How Denmark Regulates Cookies
Denmark applies two overlapping legal frameworks to cookie consent. The Cookiebekendtgorelsen (Executive Order no. 1148 of 09/12/2011) is the Danish implementation of the ePrivacy Directive, covering the technical act of storing or accessing information on a user's device. The GDPR then governs the processing of any personal data collected through those cookies.
This dual framework means two separate authorities share oversight. Digitaliseringsstyrelsen (the Danish Agency for Digital Government) supervises compliance with the Cookiebekendtgorelsen. Datatilsynet, the data protection authority, enforces the GDPR side.
For practical purposes, both sets of rules demand the same thing: informed, prior consent before non-essential cookies are placed.
What the Cookiebekendtgorelsen Requires
The Cookiebekendtgorelsen transposes Article 5(3) of the ePrivacy Directive into Danish law. It establishes two core obligations: information and consent.
Before setting any cookie or similar tracking technology, your site must tell visitors what data is being collected, why it is collected, and who receives it. Consent must then follow - an active, positive action from the user. Pre-ticked checkboxes do not count. Scrolling or continued browsing does not count.
Strictly necessary cookies are exempt. Session cookies that maintain login status, shopping cart cookies like PHPSESSID, and language preference cookies such as pll_language may be set without consent because the site cannot function properly without them.
Everything else - analytics trackers like _ga, advertising pixels such as _fbp, and social media widgets - requires explicit opt-in before activation.
Datatilsynet's 2026 Enforcement Priority
Datatilsynet announced that website tracking will be an enforcement priority in 2026, specifically examining whether users have a genuine opportunity to decline cookies. The authority is coordinating directly with Digitaliseringsstyrelsen, meaning both regulators will scrutinise cookie consent practices simultaneously.
The focus targets several common violations:
Dark patterns - making the "Accept" button prominent while hiding the reject option
Cookie walls that block content unless visitors accept all tracking
Pre-checked consent boxes
Asymmetric designs requiring one click to accept but multiple clicks to decline
Missing granular consent options for different cookie categories
This coordinated approach from two regulatory bodies significantly increases the likelihood of enforcement action against non-compliant sites.
Notable Danish Cookie Enforcement Actions
Datatilsynet has already taken action in several cookie-related cases that illustrate how the rules are applied in practice.
| Case | Year | Issue | Outcome |
|---|---|---|---|
| Danish Meteorological Institute (DMI) | 2021 | Processing personal data for behavioural advertising without valid consent | Reprimand issued |
| JP/Politik (eb.dk) | 2021 | Cookie banner used colours and design to influence user choice; consent was not informed under Articles 6 and 4(11) GDPR | Reprimand issued |
| GulogGratis (Gul og Gratis) | 2023 | Cookie wall requiring consent or payment; statistical data processing not justified | Ordered to demonstrate lawful basis for statistical processing |
| Jysk Fynske Media | 2024 | Cookie wall implementation | Under investigation |
The GulogGratis case is particularly instructive. Datatilsynet ruled that a "consent or pay" model can be acceptable in principle, but the site must still demonstrate that each category of data processing is necessary and proportionate. When GulogGratis requested the case be reopened in 2024, Datatilsynet declined.
One procedural detail matters for risk assessment: Danish data supervisors cannot issue administrative fines directly. Cases are transferred to the police, examined for potential charges, and any financial penalty is decided by a court. This process is slower than the direct fines seen in France under CNIL, but the GDPR maximum of 4% of global annual revenue still applies.
Cookie Banner Requirements for Danish Sites
Based on Datatilsynet's guidance, a compliant cookie banner for Danish visitors must meet specific standards.
The first layer of the banner must include a clear option to refuse all non-essential cookies. A banner showing only "Accept" and "More information" buttons does not meet this requirement. Both acceptance and rejection must be equally accessible - same prominence, same number of clicks.
Granular control is required. Visitors must be able to consent to individual purposes (analytics, marketing, functional) rather than facing an all-or-nothing choice. Each purpose must be explained in plain language.
No cookies may fire before consent is recorded. If your site loads _ga or _fbp on page load and only asks for consent afterwards, that violates both the Cookiebekendtgorelsen and the GDPR.
Language Considerations
Datatilsynet has not mandated that cookie banners appear in Danish, but the information must be understandable to the target audience. If your site is aimed at Danish consumers, providing consent information in Danish is the practical choice. For international sites, English is generally acceptable.
How Denmark Compares to Other Nordic Countries
Denmark's cookie rules share the same EU foundation as its neighbours, but enforcement styles differ.
| Country | DPA | ePrivacy Implementation | Enforcement Approach |
|---|---|---|---|
| Denmark | Datatilsynet + Digitaliseringsstyrelsen | Cookiebekendtgorelsen (Executive Order 1148/2011) | Reprimands; fines via court |
| Sweden | IMY | Electronic Communications Act (LEK) | Direct administrative fines |
| Finland | Traficom + Data Protection Ombudsman | Act on Electronic Communications Services | Shared oversight model |
| Netherlands | Autoriteit Persoonsgegevens | Telecommunicatiewet | Direct administrative fines |
Denmark's split oversight between Datatilsynet and Digitaliseringsstyrelsen resembles Finland's shared model between Traficom and the Data Protection Ombudsman. The key difference for website owners is that Danish enforcement has historically relied on reprimands rather than large fines - though that could change as cookie compliance becomes a stated enforcement priority in 2026.
Compliance Checklist for Danish Cookie Consent
Use this checklist to verify your site meets Danish requirements:
No non-essential cookies fire before explicit consent is given
The cookie banner displays a reject option on the first layer, equally prominent to the accept button
Granular category selection is available (analytics, marketing, functional)
Cookie information is clear, specific, and in a language your Danish audience understands
Pre-ticked boxes are not used anywhere in the consent flow
Consent records are stored and can be demonstrated to regulators
Visitors can withdraw consent as easily as they gave it
Your cookie policy lists all cookies by name, purpose, duration, and provider
Cookie scanning is performed regularly to catch new trackers added by third-party scripts
Google Consent Mode v2 is implemented if you use Google advertising or analytics services
Frequently Asked Questions
Does Denmark require cookie consent in Danish?
Datatilsynet has not mandated a specific language for cookie banners. The requirement is that information must be understandable to your audience. Sites targeting Danish consumers should use Danish; international sites may use English.
Can Danish websites use cookie walls?
Datatilsynet's GulogGratis decision suggests that "consent or pay" cookie walls can be acceptable in principle. However, each data processing purpose must be justified as necessary and proportionate. A blanket cookie wall with no alternative is unlikely to comply.
Who enforces cookie law in Denmark?
Two authorities share responsibility. Digitaliseringsstyrelsen enforces the Cookiebekendtgorelsen (the ePrivacy implementation), while Datatilsynet enforces the GDPR. Both are coordinating on cookie consent enforcement in 2026.
What fines can Datatilsynet impose for cookie violations?
Datatilsynet cannot issue administrative fines directly. Cases are referred to the police and any fine is decided by a court. The GDPR maximum of 4% of global annual revenue or 20 million euros (whichever is higher) applies.
Are analytics cookies exempt from consent in Denmark?
No. Analytics cookies like _ga require prior consent under Danish law. Only strictly necessary cookies - those essential for the site to function - are exempt from the consent requirement.
Does the Danish cookie law apply to sites outside Denmark?
If your website targets Danish users or processes personal data of individuals in Denmark, the GDPR applies regardless of where your business is based. The Cookiebekendtgorelsen applies to services directed at Danish users.
Take Control of Your Cookie Compliance
If your site receives visitors from Denmark, a compliant cookie banner is not optional - especially with Datatilsynet's 2026 enforcement focus. Kukie.io detects and categorises every cookie on your site, supports geo-targeted consent banners, and helps you stay compliant across jurisdictions.
