Pass Denmark's cookie rules: prove no tracker fires before consent, the way Datatilsynet checks.
Denmark regulates cookies through the Executive Order on Cookies No. 1148 of 9 December 2011 (cookiebekendtgørelsen), which transposes Article 5(3) of the EU ePrivacy Directive and requires prior, specific, informed consent before any non-essential cookie or tracker is stored on or read from a visitor's device. Because cookies also process personal data, the order operates alongside the GDPR and the Danish Data Protection Act (Databeskyttelsesloven), supervised by Datatilsynet (the Danish Data Protection Agency). In May 2025 Datatilsynet and the Danish Agency for Digital Government (Digitaliseringsstyrelsen) issued joint guidance confirming the overlap, and Datatilsynet has named website tracking — whether users have a real opportunity to say no — an enforcement priority for 2026.
Prior specific and informed consent is required before storing or accessing non-essential cookies or trackers on a user's device (Executive Order No. 1148, §3), with strictly necessary cookies exempt.
Applicable laws
Supervisory authority
Datatilsynet
Datatilsynet (the Danish Data Protection Agency)
www.datatilsynet.dk/english94%
of analysed Danish websites display a cookie banner (up from 91% in 2023)
Cookie Information, Denmark Compliance Report 2024
84%
of those Danish sites still have cookie-consent compliance issues
Cookie Information, Denmark Compliance Report 2024
70%
of Danish sites set non-essential cookies before consent is given
Cookie Information, Denmark Compliance Report 2024
2011
year the Danish cookie order (No. 1148) took effect, transposing ePrivacy Art. 5(3)
Executive Order on Cookies No. 1148 of 9 December 2011
Under §3 of Executive Order No. 1148, you must obtain consent before any cookie or similar technology used for statistics, marketing, or other non-essential purposes is stored on or read from the device. Cookies that are strictly necessary to deliver the service the user requested are exempt.
Pre-ticked boxes, implied consent, or continued use of the site do not count. The visitor must take a clear affirmative action, and consent must be specific and informed, with clear information about each purpose and the parties involved before any tracker fires.
Datatilsynet's 2026 priority targets whether users have a 'real opportunity to say no.' Asymmetric designs, cookie walls, dark patterns, and an Accept button without an equally prominent Reject option are treated as invalid consent.
Consent cannot be bundled. Users must be able to accept or refuse separate purposes — for example statistics versus marketing — rather than being forced into all-or-nothing acceptance.
You must be able to demonstrate that valid consent was obtained, and withdrawing consent must be as easy as giving it. Records of what was set, when, and on what basis are central to defending against a complaint or inspection.
Denmark's cookie regime sits on two pillars. The cookiebekendtgørelsen (Executive Order No. 1148 of 2011) implements Article 5(3) of the ePrivacy Directive and governs the technical act of storing or reading information on a device. Because those cookies almost always involve personal data, the GDPR and the Danish Data Protection Act apply in parallel, setting the standard for what counts as valid consent.
Supervision is shared. The cookie order was originally administered by the Danish Business Authority (Erhvervsstyrelsen), which issued cookie guidance in 2013 and 2019; since December 2022 that supervision has sat with the Danish Agency for Digital Government (Digitaliseringsstyrelsen), while Datatilsynet enforces the GDPR consent standard. In May 2025 the two authorities published joint guidance acknowledging the overlap and coordinating their approach — meaning a single non-compliant banner can attract attention from both.
Datatilsynet has made website tracking a stated enforcement priority for 2026, framing the test around whether citizens have a genuine, real opportunity to decline tracking. The authority has singled out dark patterns, cookie walls, pre-checked boxes, asymmetric Accept-versus-Reject layouts, and missing granular choice as the practices it intends to scrutinise.
The most common — and most consequential — failure is technical, not cosmetic: cookies and trackers that fire before the visitor has consented. Cookie Information's 2024 report found 70% of Danish sites set non-essential cookies before consent and 84% had compliance issues despite 94% having a banner. A polished banner does not help if scripts have already loaded; that gap between what the banner promises and what the page actually does is exactly what an inspection exposes.
CookieSentry is not a consent banner and not a CMP — keep the banner you already run. What it adds is the evidence layer Danish enforcement turns on. The free public scanner loads your live URL the way a real visitor's browser does and flags every cookie and tracker that fires before consent, naming its source, so you can see precisely what a Datatilsynet-style review would see.
From there you get an exportable report and PDF evidence documenting your pre-consent state, plus GDPR document generation for privacy and cookie policies localized to national requirements. Together that lets you find the trackers leaking before consent, fix them, and keep a dated record proving the page behaves the way your banner claims — the proof an inspection asks for.
Studies are still being published regularly showing that extensive collection of personal data continues on Danish websites, and where citizens do not have a real opportunity to say no to tracking technologies.
Executive Order on Cookies No. 1148 of 9 December 2011 (cookiebekendtgørelsen), issued under the Danish Act on Electronic Communications Networks and Services, transposes Article 5(3) of the ePrivacy Directive and requires prior informed consent before non-essential cookies.
Datatilsynet enforces the GDPR consent standard; the Danish Agency for Digital Government (Digitaliseringsstyrelsen) supervises the cookie order (a role held by Erhvervsstyrelsen until December 2022). The two issued joint cookie guidance in May 2025.
Datatilsynet cannot impose administrative fines directly. Serious cookie and data-protection breaches are reported to the police and decided by the courts, with the GDPR ceiling of EUR 20 million or 4% of global annual turnover, whichever is higher.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure Datatilsynet is most likely to act on — and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to Denmark's rules. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
Cookies are governed by the Executive Order on Cookies No. 1148 of 9 December 2011 (cookiebekendtgørelsen), which transposes Article 5(3) of the EU ePrivacy Directive, together with the GDPR and the Danish Data Protection Act. They require prior, specific, informed consent before any non-essential cookie or tracker is placed on or read from a visitor's device.
Datatilsynet (the Danish Data Protection Agency) enforces the GDPR consent standard, while the Danish Agency for Digital Government (Digitaliseringsstyrelsen) supervises the cookie order — a role previously held by the Danish Business Authority (Erhvervsstyrelsen) until December 2022. The two authorities published joint guidance in May 2025 and coordinate enforcement.
Yes. Consent must be obtained before any non-essential cookie or tracker fires. Strictly necessary cookies needed to deliver the service the user requested are exempt, but statistics and marketing cookies require active, unambiguous consent — pre-ticked boxes or continued browsing do not count.
CookieSentry is not a banner or CMP — keep your existing banner. Its free scanner loads your live site like a real visitor and flags every cookie or tracker that fires before consent, naming the source, then gives you an exportable report, PDF evidence, and GDPR documents localized to national requirements so you can prove your page matches what your banner promises.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Denmark's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on Denmark cookie rules, not legal advice; verify current requirements with Datatilsynet or qualified counsel.