Cookies, and compliance when starting up an online business

Stine Mangor Tornmark
Written by
Stine Mangor Tornmark
on
April 22, 2020
Alexander Høy from Raadgiver.dk

A podcast with Stine Mangor Tornmark from Openli, and Alexander Høy from Raadgiver.dk, a consulting company offering advice on business and legal matters.

Stine interviewed Alexander to hear his perspective about what you should be aware of when starting an online business. In the podcast Alexander gives us some insights into his work at Raadgiver.dk, how they help start-ups, and tips on how you can ensure compliance when using cookies on your website.

The podcast is recorded in Danish, and you can read an English written translation of the transcript below.

Could you tell us a bit about who you are and your background?
My name is Alexander and I come from Raadgiver.dk, a company where we work with legal compliance, e.g. the GDPR rules, and a few other things like that. I am a legal and business consultant in that context, and also advise clients on economic matters. We work to give our clients an overview of current legislation with a financial perspective, and try to make the subject as easy to understand as possible.
Which types of clients do you usually help?
We usually help newly started businesses and recently started businesses that need a legal or economic boost. We also have a few larger clients who need a one off solution, but our key customers are the ones who are just starting up. We help them with many things including corporate law, employment, and labour law, accounting, and also the GDPR.
You started up in 2015 before GDPR, and have 5 years of experience in this area. We met at a GDPR conference, because of a shared interest in privacy and compliance and data ethics. Some of the things we talked about then, was the value in being able to provide companies with hands-on and implementable advice when starting a new business.
Yes, exactly, well it is really about getting out there and doing something. If the authorities come by and see that you have been passive and done nothing, then they are more likely to impose sanctions or fines. So the more that you do, and the more you can implement the correct solutions in your company to be compliant, the better.
Sounds great, well let us get started, when you as an advisor are helping out clients who are starting up an online business, what are some of the initial things that you talk about with them?
We start by getting an overview of the company. There are many things to think about when you are starting a business, so we need to figure out where we should prioritise our time. Depending on the type of business it is, we focus on key areas, which could be data for some companies, or if it is a webshop we might look at the Terms & Conditions, or if the company sells a service then we would focus on potential legal issues that could arise here.
It is very much dependent on the type of business the client has. We always strive to meet them at eye level and to keep things as simple as possible. If the client is interested, then we will teach them what they need to do, or we can solve the problem for them. We try to communicate with the clients about these things in an accessible way, so they also gain an understanding of how to do these things in the future.
Are there any common challenges faced by your clients, or is it dependent on the type of business they are starting?
The main thing for most start-ups is getting an overview, as there are many things to consider at this stage in the business. We typically begin with a meeting to identify what is important right now, and what to prioritise.
We are hearing a lot about cookies at the moment, is this something that your clients need help with?
Yes, it is a part of the GDPR package we offer our clients, and cookies are very important in this regard.
What are some of the biggest challenges your clients face in relation to cookies?
In relation to cookies, most of our clients need help understanding the rules, it’s an area in steep development. Just a few months ago we got new guidelines from the authorities. Businesses have to keep up with these changes and recommendations as they come into force.
If we have some listeners who have a webshop or a website, who want to make sure they are compliant, what should they be aware of?
Well, they need to start by creating an overview and look at what the function of the website is and ask themselves, if they need to use cookies. There are some websites where cookies are irrelevant, and in this case, it is not a consideration. If you don't track people who use the website, then you don't have to think about cookies.
But, as soon as you start collecting user-data, or start placing cookies on website visitor's devices, then you have to start looking into the area. In this instance, we would talk to our clients about the types of consent they need to make sure that their cookie use is legal.
Would you be able to give our listeners five tips for working with cookies?
Yes, start by getting an overview of what your website does, and what type of cookies you are using. And then ask yourself, why are you using cookies? What do you need them for? And finally, have you got the right permission, and consent to collect this data. There are different types of cookies, and one of these is information-based. This helps the website determine, which language should be shown in the browser, which you don’t need consent for. But, if you are using cookies to collect analytical data or for marketing purposes, then you need to make sure you have the correct consent.

**You mention consent, is this something you see a lot of people doing the wrong way?

I see this very often, I would say at least 50% of all websites have an issue with meeting the consent requirements. You should obtain consent from your website user, before e.g., starting to track how they use the website.
Are there other risks businesses should consider?
There are a lot of risks involved in this instance. If you have obtained data from a website user without consent, then you might be breaking the rules, which can result in negative consequences such as sanctions and fines.
If you were going to provide our listeners with some concrete advice in relation to data collection, cookies and consent, what would that be?
You can collect data, but you need to make sure you obtain the right consent. I would suggest that you remove any cookies plugins you don’t need. You need to ensure you have a proper cookie banner that pops up to make sure the user reviews the banner before using the website. There also has to be a description relating to the consent. The cookie banner should make it easy for the user to get an overview of how you use cookies and how to give consent or opt-out.
We are seeing quite a few tech solutions, which can help companies, but also may leave them not quite knowing what the right settings are, or how to form things like a cookie policy. Is this something you help with?
This is exactly the sort of thing we can help companies with. You must communicate clearly, precisely and comprehensively what the purpose of the consent is. It is not enough just to write, “By using our website, you accept our Cookie Terms and Conditions”. It has to be much more specific, so that the user knows what happens to the data. This is something we have seen in a number of cases. The rules state it must be just as easy to say no to cookies as saying yes to cookies. The data is worth a lot for companies, but you have to obtain it the right way.
Do you have any last tips for any start-ups out there in regards to going online?

If I had to focus on the essentials, then I would say that they need to:

  • Make sure you obtain active consent from your users in relation to cookies,
  • Make sure you have a log of your obtained consents, so you can prove you have acquired the data correctly,
  • Make sure that your users can easily change their minds and opt-out of being tracked,
  • Make sure that you don’t place cookies or track your users until you have obtained consent,
  • Be sure that your cookie policy also reflects what you actually do, it is not worth anything if you just use a template and then do something different to what is stated in your cookie policy.

About Alexander and Raadgiver.dk

Alexander studied business law and economics at Copenhagen Business School with a focus on the GDPR, and is a founding member of the non-profit organisation Danish DPO society. He has worked as a consultant and partner in Raadgiver.dk since 2017, focusing primarily on GDPR and privacy.

You can contact Alexander via the Raadgiver.dk website, if you are interested in hearing more about what he can do for your company.

Join our in-house legal & privacy community

Join one of the fastest growing legal communities in Europe. Learn, share, connect and meet inspiring legal professionals, leaders and experts all for free.
Openli community
Apply to join

Privacy Newsletter

Sign up for a regular dose of news and updates from the legal landscape.