How E-Com compliance became a trending keyword in Norway
Since January 1, 2025, the Norwegian E-Com Act is in force with stricter rules around cookies and user consent.
Fast forward to April, and the Norwegian Data Protection Authority (DPA) – Datatilsynet – published new comprehensive guidance to help marketers become E-Com compliant.
And they’re already acting on enforcement of the new cookie rules: Datatilsynet has begun inspecting websites that may be sharing sensitive personal data – such as health, political views, or religious beliefs – via tracking technologies like pixels, to assess whether those sites are complying with data protection rules.
Non-compliance could mean hefty fines and reputational damage. Are you ready?
If you’re a marketer, website administrator, or app developer targeting Norwegian users, these changes aren’t just another bureaucratic hurdle – they’re a wake-up call for how you manage consent and tracking.
The updated rules demand transparency, respect for user privacy, and alignment with European standards like the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Here’s everything you need to know to ensure your websites, apps and web analytics setup meet the requirements of the updated Norwegian Electronic Communications Act (Ekomloven). Don’t wait until it’s too late to act – the sooner you act, the safer you are!
Get compliant with the new Norwegian cookie requirements today
Achieve compliance and maintain performance with a cookie banner designed for marketers.
What you need to know about the Norwegian E-Com Act
Navigating the updated Norwegian E-Com Act can feel overwhelming, but getting the answers to key questions is the first step to compliance. From understanding what’s changing to determining who’s responsible, this section breaks it all down so you can focus on what matters most – staying compliant and building trust.
Why are the Norwegian cookie rules changing?
The changes to the Norwegian cookie rules aim to enhance user privacy and align Norway’s regulations with broader European standards, such as the GDPR. The updated guidelines place a stronger emphasis on obtaining valid consent from users and ensuring transparency in how cookies and personal data are handled.
How are the Norwegian cookie guidelines changing?
The new Norwegian E-Com Act replaces the previous “cookie paragraph” (§2-7b) with §3-15, introducing stricter consent requirements.
The revised Norwegian cookie guidelines eliminate the possibility of assumed or implied consent. Pre-ticked boxes, default settings, and any ambiguity in consent collection are no longer acceptable. Users must now explicitly opt in to non-essential cookies. This includes cookies for tracking, marketing, or analytics purposes.
What is considered personal data under the Norwegian E-Com Act?
The Norwegian Electronic Communications Act doesn’t explicitly define “personal data” within its text. Instead, it aligns with existing data protection frameworks, particularly the GDPR and the Norwegian Personal Data Act, which define “personal data” as any information relating to an identified or identifiable natural person.
This includes names, email addresses, IP addresses, behavioral data, and cookie identifiers. Under the E-Com Act, you must obtain explicit consent before collecting or processing such data unless it’s strictly necessary for the basic functionality of your website or app.
Who does the Norwegian E-Com Act apply to?
The Act applies to all organizations that use cookies beyond those strictly necessary for basic website and/or app functionality. If your business operates in Norway or targets Norwegian users and uses cookies for marketing, analytics, or tracking, you must comply. This includes organizations previously ignoring GDPR or relying on outdated consent methods.
In short: the E-Com Act applies to any organization targeting Norwegian users, whether based in Norway or abroad. If your website, app, or marketing efforts collect data from Norwegian residents, you must comply with the Act, regardless of your physical location or company headquarters.
Who’s responsible for Norwegian E-Com Act compliance within a company?
Privacy compliance is typically a shared responsibility. Key stakeholders include legal teams, data protection officers (DPOs), IT specialists, and digital marketers. However, as a marketer, you play a crucial role in ensuring your consent management platform (CMP) and data collection practices are aligned with the E-Com Act.
What does the Norwegian E-Com Act mean for marketers?
For digital marketers, the Norwegian E-Com Act presents both challenges and opportunities. Compliance requires updates to consent mechanisms. Spoiler alert: with the right cookie consent solutions, it’s simpler than you expect (and we’ll go through it below).
But it also enables you to grow trust among users by showing you respect their privacy and preferences. You’ll ensure your campaigns and tracking practices align with these stricter requirements, while at the same time avoiding fines and maintaining a competitive edge.
The stricter consent requirements under the E-Com Act could impact digital marketing strategies by limiting the data available for:
- User analytics
- Campaign tracking
- Audience segmentation
Since this can, in the end, hurt your marketing results, Norwegian marketers should adapt and:
- Leverage first-party data collected through compliant methods
- Focus on building user trust with transparent data practices
- Explore alternatives to cookie-based tracking, such as contextual advertising
New guidance from Datatilsynet: clarifying consent requirements
On April 3, 2025, Datatilsynet released comprehensive guidance detailing how businesses should obtain valid consent for cookies and tracking technologies under the updated E-Com Act. This guidance reinforces the alignment of Norway’s regulations with the EU’s GDPR standards.
Key takeaways from the guidance include:
- Active consent required: Users must provide clear, affirmative consent before any non-essential cookies are set.
- No pre-ticked boxes: Consent obtained through pre-ticked boxes or passive means (e.g., continued browsing) is not valid.
- Equal prominence for choices: Options to accept or reject cookies must be presented with equal prominence, ensuring users can make an informed choice without undue influence.
- Easy withdrawal: Users should be able to withdraw consent as easily as they gave it.
Datatilsynet starts supervision of tracking tools on sensitive websites
Also in April, Datatilsynet initiated supervisory activities focusing on websites that handle sensitive topics, such as health, religion, or political opinions. The authority is examining whether these sites’ use of tracking tools, like pixels, may inadvertently share sensitive user data with third parties, including major international tech companies.
How this can impact your digital marketing:
- Sensitive data handling: Websites dealing with sensitive information must ensure that any tracking technologies used do not compromise user privacy or share data without explicit consent. Tip: If your site touches on topics like health or politics, assume you’re working with sensitive data – and treat consent accordingly.
- Compliance checks: Datatilsynet’s ongoing supervision indicates a proactive approach to enforcing compliance, especially concerning the processing of special category data under GDPR. Tip: Don’t wait until your website is scrutinized under the public eye – audit now, fix fast.
- Best practices: You should conduct thorough audits of their tracking tools and data sharing practices, particularly if operating in sectors involving sensitive user information. Tip: Document what tools you use, where they’re placed, and why – it makes staying compliant (and responding to authorities) a lot easier.
This round of enforcement actions underscores even more the importance of compliant consent and transparent data handling practices.
Achieve privacy compliance with a Norwegian E-Com Act compliance checklist
Getting compliant might sound like a daunting task, but it doesn’t have to be.
Let us simplify the process for you with this E-Com Act compliance checklist, which includes tips for:
- Creating a compliant privacy policy
- Obtaining and managing valid user consent
- And ensuring ongoing compliance through regular updates and audits.
Norwegian E-Com Act compliance checklist: step-by-step guide for marketers
Step 1: Determine if your company is required to comply
Step 2: Create a comprehensive privacy and cookie policy
Draft a clear and detailed privacy policy that explains what data is collected, why it’s collected, and how it’s used. Additionally, develop a specific cookie policy that provides detailed information about the cookies used on your website, their purposes, and how users can manage their preferences.
If you work with Cookie Information’s consent management solutions, you get a tailored and legally valid cookie policy to solidify your brand and put privacy at the heart of your business.
We scan your website and app for cookies and trackers on all your subpages. This information is automatically written into your cookie policy and is updated every single time you have your website scanned.
Ensure both policies are easily accessible through clearly visible links and written in simple, non-technical terms so that they’re easy to understand.
Check your website for free
Step 3: Inform users about their rights
Step 4: Obtain valid consent from users
What does valid consent look like?
Valid consent must meet seven key principles under the EU and Norwegian guidelines. These include:
- Consent must be informed, clear, and freely given.
- Pre-ticked boxes or assumed consent are invalid.
- Users must be able to opt-out or withdraw consent as easily as giving it.
- Provide clear information in plain language.
- Offer accessible tools for changing cookie preferences anytime.
- Keep detailed records of user consent.
Step 5: Ensure user access even if they decline consent
Step 6: Stop data collection or processing as soon as the user opts out
Step 7: Securely document and store consent
Step 8: Review and update your privacy and cookie policies every 12 months
Step 9: Re-offer opt-in consent every 12 months
Step 10: Avoid common cookie compliance mistakes
- Don’t fire cookies before consent is given – this is a leading compliance issue.
- Clearly distinguish between essential and non-essential cookies – for example in your cookie policy and consent pop-up.
- Avoid vague consent banners like “We use cookies. OK.” Instead, use clear and specific messaging that explains the purpose of cookies, offers options to accept or reject them, and directs users to manage preferences easily.
- Integrate your cookie banner with every tool that uses data collected on your website. These can include analytics (e.g. Piwik PRO, GA4, Adobe Analytics, Hotjar), customer relationship management (CRM); personalization or recommendation engines, advertising platforms, marketing automation, as well as a/b testing and conversion rate optimization (CRO) tools.
- Ensure your cookie banner is correctly integrated with Google Consent Mode v2. Here you can scan your website for free to find out if you’ve implemented Google Consent Mode v2 correctly.
Final thoughts on Norwegian E-Com Act compliance
The updated Norwegian E-Com Act is no longer on the horizon – it’s here.
The updated Norwegian E-Com Act introduced stricter cookie and consent requirements to protect user privacy and bring Norway fully in line with European standards. But with Datatilsynet’s new official guidance live and supervisory inspections already underway, it’s no longer about getting ready – it’s about making sure your setup holds up today.
If you’re targeting Norwegian users, compliance isn’t just a legal must-do. It’s also a chance to:
Build trust with your users
Stand out from competitors who haven’t kept up
And strengthen the foundation of your digital marketing efforts
Norway has long been a frontrunner in enforcing GDPR and cookie regulations – and has shown it’s not afraid to impose significant fines. But compliance is about more than avoiding penalties. It’s about transparency, accountability, and the long-term sustainability of your data strategy.
Now is the time to act.
Run a cookie audit. Review your consent setup. And take advantage of tools like Cookie Information’s consent solution, which works seamlessly with your existing stack, including CMSs, Google Tag Manager, Piwik PRO, and Google Consent Mode v2.
Because doing privacy right isn’t just the law – it’s good marketing.
Still have questions?
Get practical tips for implementing these guidelines and get your questions answered by experts in E-Com compliance – watch our webinar, hosted in Norwegian: Ny 2025-cookieveiledning fra det norske Datatilsynet – slik etterlever du den.
How to get started:
Cookie Information offers privacy solutions for websites and apps. Start a free trial today and ensure your consent processes meet Norway’s new cookie requirements. If you need implementation support, check our Support Center or get in touch with our team for a personalized implementation partner recommendation.
Set up a compliant cookie consent banner in minutes with Cookie Information's easy-to-use tools
Don’t let Norwegian DPA Datatilsynet catch you off guard. Start a free trial today and ensure your website is E-Com compliant.
FAQs on Norwegian E-Com Act compliance for marketers
What is the Norwegian E-Com Act?
It’s a law enforcing stricter cookie and consent requirements to enhance user privacy and align with GDPR standards, effective January 1, 2025.
Why is the E-Com Act important for marketers?
It ensures legal compliance, builds user trust, and differentiates compliant businesses from competitors.
Who does the E-Com Act apply to?
Any organization targeting Norwegian users, whether located in Norway or abroad, must comply.
How does the E-Com Act impact marketing campaigns?
Marketers must ensure all tracking and analytics cookies have valid user consent before activation.
Can I personalize ads without user consent?
No, from January 2025 personalizing ads requires explicit user consent under the new cookie rules in Norway.
Do I need explicit consent for all cookies?
No, you only need explicit consent for non-essential cookies, such as those used for analytics, marketing, or tracking. Essential cookies, required for the basic functionality of your website, do not require consent.
Are there exceptions to requiring consent?
Yes, but only cookies strictly necessary for website functionality, like those for login sessions or shopping carts, are exempt from consent requirements.
What happens if my company doesn’t comply with the E-com law?
Non-compliance can result in fines, legal issues, and ultimately loss of user trust.
Do I need a separate cookie policy for my website?
Yes, alongside a privacy policy, you need a specific cookie policy that details the cookies used on your website, their purposes, and how visitors can manage their user preferences. Cookie Information’s consent management solutions can help you create a tailored, legally compliant cookie policy, updated automatically through regular scans.
Can I still track user behavior for analytics?
Yes, but only if the user explicitly consents to analytics cookies.
How do I re-offer opt-in consent?
Set up mechanisms to prompt users to renew their consent annually, ensuring compliance.
Do cookie banners affect conversion rates?
If designed well, cookie banners can maintain user trust without significantly impacting conversions. Learn more about the link between consent rates and marketing performance.
Can cookie compliance solutions impact my website's performance or marketing results?
Marketers may experience challenges like reduced data availability, increased ad spend, and weaker targeting due to stricter cookie opt-ins. To address this, explore anonymous tracking tools like Piwik PRO to collect non-personalized insights while maintaining compliance.
How does the E-Com Act affect mobile app marketing in Norway?
App developers must also implement compliant consent mechanisms for data collection and tracking within apps. Get a cookie banner for your mobile app.
What tools can I use to streamline data privacy compliance?
Consent management solutions like Cookie Information’s cookie consent banners integrate easily with popular CMS, tag managers, and Google Consent Mode to ensure data privacy compliance.
How should I prepare before January 1, 2025?
Conduct a cookie audit, implement or update your cookie consent banner, and ensure your cookie policy is updated, accessible and clear.
Are email marketing tools affected by the E-Com Act?
Users must now explicitly opt in to non-essential cookies. Assumed or pre-ticked consent is no longer valid in Norway from January 1, 2025.
Can I offer incentives to users for consent?
Yes, if email tracking uses cookies or collects personal data, consent is required.
What are the key changes to cookie consent rules?
Incentives can’t be used to force consent; it must be freely given without restrictions on access.
What’s required in a cookie policy?
A cookie policy must clearly outline what cookies are used, their purposes, and how users can manage their preferences.
How often should cookie policies be reviewed?
Both privacy and cookie policies should be reviewed and updated at least every 12 months to ensure compliance.
What happens if users withdraw consent?
Data collection and processing must stop immediately, and the user should still have access to your website’s basic functionality.
How can I document consent?
Securely store consent records, including timestamps and details, to demonstrate compliance during audits.
What tools can help with E-Com compliance?
Tools like Cookie Information’s cookie banners integrate with popular CMS and tag managers, making compliance easier.
Which authorities are responsible for enforcing the Norwegian E-Com Act?
The Norwegian E-Com Act is enforced by The Norwegian Data Protection Authority (Datatilsynet) and The Norwegian Communications Authority (Nkom). These authorities oversee compliance with the rules, investigate potential violations, and have the power to impose penalties or fines for non-compliance.
When does the E-Com Act take effect?
The law is enforced starting January 1, 2025.
What is the Norwegian E-Com Act compliance checklist?
The Norwegian E-Com Act compliance checklist is a guide to help businesses align with the updated Norwegian Electronic Communications Act, effective January 1, 2025. It emphasizes obtaining explicit user consent for non-essential cookies, providing clear information about data collection practices, and ensuring transparency to protect user privacy on your website or app.
What are the key requirements in the Norwegian E-Com Act compliance checklist?
The key requirements in Cookie Information’s Norwegian E-Com Act compliance checklist include:
Explicit consent: Users must actively opt in to non-essential cookies; pre-ticked boxes or implied consent are no longer acceptable.
Transparency: Clearly inform users about the types of cookies used, the data collected, their purposes, and who will process the information.
Granular consent options: Allow users to consent to different categories of cookies separately, enabling specific choices about their data.
Ease of withdrawal: Users should be able to withdraw or modify their consent as easily as it was to give.
Documentation: Store all user consents securely to demonstrate compliance if audited.
Can Cookie Information help me with compliance with Norway cookie law?
Yes, Cookie Information offers consent solutions for compliant cookie banners that can help your business implement and maintain compliance with the Norwegian E-Com Act.
What does Datatilsynet’s new E-Com compliance guidance mean for websites?
The rules themselves haven’t changed – the updated E-Com Act that took effect in January 2025 still applies.
What Datatilsynet’s new guidance does is make those rules easier to understand and apply in practice. It gives website owners and marketers concrete examples of what valid cookie consent looks like and helps you spot where your current setup might fall short.
Think of it as a manual for staying compliant – especially helpful if you’re unsure whether your consent banner, cookie categorization, or tracking tools meet the standard.
If you haven’t reviewed your website’s data privacy setup yet, now’s the time.
