Blog

3 things to know about cookies and Swedish law

Cookies – what are the rules in Sweden? We asked lawyer Emilia Larson from Delphi law. She gave 3 pieces of advice about cookies and consent.

It can be confusing to know exactly how to navigate the European and Swedish laws, when all you want to do is to measure the performance of your website and ads.

So, here are 3 quick pieces of advice from privacy lawyer Emilia Larson from Delphi law firm on how to obtain valid consent to cookies in Sweden.

3 quick pieces of advice from lawyer Emilia Larson

  • Know what cookies and tracking technologies.
  • Know the rules for using cookies and processing personal data.
  • Know what cookies you use [checklist].

Take a sneak preview on which cookies you’re using?

1) Why is it relevant to know about the cookies and tracking technologies?

Emilia Larson highlights 4 major reasons you should concern yourself with the Swedish cookie law.

• Cookies are a hot topic

Cookies are a hot topic right now.

Recently, Austrian lawyer Max Schrems and privacy organization noyb.eu filed 560 draft complaints to major European companies for using non-compliant cookie banners.

10,000 more complaints are being made and are ready to be send to the authorities if cookie banners are not brought into GDPR compliance.

LINK: Privacy Group NOYB challenges businesses’ unlawful cookie banners

Cookies have become much more relevant. We see more decisions, more sanctions, authorities are looking at this . We have had EU judgements regarding how to use cookies and consents.

Emilia Larson, Delphi Law

• More decisions and sanctions

Data Protection Authorities like the French CNIL and the Danish Datatilsynet are very proactive in finding companies that do not meet the GDPR guidelines for collecting consent to cookies.

This results in both fines and sanctions.

 

CountryCompanyIssueFine €
FranceGooglePlacing marketing cookies without users’ consent€100M
FranceAmazonSetting cookies without users’ consent and for not informing about the purpose of these cookies€35M
FranceCarrefourFailing to obtain users’ consent before setting advertising cookies€2.250.000
SpainVuelingUnlawful use of cookies on website€30.000
BelgiumJubel.beLack of transparent information in cookie banners€15.000

This data is available on GDPR enforcement tracker

The CNIL has handed out millions of euros in fines to especially Google and Amazon but are also targeting smaller company websites in their latest sweep.

LINK: CNIL begins to enforce cookie rules

• Many companies forgot about cookies during the GDPR project

After May 2018, where everyone was concerned about permission to store email lists, cookie compliance was forgotten.

From my point of view, a lot of companies and organizations forgot about cookies during the GDPR project.
This is becoming evident now. We are getting flooded with questions on how to obtain valid consent for cookies.

Emilia Larson, Delphi Law

But cookie compliance is being taken very seriously by the EU. 

We saw that, when the European high court ruled against German online lottery Planet49 and clarified the rules for how to collect valid consent to cookies.

LINK: EU court: Using cookies requires user consent

• New regulations coming up

Something is cooking in the EU.

A new ePrivacy Regulation (new European cookie legislation) is being made and approved this year.

The ePrivacy Regulation will become the European set of rules on using cookies on websites and it will apply for all member states.  

Link: What is ePrivacy?

2) Know the rules for using cookies

Today we already have a Swedish cookie regulation.

In Sweden we have the Lagen om Elektronisk Kommunikation - LEK. 

Are we required to inform about using cookies, she askes? Yes! is the answer. 

Emilia Larson, Delphi Law

So here’s a brief overview of what cookies are and what the rules for using cookies are. 

• What are cookies really?

Cookies are to be understood in quite a broad sense.

Basically, a “cookie” is an umbrella term for all techniques and tracking technologies that can access and store information on a user’s device.

That is “cookies”, “pixels”, “trackers”, “plug-ins”.

Image of a cookie through a magnifying glass with text: cookies often collect personal data.

• What are the Swedish cookie rules?

When using “cookies”, the LEK applies. The LEK is the Swedish Law on Electronic Communication (Lag (2003:389) om Elektronisk Kommunikation).

The rules are adopted from the European ePrivacy Directive from 2002.

Uppgifter får lagras i eller hämtas från en abonnents eller användares terminalutrustning endast om abonnenten eller användaren får tillgång till information om ändamålet med behandlingen och samtycker till den.

.. to store information or to gain access to information (..) is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information (..) and is offered the right to refuse…

It means that you are required to inform your user about using cookies.

Why? Because cookies can store and gain access to information on your users’ computer.

This applies for both the first-party cookies you use and all the third-party services you may use, e.g., Google Analytics, Facebook Pixel, Hotjar, LinkedIn’s insight tag, Hubspot, Salesforce etc.

• How does the GDPR come into play?

Most people associate cookie banners with the GDPR.

And yes, we have seen a lot of banners on the internet after May 2018.

When looking at cookies, both the LEK and the GDPR apply at the same time. They are supplementing each other. 

Why? Because cookies process personal data. Cookies are just a technique, not personal data in themselves. 

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

• What is personal data?

Now that you know what cookies you’re using and what the rules are, now comes the question of personal data. 

Personal data in the GPDR is anything that can directly or indirectly (combined with other tracking information) identify a person.

That can be:

  • IP address together with other information
  • Geo-location
  • User-ID
  • Device-ID
  • Email address
  • And much more!

But you may say: I don’t collect or process any personal data!

No, but many of the cookies that third-party providers – like Google – set through your website do. And you are responsible for collecting the necessary consent. 

LINK: What is a data controller under the GDPR?

• How can you check which cookies you use?

You may use services like Google Analytics or Hotjar to measure your website’s performance.

Or you may use Facebook and LinkedIn pixels to measure your ads’ performance.

All these services set cookies or use pixels to track your users’ behavior across the internet.

If you want to see which cookies a website use, here’s a short guide from team Cookie Information. 

Go to your website in incognito mode –> double click anywhere on the page –> choose Inspect –> Go to “Application” in the newly opened menu bar in the inspect mode –> choose “cookies” in the sidebar menu of the inspect menu and there you go.

Image showing a list of cookies in a browser using inspect function

LINK: Get a free check of your website’s cookie compliance

But let’s finish off with a checklist for how you can collect valid consent to cookies.

3) Know what cookies you use [checklist].

A question Emilia Larson always asks early on in a cookie project is: 

  • Are you using all this tracking your cookies collect?

If you feel like you have no clue about what you're doing about cookies, well that has been the case for quite a few companies.

And in the spring, we have seen quite a lot of authorities being asked by newspapers: You're using Google Analytics and other services, so you're sending IP-adresses to the US. And the answer for many was: Well, we didn't know that. 

Emilia Larson, Delphi Law

So, Emilia Larson highlights questions to ask yourself when using cookies. 

  • Who is responsible for the cookies you use?
  • What shall you inform about? 
  • What are you allowed to do? 
  • What do you need consent for? 
  • How do you accommodate the right of the visitor?

If you need legal advice about the cookies you have on your website, you can always get in contact with Emilia Larson.

Or you can go this short checklist to discover, if your current cookie banner is compliant with LEK and the GDPR. 

Checklist for collecting
valid consent to cookies

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on email
Email

No credit card needed

Start your free trial

250,000 clients already trust us with their website's cookie compliance ​

Is your website GDPR cookie compliant?

We'll give you the answer quickly - completely free
Free Webinar

How to perform GDPR compliant analytics and digital marketing

The guide to cookie consent in Sweden, Norway & Finland