What are the Norwegian cookie guidelines?

In Norway, the use of cookies are regulated by two legal frameworks:

The E-com Act is the national implementation of EU’s ePrivacy Directive, while the Personal Data Act implements the provisions from the GDPR — because even though Norway is not part of the EU, the country is still part of the EEA, meaning the GDPR still applies.

While this legal setup is quite common, there’s been some confusion around which of the two frameworks you should rely on in different contexts.

And why is that?

It all starts with the E-com Act.

The Electronic Communications Act

The Electronic Communications Act concerns the use of cookies and other tracking technologies, i.e., storing information and gaining access to information on the end user’s device.

The Norwegian Communications Authority (Nkom) supervises compliance with the Electronic Communications Act.

§ 2-7b of the Electronic Communications Act states the following:

The storage of data in the user’s communication equipment, or gaining access to such data, is not permitted unless the user has been informed of what data is being processed, the purpose of the processing, who is processing the data, and has consented to this. The first point is not an obstacle for technical storage of or access to data:

  1. solely for the purpose of transmitting communication in an electronic communications network
  2. necessary for the provision of an information society service at the explicit request of the user.

So, the bottom line is that you’re required to inform your users of the cookies you use, and obtain user consent.

For a cookie consent to be valid under the E-com Act, it must contain clear information about:

But, there are two scenarios where you don’t need to obtain user consent:

Confusion regarding pre-set consents

When it comes to consent, Norway is a bit of an outlier.

Because the E-com Act allows you to rely on passive consent mechanisms, such as pre-set consents in the web browser’s settings.

Specifically, in the E-com Act Section 2-7b, which implements the ePrivacy Directive Article 5 (3), the definition of “consent” is different from the one in the Norwegian Personal Data Act (the national implementation of GDPR).

For instance, in the case against German lottery website Planet49, the Court of Justice of the European Union (CJEU) concluded that “consent” in relation to the ePrivacy Directive Article 5 (3) should align with the definition found in Article 4 (11) of the GDPR.

The CJEU explicitly concluded that a consent is not valid when it has been obtained via a pre-ticked checkbox.

So Norway has different rules than the rest of the EU, which has created confusion amongst website administrators.

In 2020, the Nkom released a guide on cookies, recommending that website administrators obtain user consents in line with the GDPR when in doubt about the requirements.

Although the rules have not officially changed, they might soon.

Proposed changes to the E-com Act

On 12 April 2024, The Norwegian Ministry of Digitalisation and Public Governance submitted a proposal for a new E-com Act.

The proposal stipulates that a cookie consent must fulfill the same requirements as under the GDPR to be valid.

This means that you can no longer rely on passive consent if the new proposal is put into effect.

The Personal Data Act

The Personal Data Act concerns the processing of personal data.

Compliance with the Personal Data Act is supervised by the Norwegian Data Protection Authority (Datatilsynet).

The Personal Data Act applies when the cookies you use collect personal data from your end users. For example via cookies from services like Google Analytics, Facebook, Instagram, LinkedIn or any other third-party.

In such cases, the consent requirements are aligned with those of the GDPR.

What is a valid GDPR consent?

According to Article 4 (11) in the GDPR valid consent is:

According to the GDPR, as the website owner, you are the data controller, therefore you must collect and document valid consent.

How do you comply with the Norwegian rules for cookies?

To comply with the Norwegian E-com Act and Personal Data Act when using cookies on your site, make sure you follow these steps:

How do I collect consents on my website?

With a Consent Management Platform (CMP) like Cookie Information’s, you can easily collect and document valid user consents to ensure your compliance with the E-com Act and the Personal Data Act.

It gives you a cookie banner and pre-built cookie policy, providing your users with all the information they need to give their informed consent. Granular consent options and a cookie banner widget gives your users full control over their consent preferences at all times.

Through the seamless integration with Google’s Consent Mode v2 you can gain additional insights when users reject cookies; use these additional insights to improve your reporting, attribution, and bidding strategies.

Ultimately Cookie Information’s CMP enables you to protect user privacy without compromising your marketing goals. And right now, you can test it out for 30 days – completely free, no strings attached.