Cookie Consent and Analytics in Denmark: What Danish Website Owners Need to Know in 2026

84% of Danish websites violate cookie consent rules. 70% fire tracking cookies before asking permission. Datatilsynet just made cookie enforcement a 2026 priority. If you run a website in Denmark and use cookie-based analytics, the question is not whether you're compliant. It's whether you get caught before you fix it. And Google Analytics is not in the clear.

The rules you're actually subject to

Cookie consent in Denmark is governed by two overlapping laws, enforced by two separate authorities.

The first is the Cookiebekendtgorelsen (BEK nr 1148 af 09/12/2011), Denmark's implementation of the EU ePrivacy Directive. Issued under Section 9 of the Teleloven (Telecommunications Act), it requires consent before any non-essential data is stored on or read from a visitor's device. Supervised by Digitaliseringsstyrelsen (the Danish Agency for Digital Government, which took over from the Danish Business Authority in December 2022).

The second is the GDPR, enforced by Datatilsynet. It governs how you process any personal data collected through those cookies. The two operate in parallel. You need to comply with both.

In May 2025, Datatilsynet and Digitaliseringsstyrelsen published joint guidance on cookies and tracking technologies, confirming the overlap and coordinating their enforcement approach for 2026.

Only two exemptions exist. A cookie is exempt if its sole purpose is transmitting a communication over a network, or if it's strictly necessary to deliver a service the user explicitly requested. Session management, shopping carts, language settings, consent status storage. That's it. The Cookiebekendtgorelsen Section 4 is exhaustive.

Analytics cookies are not exempt. Not for first-party analytics. Not for privacy-friendly analytics. Not for self-hosted analytics. If your tool stores data on or reads data from the visitor's device, you need consent.

This is the critical difference from France. CNIL maintains a formal consent exemption for analytics: 22 tools can operate without a cookie banner if they meet strict conditions (first-party only, no cross-site tracking, 13-month cookie limit). Denmark has no such framework. No approved list. No exemption criteria. Every analytics cookie requires consent, period.

"Legitimate interest" does not bypass this. Even if you argue legitimate interest as your GDPR legal basis, the Cookiebekendtgorelsen consent requirement applies independently at the device-access layer. Consent is the only legal basis for placing a non-essential cookie on a Danish visitor's device.

And the rules are technology-neutral. Cookies, local storage, fingerprinting, pixel tags, device identifiers, SDKs. If it reads from or writes to the visitor's device, consent is required.

Datatilsynet: 74 people, a unique enforcement model, and a Supreme Court judge

Datatilsynet is Denmark's data protection authority. It has 74 employees working on a budget of DKK 59.1 million (~EUR 7.9 million). In 2024, they handled 18,816 new cases, including 9,624 data breach notifications. The caseload has nearly doubled since 2020.

What makes Denmark truly unusual is its enforcement model. Under the Danish Constitution, administrative fines are not permitted. GDPR Recital 151 explicitly carves out Denmark (and Estonia) from the standard EU administrative fine system. Datatilsynet cannot issue fines. It investigates, concludes, and then files a police report with a recommended fine amount. The police investigate further. If charges are brought, the case goes to a court that determines guilt and the fine.

This three-step process creates a dramatic gap between what Datatilsynet recommends and what courts impose.

IDdesign: proposed DKK 1.5 million, court imposed DKK 100,000. Taxa 4x35: proposed DKK 1.2 million, court imposed DKK 250,000 on appeal. Courts consistently reduce fine recommendations by 75-95%. An INPLP analysis warned that Denmark risks becoming a "safe haven" for GDPR violations because "the fine for non-compliance is much lower than the costs" of compliance.

But don't let the fine gap mislead you. Datatilsynet's approach is shifting. As Danish privacy consultant Henrik Rubaek Jorgensen told Openli: "There used to be an understanding in the Danish Data Protection Agency that the rules were complex and difficult to understand, and at that time they wanted to be more of a guiding authority than a sanctioning one. But the approach has now started to change, and they are now reporting companies and municipalities to the police."

The Data Council that decides precedent-setting cases is chaired by Supreme Court Judge Kristian Korfits Nielsen. When the regulator's decision-making body is led by a Supreme Court judge, the guidance carries weight beyond the fines.

Google Analytics: declared non-compliant, never cleared

On September 21, 2022, Datatilsynet declared Google Analytics non-compliant with GDPR. Denmark became the fourth EU country to reach this conclusion, after Austria (December 2021), France (February 2022), and Italy (June 2022). The rulings were coordinated through an EDPB task force responding to noyb's 101 complaints filed in August 2020.

Datatilsynet's chief consultant Makar Juhl Holst stated: "We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures."

The ruling explicitly covered both Universal Analytics and GA4. Datatilsynet evaluated GA4's privacy settings released in summer 2022 and found them insufficient. Even though GA4 uses IP addresses only to determine location and then discards them, there's still a direct connection to American servers before discarding occurs. US authorities could access the data during that window.

The only approved supplementary measure: a reverse proxy server that strips all identifying data before it reaches Google. Dansk Erhverv (the Danish Chamber of Commerce) estimated that at least 8 out of 10 Danish companies used GA at the time. Their digital commerce director Carsten Rose Lundberg called the proxy approach "cost-heavy" and warned it produces "a worse end product."

Then came the Data Privacy Framework. In July 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF). Google certified. The specific transfer problem that Datatilsynet flagged was technically resolved.

But Datatilsynet's response was not "Google Analytics is legal again." Their July 31, 2023 statement pushed back: Datatilsynet "has not taken a position on whether Google Analytics is lawful" and stressed that organizations must still satisfy every other GDPR requirement. Legal basis for processing (consent). Data processor agreements. Data subject rights. Transparency. The 2022 ruling was never withdrawn.

The DPF's durability is uncertain. The US Privacy and Civil Liberties Oversight Board (PCLOB), referenced 31 times in the European Commission's adequacy decision, was gutted by the Trump administration in January 2025. It can't form a quorum, can't conduct investigations, and can't perform the annual DPF review the adequacy decision relies on. French MP Philippe Latombe's appeal to the CJEU is pending. This is the same court that struck down both Safe Harbor and Privacy Shield.

If the DPF falls, every Danish website using Google Analytics would face the same situation as September 2022. No legal basis for transfers. No transition period. Norway's Datatilsynet has already warned businesses to prepare exit strategies.

The cookie consent gap: 84% non-compliant

Datatilsynet's 2026 enforcement plan is blunt: "Studies are still being published regularly showing extensive collection of personal data continues on Danish websites, and where citizens do not have a real opportunity to say no to tracking technologies."

The numbers back this up. Cookie Information's 2024 compliance report found that 94% of Danish websites have a cookie banner (up from 91% in 2023). But 84% of those banners have compliance issues (up from 79% in 2023). The direction is wrong: more banners, more violations. And the most common violation is the most serious one: 70% of analyzed sites set non-essential cookies before the visitor makes any choice at all.

The worst sectors: Sports (89% violation rate), E-commerce (83%), Arts and Culture (82%).

Datatilsynet has already acted on cookie violations. JP/Politikens Hus (publisher of eb.dk) was reprimanded for a cookie banner that used a traffic-light color scheme: green "Accept All," red "Only necessary," grey "Customize." Datatilsynet ruled the color coding was impermissible nudging. Consent information was hidden behind a second layer. The consent was invalid.

Berlingske was ordered to change its practice of blocking embedded video and blog content unless users consented to statistics and marketing cookies. Datatilsynet found that forcing users to accept analytics tracking as the price for watching a video does not produce valid consent.

DMI (Denmark's Meteorological Institute, the national weather service) received "serious criticism" for running Google's advertising platform on dmi.dk. Consent was bundled into a single "OK" button, with insufficient information and asymmetric friction for declining. A government weather website, running behavioral advertising, with invalid consent. That's where the bar is in Denmark.

Anette Hoyrup of the Danish Consumer Council (Forbrugerradet Taenk) put it plainly: "The law doesn't work. Five years have passed, and consumers simply do not know what is going on."

What you actually lose when visitors click "Reject"

Even if your cookie banner is perfectly compliant, it's costing you most of your data.

Denmark's population is among the most digitally sophisticated in the EU. The country ranks number one globally in e-government for the fourth consecutive year. 99% internet penetration. 96% of adults use MitID, the national digital ID. 46% of Danish internet users actively manage cookie settings according to Eurostat, well above the EU average.

This is not a population that blindly clicks "Accept All."

Under a compliant cookie banner (equal-prominence accept and reject buttons, no dark patterns), the majority of Danish visitors will decline. Combined with ad blocker adoption in the high 30s for Nordic countries and Safari at 28.4% of Danish browser traffic (with Intelligent Tracking Prevention blocking third-party cookies), cookie-based analytics on a Danish website see a fraction of actual traffic.

If Clickport tracks your site, you would see 100% of your visitors from day one. No consent needed, no scripts to block, no data lost to rejection or ad blockers.

Carsten Rose Lundberg of Dansk Erhverv captured the practical impact: "Data has value only if it can be compared with something." When your analytics see 22% of your traffic, you're not just missing data. You're making decisions on a sample that's systematically biased toward visitors who accept cookies, which skews toward repeat visitors, loyal customers, and the least privacy-conscious segment of your audience. New visitors, privacy-aware users, and the majority of your actual traffic are invisible.

The country that armed both sides

Here's the part of Denmark's privacy story that nobody connects.

Denmark produced two of the world's largest cookie consent platforms. Cookiebot (Cybot A/S) was founded in Copenhagen in 2012 by Daniel Johannsen. It now runs on over 2 million websites globally and merged with Usercentrics in 2021 to become the world's largest consent management platform. Cookie Information launched its consent management platform in Copenhagen in 2017, became the second-largest third party on the 100 most visited Danish websites (surpassed only by Google), and merged with Piwik PRO in 2023 to create a combined consent-plus-analytics platform.

Two of Europe's most significant consent management companies, both from Copenhagen.

And there's a deeper irony. Between 2015 and 2020, Denmark's own tax portal (TastSelv Borger) leaked the CPR numbers of 1.26 million Danish citizens through Google Analytics. A software bug appended citizens' national ID numbers to the URL every time they updated account settings, sending those numbers to Google and Adobe analytics. One-fifth of Denmark's population. For five years. The country learned firsthand what happens when analytics tools access data they shouldn't.

Denmark doesn't just regulate cookie consent. It experienced the consequences of getting it wrong, built the tools to fix it, and then set some of the strictest rules in Europe. That history is why Datatilsynet's 2026 enforcement push is not just regulatory posturing.

What's coming: the Digital Omnibus and Denmark's own push

Denmark is simultaneously enforcing strict cookie consent rules domestically while pushing to loosen them at the EU level. That's not a contradiction. It's strategy.

During its EU Council Presidency (July-December 2025), Denmark circulated a non-paper proposing targeted revisions to the GDPR and ePrivacy Directive. The key proposal: exempt companies from cookie consent where personal data is collected for "technical purposes and simple statistics." Justice Minister Peter Hummelgaard told Euronews: "We will set a focus on modernising the regulatory landscape, by specially focusing on the GDPR."

The European Commission's Digital Omnibus (proposed November 2025) reflects Denmark's push. The proposed Article 88a(3)(c) would permit storing or accessing data on a user's device without consent for:

"creating aggregated information about the usage of an online service to measure the audience of such a service, where this is carried out by the controller of that online service solely for its own use"

The exemption is narrow. It covers aggregated audience measurement by the site owner, for their own service, for their own internal use only. Google Analytics would not qualify because data flows to Google's ecosystem and operates across multiple services. Self-hosted or privacy-first analytics that produce aggregate statistics for the site owner's use would.

Until the Omnibus passes, Denmark's current rules remain in force. Every analytics cookie requires consent. The fastest way to get 100% visitor visibility without waiting for EU legislation: use analytics that don't store anything on the visitor's device in the first place.

What this means for your website

If you run a website that serves Danish visitors, here's where you stand.

If you're using Google Analytics with a cookie banner: Your US data transfers are covered by the DPF (for now), but you need valid cookie consent under the Cookiebekendtgorelsen. That means equal-prominence accept and reject buttons, no pre-loaded cookies, granular purpose selection, and easy withdrawal. If your banner fails any of these, Datatilsynet's 2026 enforcement priority targets exactly this. And even with a perfect banner, the majority of your Danish visitors will be invisible.

If your cookie banner isn't compliant: You're in the 84%. Datatilsynet and Digitaliseringsstyrelsen are coordinating inspections in 2026. The most common violation (cookies before consent) affects 70% of Danish sites. Even under Denmark's court-based enforcement model, non-compliance carries real consequences: reprimands, compliance orders, police reports, and fines up to 4% of global revenue under GDPR.

If you want accurate data without the compliance risk: Switch to analytics that don't touch the visitor's device. No cookies, no fingerprinting, no cross-site tracking means the Cookiebekendtgorelsen consent requirement does not apply. 100% of traffic visible. No banner needed for analytics. No dependency on the Data Privacy Framework staying valid. No enforcement risk from cookie-focused audits.

Denmark ranks number one in the world for digital government. Its citizens are among the most digitally literate in Europe. That sophistication is why cookie-based analytics fail harder here than almost anywhere else. The visitors you're missing aren't random. They're the ones who know what "Reject All" means and aren't afraid to click it.

Start your free 30-day trial at clickport.io/register. No credit card required. See your real Danish traffic in under two minutes.

Frequently asked questions

Is Google Analytics legal in Denmark?

Datatilsynet declared Google Analytics non-compliant with GDPR in September 2022. The EU-US Data Privacy Framework (July 2023) resolved the specific data transfer issue, but Datatilsynet has never reversed its position and says calling GA "legal" is "an oversimplification." You still need valid cookie consent under the Cookiebekendtgorelsen, a data processor agreement with Google, and compliance with all GDPR requirements. The DPF itself is being challenged at the CJEU.

Do I need cookie consent for analytics in Denmark?

Yes, for any analytics tool that stores data on or reads data from the visitor's device (cookies, local storage, fingerprinting). The Cookiebekendtgorelsen Section 4 provides only two narrow exemptions: cookies for transmitting communications and cookies strictly necessary for a requested service. Analytics cookies are explicitly not exempt. Unlike France, Denmark has no consent exemption framework for privacy-friendly analytics tools. Cookieless analytics that don't touch the visitor's device fall outside the Cookiebekendtgorelsen entirely.

What is the Cookiebekendtgorelsen?

The Cookiebekendtgorelsen (BEK nr 1148 af 09/12/2011) is Denmark's implementation of the EU ePrivacy Directive. It requires prior informed consent before storing information on or accessing information from a user's terminal equipment. It's supervised by Digitaliseringsstyrelsen (not Datatilsynet). The GDPR applies on top of it for any personal data processing. A non-compliant cookie banner can trigger enforcement from both authorities simultaneously.

Can I use cookieless analytics without consent in Denmark?

Analytics tools that don't set cookies, don't fingerprint visitors, and don't track across sites avoid the Cookiebekendtgorelsen's consent trigger. The law applies to "storage of or access to information on end-user terminal equipment." If the tool also processes no personal data (anonymous aggregation only), the GDPR consent requirement doesn't apply either. This is why cookieless, privacy-first analytics can operate without a consent banner in Denmark.

What are the penalties for cookie violations in Denmark?

Denmark has a unique enforcement model: Datatilsynet cannot issue fines directly (GDPR Recital 151). It recommends fines to police, who prosecute through courts. Courts have historically imposed much lower fines than recommended (IDdesign: DKK 1.5M proposed, DKK 100K imposed). The largest court-imposed GDPR fine is DKK 1 million (Arp-Hansen Hotels, 2023). Datatilsynet's largest recommendation is DKK 15 million against Netcompany (2024, court pending). Under GDPR, fines can reach 4% of global annual turnover or EUR 20 million.

Does the EU-US Data Privacy Framework make Google Analytics legal in Denmark?

The DPF (adopted July 2023) resolved the specific US data transfer issue from Datatilsynet's September 2022 ruling. But Datatilsynet explicitly warned that "using Google Analytics requires not only lawful transfers to the USA." You still need valid cookie consent, a data processor agreement, and compliance with all GDPR requirements. And the DPF's durability is uncertain: the PCLOB has been gutted, and the framework is being challenged at the CJEU. If it falls, there would likely be no transition period.