Understanding the 2025 Norwegian E-Com Act update: Interview with Jan Sandtrø, tech law expert

Tech law expert Jan Sandtrø breaks down the new 2025 version of the Norwegian Electronic Communications Act, offering practical insights on cookie compliance, valid consent, and strategies to comply with the stricter requirements.

As the updated 2025 Norwegian E-Com Act (Norwegian Electronic Communications Act, also known as Ekom) took effect on January 1, 2025, businesses across industries are racing to adapt to stricter consent requirements. But what do these changes really mean for your organization? To provide clarity and actionable guidance, we turned to Jan Sandtrø, an independent lawyer specializing in legal technology, digitalization, personal data/privacy, and marketing law, among other fields.

In this interview, Jan delves into the legal nuances of the new E-com Act, offering practical advice for businesses of all sizes. Dive into the Q&A to learn how to prepare your business for the new law.

Jan Sandtrø
Lawyer, MNA

Can you introduce us to the 2025 E-Com Act update? What is it about, why is it being introduced now, and what is its overarching goal?

The E-Com Act 2025 is Norway’s response to growing concerns about user privacy and the misuse of tracking technologies like cookies. At its core, the updated Act aims to give Norwegian users – data subjects – more control over their personal data and ensure transparency in how businesses collect and process it. 

The timing aligns with a global push toward stricter consent requirements, building on the foundation of the General Data Protection Regulation (GDPR) and better aligning Norwegian legislation with the ePrivacy Directive.

The law addresses long-standing gaps in aligning the Norwegian cookies consent regulation with the EU regulation, particularly with outdated practices like implied consent or insufficient cookie disclosures.

Its broader goal is to create a digital ecosystem where users can trust that their data is handled responsibly while businesses operate transparently. 

By enforcing explicit consent and holding organizations accountable, the updated Norwegian Electronic Communications Act reflects a global trend toward prioritizing privacy as a fundamental right.

What qualifies as "explicit consent," and how can companies ensure their consent management platforms meet this standard?

Explicit consent under the 2025 E-Com Act update requires that users actively and knowingly agree to the use of cookies or other online tracking technologies. This means no pre-ticked boxes, implied consent, or vague language. 

You must ensure users can make granular consent options, such as accepting or rejecting specific cookie categories (e.g., marketing or analytics). 

Clear explanations about the purpose of each cookie, written in plain language, are critical. For example, “We use analytics cookies to improve site functionality” is compliant, while “We use cookies for your convenience” is too ambiguous.

What nuances of the 2025 Norwegian E-Com law update should businesses pay special attention to, beyond the basics of cookie consent?

According to the new Act, the use of all cookies – except for “strictly necessary cookies” – requires valid consent, and the consent shall be in accordance with the GDPR consent requirements. 

This places a strong emphasis on the granularity of consent and the information given by using the consent and the personal data processing that’s collected through the use of cookies. You should ensure users can accept or reject cookies by category (e.g., marketing, analytics) and provide information on the cookies used.

Another nuance is the expectation that users should be able to withdraw consent just as easily as they give it. This means prominently placed “manage cookies” options on every page.

What are the legal best practices for drafting a compliant cookie policy under the new E-Com Act update?

A compliant cookie policy under the 2025 E-Com Act update should include detailed information on the types of cookies used, their purposes, the duration of data storage, and whether third parties have access to the consumer data.

The policy must be easily accessible, written in clear, non-technical language, and updated regularly to reflect practice changes. Integrating automatic updates through tools like consent management platforms (CMPs) ensures accuracy and compliance.

You should also provide links to manage consent preferences directly from the policy. In addition, the cookie policy, or the privacy notice, shall include information on what personal data is collected by the use of cookies and how this data is processed.

“Businesses must ensure their vendors comply with the 2025 E-Com Act update and GDPR.”

— Jan Sandtrø

What legal risks do companies face when relying on third-party cookie vendors?

Using third-party vendors introduces shared legal responsibility for data protection. Businesses must ensure their vendors comply with the new Norwegian law update and GDPR. This involves conducting thorough due diligence, maintaining data processing agreements (DPAs), and regularly auditing vendor practices. 

If a vendor fails to comply, the business may still be held liable, emphasizing the need for careful selection and oversight of third-party providers.

What are the legal risks for companies that fail to comply with the Norwegian E-Com Act 2025 update?

The Norwegian regulatory authorities, including Datatilsynet (Norwegian Data Protection Authority) and Nkom (Norwegian Communications Authority), can impose sanctions, such as fines for non-compliance. 

Beyond financial repercussions, businesses risk reputational damage and public scrutiny, especially for repeat violations. Ignorance of the law is not considered a valid defense, so proactive compliance is essential.

What steps should a company take to demonstrate compliance during an audit?

To prepare for an audit, you should maintain detailed records of user consents, including timestamps, cookie categories, and purposes. You should also regularly review and update your website’s privacy and cookie policies to reflect any changes in data collection practices or the law, and ensure you’re obtaining valid consent in a transparent and verifiable way.

A comprehensive framework for compliance and robust tools, such as a cookie banner integrated with analytics systems, can streamline the audit process and demonstrate your commitment to the law.

What specific challenges do international companies face when complying with the E-Com Act, and how can they address them?

International companies targeting Norwegian users must align their cookie practices with the updated E-Com law, even if their primary operations are outside Norway. This includes ensuring your cookie consent banners meet Norwegian standards and that you process personal data within GDPR’s and the new law’s guidelines.

Challenges often arise from conflicting regulations across jurisdictions, but implementing tailored cookie banners for Norwegian users and leveraging localization strategies can address these complexities.

You should also evaluate your data transfer agreements in 2025 to ensure compliance with both GDPR and the updated E-Com Act. Collaborating with legal experts familiar with Norwegian law can provide valuable guidance in navigating these complexities.

What types of websites or industries are most impacted by the changes imposed by the new E-Com Act in Norway?

The new Act update significantly impacts websites and industries that rely heavily on user data for personalization, tracking, and analytics. This includes:

  1. Ecommerce platforms:
    These websites often use cookies for personalized shopping experiences, retargeting ads, and abandoned cart recovery, all of which require explicit user consent under the new rules.
  2. Media and news outlets:
    These sites frequently use cookies for content personalization, audience analytics, and subscription tracking. Compliance will involve rethinking how cookies are deployed and ensuring users have clear consent options.
  3. Travel and hospitality websites:
    Platforms like booking engines and travel agencies often use cookies for dynamic pricing, user preferences, and retargeting, which are now subject to stricter requirements for obtaining user consent.
  4. Social media and content-sharing platforms:
    These rely on extensive tracking for user engagement, advertising, and algorithmic content delivery. They will need robust consent mechanisms to continue operating within the law.
  5. SaaS (software as a service) platforms:
    Many SaaS providers use cookies for user analytics, onboarding, and feature usage tracking. Explicit, informed consent is now required for all cookies except for strictly necessary ones.

In essence, any industry that uses cookies for purposes beyond basic and strictly necessary functionality – such as marketing, personalization, or tracking – is significantly impacted and has been at risk since 1 January 2025 if it hasn’t yet adapted to the new rules.

How should ecommerce platforms adapt their cookie practices to comply with the updated Norwegian E-Com Act from 2025?

As I mentioned above, ecommerce platforms often utilize cookies for personalized shopping experiences, tracking user behavior, cart functionalities, and targeted advertising – and don’t forget that in these cases Google Consent Mode v2 also applies. 

Under the 2025 Norwegian Electronic Communications Act update, they must obtain explicit consent for non-essential cookies, such as those used for marketing or analytics, before they’re fired. 

Essential cookies, necessary for basic, necessary site functions like shopping carts, may not require consent but should also be clearly disclosed in the cookie policy. 

Implementing a comprehensive consent management platform can help ensure compliance by offering, for example, a customized cookie policy text, or control over which cookies are fired and when.

How does the updated E-Com Act impact mobile apps differently than traditional websites, and what steps should app developers take to ensure compliance?

Mobile apps often access device information and use tracking technologies similar to cookies. The 2025 E-Com Act requires that users provide explicit, informed consent for any data collection beyond what is strictly necessary for the app’s core functionality, regardless of the technology and platform the cookies (or similar technology) use.

App developers should implement in-app consent mechanisms that clearly explain data collection purposes and allow users to manage their preferences easily. Additionally, apps should present users with privacy and cookie policies in a transparent and readily accessible way.

What are the legal implications of combining consent data across platforms (e.g., website and mobile app)?

Synchronizing consent data across platforms requires careful handling to ensure user preferences are respected everywhere. So, businesses must explicitly inform users if their cookie consent applies to multiple platforms and provide options for managing preferences individually.

Improper synchronization could lead to non-compliance if users feel their rights are infringed. Implementing centralized consent management tools that comply with the updated E-Com Act is essential.

What are the legal boundaries for designing cookie banners that are both compliant and user-friendly?

Consent banners and cookie policies must be designed to accommodate all users, including those with disabilities. This means ensuring compatibility with screen readers, providing keyboard navigation, and using clear, readable text.

Cookie consent banners should be visually appealing, accessible, and provide easy-to-understand information about cookies. Respecting user autonomy also requires avoiding dark patterns, such as making the “accept all” button more prominent than “reject all.”

Allowing users to manage preferences at any time through persistent links also enhances trust and ensures compliance. Non-compliance with accessibility laws could result in additional legal liabilities beyond the 2025 E-Com Act requirements. Organizations can balance these elements by working closely with legal and UX design teams.

Who holds legal responsibility for ensuring compliance with the new E-Com Act requirements within an organization?

Legal responsibility for compliance typically falls on the organization using the cookies, with the general manager/CEO or equivalent as the person responsible. Still, key roles are involved: executives for strategic direction, IT teams for technical implementation, and marketing for user-facing elements like cookie banners.

Having a designated person responsible for privacy, or a DPO if necessary, or a privacy team ensures accountability and centralized oversight. Privacy compliance should be a collaborative effort, with transparent internal processes for implementing and maintaining adherence to the updated E-Com Act.

What role do user education and communication play in data protection compliance?

User education is crucial to promote transparency and trust. Beyond implementing compliant consent mechanisms, businesses should communicate the purpose of cookies and user rights in plain, accessible language. Efforts like FAQs or in-banner explanations can reduce complaints and improve user experience. While not a strict legal requirement, proactive communication often strengthens a company’s legal position and reputation.

Are there legal trends or upcoming regulations that could further impact data privacy and cookies in Norway or Europe?

The 2025 E-Com Act signals a broader shift toward stricter data protection laws and legal frameworks that strengthen consumer rights across Europe. You can expect similar legislation to emerge in other jurisdictions, such as what’s happening in France.

One trend is the growing push for “privacy by design,” where privacy considerations are integrated into technologies from the outset. This makes consent easier for users to understand and provides better information on what the consent comprises.

In addition, the new Norwegian Electronic Communications Act and ePrivacy regulation also encompass other tracking technologies besides “traditional” cookies, so obtaining valid consent is, and will be, necessary as tracking technology evolves.

We’re also seeing discussions around the future of tracking technologies, potentially phasing out traditional tracking technologies like third-party cookies altogether and using solutions like fingerprinting or server-side tracking.

However, these methods are also under increasing scrutiny, meaning the regulatory landscape will likely continue to evolve toward stricter rules regarding privacy and user protection. 

Preparing now by investing in privacy-first technologies and focusing on first-party data ensures you remain compliant and competitive as these trends evolve.

Is your website ready for the 2025 Norwegian E-Com Act update?

With Cookie Information Cookie Banner for Websites, you can stay compliant, protect your business from financial risks, and keep your marketing performance on track.
