely on legitimate interest as a legal basis. Consent to processing and to the use of cookies was gathered through the same user interface. The consent, however, was not valid for the following reasons:
Outcome
Reprimand
A formal reprimand: the DPA found a violation and issued a formal censure.
Violations (5)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for DMI in DK
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. DMI - Denmark (2020). Retrieved from cookiefines.eu