Denmark: first country to implement “cookie”-directive. Here’s the proposed executive order.

  • by

Yesterday the Danish minister of Science and technology issued the first draft of the Danish implementation of article 5 (3) in the EU e-privacy directive. You know – the one about cookies. Up until April 1, 2011 relevant parties are asked to contribute in a public consultation. The new rules will be in effect as of May 25.

Today a conference was held in Copenhagen giving inputs of how to understand the new rules were held. Here’s a recap of the purposed executive order:

1. You do NOT have to accept cookies actively before they’re being set. Usage of the site itself can, depending on the circumstances, count as an accept.

2. You WILL have to inform the users of a. who is setting the cookie, b. why he is setting it and c. how long the cookie is in effect. You’ll have to do this in a clear and  concise manner. The usual “blah, blah” doesn’t count. Also, d. you have to give users a way of deleting cookies being set in case they regret.

3. Cookies which are required to make your site work does not require you to inform and make sure the users accepts. Like shopping basket functionality in a web-shop. Web analytics on the other hand are not OK. Measurement and ad operations will not typically be deemed necessary.

4. If you violating the rules, you’re fined. Rules apply from May 25. 2011.

The rules will affect practically every single website visited by Danes. Big or small, personal blog or corporate site, web-shop, media outlet, search engine or social network. And from the look of it not one single site presently sticks to the new rules.  That is: they’ll all have to change. Soon.

I thought others might want to know what the text actually looks like, and ran the whole thing through Google Translate: I’ve skimmed it, and it looks OK. Here it is:

Executive order on requirements for information and consent for the storage of and access to information in end-user terminal equipment

Pursuant to § 9 and § 81 paragraph. 2 of the Law on electronic communications networks and services in accordance with Law No. (…) of (…) in 2011:

Purpose and Scope

§ 1 Executive Order designed to protect end users against improper storage of information or gaining access to information already stored, in the end user terminal equipment.

Paragraph. 2. The provisions of this decree does not supersede the regulation under other applicable regulations.

Definitions

§ 2 In this Order shall apply:

1) Terminal Equipment:

Telecommunications Terminal Equipment which is a product or a relevant component thereof which enables communication and are intended to be directly or indirectly connected to termination points in public electronic communications network.

2) End User:

Users of electronic communications networks or services not on a commercial basis providing the relevant electronic communications networks or services to others.

3) Information and content service:

Any form of electronic provision of information or content that other end users can access via electronic communications networks or services on the basis of an individual request, which includes information society services.

4) Provider of information and content service:

A natural or legal person providing an information and content service.

5) Third parties:

A natural or legal person shall store information or gaining access to information already stored in an end-user terminal equipment via an information and content service, as the natural or legal person is not a provider.

Paragraph. 2. The above concepts must be understood according to current definitions of the Law on Electronic networks and services and the rules thereunder.

 

Storing and accessing data terminal equipment

§ 3 Natural or legal person may not store information or gain access to information already stored, in a end user terminal equipment or have third-party store information or gain access to information if the end user does not give consent after receiving adequate information about the storage of or access to data.

Paragraph. 2. By consent, cf. 1, means any freely given specific and informed expression of will by which the end user agrees that the stored data or the obtained access to already stored information in the end user terminal equipment.

Paragraph. 3. Information, cf. 1, is appropriate when at least it

1) appears in a clear, concise and understandable language, or similar iconography,

2) contains information about the purpose of storage of or access to data in the end user terminal equipment

3) contains information about how long the information is intended to be stored in the end user terminal equipment

4) contains information about the name of any natural or legal person shall, storing or availability of information

5) contains a readily available access for end users to refuse consent or revoke consent to the storage of or access to data and a clear, precise and understandable instructions on how the end user is using such access and

6) is readily available to end users in comprehensive and clearly being disclosed to it. Moreover, information whenever there is a store or access information on end user terminal equipment through a Information and content service be sustained accessible to end users through a direct and clear selected access to the information and content services.

 

§ 4 Notwithstanding § 3, natural or legal persons store information or gain access to information already

stored in an end-user terminal equipment, if

1) the storage of or access to information has the sole purpose of carrying out communications over an electronic communications or

2) the storage of or access to data is required to enable the provider of information and content service by the end user explicitly requested in a position to deliver this service.

Paragraph. 2. Storage of or access to information in an end-user terminal equipment is required, cf. 1, No. 2, if the storing of or access to information is a technical requirement to provide a service that works in accordance with the purpose of service.

 

Penal Provisions

§ 5 A fine imposed on anyone who violates § 3

Paragraph. 2. There can be imposed on companies, etc. (Legal persons) criminal liability under the Criminal Code fifth chapter.

 

Tags:

2 thoughts on “Denmark: first country to implement “cookie”-directive. Here’s the proposed executive order.”

  1. I was at the conference and trust me you wont get fined if you havent implemented your changes by the 26 of maj.
    Both Charlotte Sahl-Madsen minister of science and Linda Nielsen of IT security committee, both insured that the developers would be given, a reasonable amount of time to implement new features, for accepting cookies and other information storage. Also theres a bunch of public hearings from now on and untill mid april before the executive order, is in its final form.

    A draft can be found at: http://www.itst.dk/sikkerhed/fora/it-sikkerhedskomiteen/copy_of_it-sikkerhedskomiteen/konferencedokumenter-fra-2-3.2011/Exe%20%20order%20in%20Information%20and%20Consent.pdf

    ty

  2. Hi Gumball,

    I think you’re right: the Danish authorities won’t fine anyone by May 26th. Nevertheless this is what the executive order stipulates. You ARE breaking the law if you don’t adhere – even though the authorities wouldn’t want to get down on you to hard.

    Jon

Comments are closed.