Norwegian cookie guidelines

What are the rules for using cookies in Norway? And how do you collect valid consent to cookies? Here’s everything you need to know about the Norwegian cookie guidelines.

What are the Norwegian cookie guidelines?

In Norway, the use of cookies are regulated by two legal frameworks:

The E-com Act is the national implementation of EU’s ePrivacy Directive, while the Personal Data Act implements the provisions from the GDPR — because even though Norway is not part of the EU, the country is still part of the EEA, meaning the GDPR still applies.

While this legal setup is quite common, there’s been some confusion around which of the two frameworks you should rely on in different contexts.

And why is that?

It all starts with the E-com Act.

The Electronic Communications Act

The Electronic Communications Act concerns the use of cookies and other tracking technologies, i.e., storing information and gaining access to information on the end user’s device.

The Norwegian Communications Authority (Nkom) supervises compliance with the Electronic Communications Act.

§ 2-7b of the Electronic Communications Act states the following:

The storage of data in the user’s communication equipment, or gaining access to such data, is not permitted unless the user has been informed of what data is being processed, the purpose of the processing, who is processing the data, and has consented to this. The first point is not an obstacle for technical storage of or access to data:

  1. solely for the purpose of transmitting communication in an electronic communications network
  2. necessary for the provision of an information society service at the explicit request of the user.

So, the bottom line is that you’re required to inform your users of the cookies you use, and obtain user consent.

For a cookie consent to be valid under the E-com Act, it must contain clear information about:

  • Which cookies you use.
  • What information/data they collect and process.
  • What the purpose of data processing is.
  • Who processes the information.

But, there are two scenarios where you don’t need to obtain user consent:

  • Setting functional/essential cookies (such as shopping cart cookies, login cookies etc.).
  • When accessing information the user has explicitly requested.

Confusion regarding pre-set consents

When it comes to consent, Norway is a bit of an outlier.

Because the E-com Act allows you to rely on passive consent mechanisms, such as pre-set consents in the web browser’s settings.

Specifically, in the E-com Act Section 2-7b, which implements the ePrivacy Directive Article 5 (3), the definition of “consent” is different from the one in the Norwegian Personal Data Act (the national implementation of GDPR).

For instance, in the case against German lottery website Planet49, the Court of Justice of the European Union (CJEU) concluded that “consent” in relation to the ePrivacy Directive Article 5 (3) should align with the definition found in Article 4 (11) of the GDPR.

The CJEU explicitly concluded that a consent is not valid when it has been obtained via a pre-ticked checkbox.

So Norway has different rules than the rest of the EU, which has created confusion amongst website administrators.

In 2020, the Nkom released a guide on cookies, recommending that website administrators obtain user consents in line with the GDPR when in doubt about the requirements.

Although the rules have not officially changed, they might soon.

Proposed changes to the E-com Act

On 12 April 2024, The Norwegian Ministry of Digitalisation and Public Governance submitted a proposal for a new E-com Act.

The proposal stipulates that a cookie consent must fulfill the same requirements as under the GDPR to be valid.

This means that you can no longer rely on passive consent if the new proposal is put into effect.

The Personal Data Act

The Personal Data Act concerns the processing of personal data.

Compliance with the Personal Data Act is supervised by the Norwegian Data Protection Authority (Datatilsynet).

The Personal Data Act applies when the cookies you use collect personal data from your end users. For example via cookies from services like Google Analytics, Facebook, Instagram, LinkedIn or any other third-party.

In such cases, the consent requirements are aligned with those of the GDPR.

What is a valid GDPR consent?

According to Article 4 (11) in the GDPR valid consent is:

  • Freely given: You must give your visitors the option to accept or decline consent to cookies.
  • Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time.
  • Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long they are stored.
  • Unambiguous: Your visitor must actively consent by clicking a box/button in your cookie banner.

According to the GDPR, as the website owner, you are the data controller, therefore you must collect and document valid consent.

How do you comply with the Norwegian rules for cookies?

To comply with the Norwegian E-com Act and Personal Data Act when using cookies on your site, make sure you follow these steps:

  • Inform your users of the cookies you use
    Inform your users about which cookies you use on your website, who owns the cookies (third parties), what data they collect, for what purpose, and for how long (lifespan).
  • Obtain active user consent for your use of cookies
    Consents should be in line with the GDPR requirements; you must give users the option to accept or decline cookies, and users must do so actively for the consent to be valid.
  • Collect valid consent before setting cookies
    You must obtain valid consent from those visiting your website or app before using any cookies, except for technically necessary ones.
  • Granular consent preferences
    You don’t have to collect consent for every single cookie, but you are required to collect consent by purpose/category. That is one consent for every main purpose (functional, statistics, marketing).
  • Withdraw or change consent
    Users must be able to change or withdraw consent to cookies and tracking as easy as it was to give.
  • Document and store all user consents
    You should document and store all your users’ consents to cookies so you can document to the Data Protection Authorities that you have collected valid consent. Should you be subject to an audit, you need this documentation to prove you have lawfully collected and processed data.

How do I collect consents on my website?

With a Consent Management Platform (CMP) like Cookie Information’s, you can easily collect and document valid user consents to ensure your compliance with the E-com Act and the Personal Data Act.

It gives you a cookie banner and pre-built cookie policy, providing your users with all the information they need to give their informed consent. Granular consent options and a cookie banner widget gives your users full control over their consent preferences at all times.

Through the seamless integration with Google’s Consent Mode v2 you can gain additional insights when users reject cookies; use these additional insights to improve your reporting, attribution, and bidding strategies.

Ultimately Cookie Information’s CMP enables you to protect user privacy without compromising your marketing goals. And right now, you can test it out for 30 days – completely free, no strings attached.
Get started here