
6 things to know about cookies and Swedish law

Cookies – what are the rules really in Sweden? We asked Swedish lawyer Emilia Larson from Delphi law firm 6 key questions about cookies and consent.

Cookies? Why do you need to collect valid cookie consent?

It can be confusing to know exactly how to navigate the European and Swedish laws when all you want to do is measure the performance of your website and ads.

Unfortunately, not being on top of the rules on cookies can cost your business quite a lot of money if you end up in an inspection by the Swedish Data Protection Authority, Integritetsmyndigheten.

So, here are 6 key insights from privacy lawyer Emilia Larson from Delphi law firm on how to obtain valid consent to cookies in Sweden.

3 quick pieces of advice from lawyer Emilia Larson

  • Know what cookies you are using.
  • Know the rules for using cookies and other tracking technologies.
  • Make sure you collect valid GDPR consent by using a professional cookie banner.

Which cookies am I using?

1) Why is it relevant to know about the cookie rules?

Since it is very easy to see whether your website is GDPR cookie compliant or not, Emilia Larson highlights 4 major reasons you should concern yourself with the Swedish cookie law.

• Cookies are a hot topic

Cookies are a hot topic right now. Not only because both Google and Apple are becoming serious about privacy, but also because an entire movement is now focusing on how the data that cookies collect invades user privacy.

Recently, Austrian lawyer Max Schrems and privacy organization noyb.eu filed 560 draft complaints to major European companies for using non-compliant cookie banners.

10,000 more complaints are being made and are ready to be sent to the authorities if cookie banners are not brought into GDPR compliance.

LINK: Privacy Group NOYB challenges businesses’ unlawful cookie banners

• More decisions and sanctions

Data Protection Authorities like the French CNIL and the Danish Datatilsynet are very proactive in finding companies that do not meet the GDPR guidelines for collecting consent to cookies.

This results in both fines and sanctions.

 

| Country | Company | Issue | Fine € |
|---|---|---|---|
| France | Google | Placing marketing cookies without users’ consent | €100M |
| France | Amazon | Setting cookies without users’ consent and for not informing about the purpose of these cookies | €35M |
| France | Carrefour | Failing to obtain users’ consent before setting advertising cookies | €2.250.000 |
| Spain | Vueling | Unlawful use of cookies on website | €30.000 |
| Belgium | Jubel.be | Lack of transparent information in cookie banners | €15.000 |

The CNIL hands out millions of euros in fines, especially to Google and Amazon, but is also targeting smaller company websites in its latest sweep.

LINK: CNIL begins to enforce cookie rules

• Many companies forgot about cookies during the GDPR project

After May 2018, when everyone was concerned about permission to store email lists, cookie compliance was forgotten.

And national guidelines didn’t help a lot at the time.  

It is becoming evident now, Emilia Larson says. We are getting flooded with questions on how to obtain valid consent for cookies. 

And cookie compliance is being taken very seriously by the EU. 

We saw that when the European high court ruled against German online lottery Planet49 and set new standards for how to collect valid consent to cookies.

LINK: EU court: Using cookies requires user consent

• New regulations coming up

Something is cooking in the EU.

A new ePrivacy Regulation (new European cookie law) is being made and approved this year.

The ePrivacy Regulation will become the pan-European set of rules on using cookies on websites. No more confusing national guidelines to care about.

LINK: What is ePrivacy?

2) What are cookies really?

Basically, a “cookie” is an umbrella term for all techniques and tracking technologies that can access and store information on a user’s device.

That is, read and write small data files on your computer!

Image of a cookie through a magnifying glass with text: cookies often collect personal data.

Cookies basically do one of two things: they can improve your visitors’ experience of your website, or they can track your users across your site and across the internet.

They do that by collecting and storing large amounts of information about your website visitors and their behavior.

Therefore, the rules for consent also include ‘trackers’, ‘pixels’, ‘browser fingerprinting’, etc.   

LINK: What is a cookie?

3) What are the Swedish cookie rules?

When using “cookies”, the LEK applies. The LEK is the Swedish Law on Electronic Communication (Lag (2003:389) om Elektronisk Kommunikation).

The rules are adopted from the European ePrivacy Directive from 2002.

Information may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if the subscriber or user is given access to information about the purpose of the processing and consents to it.

.. to store information or to gain access to information (..) is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information (..) and is offered the right to refuse…

But what does all this mean, Emilia Larson from Delphi asks.

It means that you must ask your users for permission to use cookies.

Why? Because cookies can store and gain access to information on your users’ computers.

This applies to both the first-party cookies you use and all the third-party services you may use, e.g., Google Analytics, Facebook Pixel, Hotjar, LinkedIn’s insight tag, Hubspot, Salesforce etc.

4) How does the GDPR come into play?

Most people associate cookie banners with the GDPR.

And yes, we have seen a lot of banners on the internet after May 2018.

But the GDPR only mentions cookies once.

However, the GDPR applies when the data that cookies collect is processed.

Cookies in themselves are not personal data, Emilia Larson continues, but the information they collect often is.

And most third-party cookies collect users’ personal data to create user profiles to better target ads to them.

You know, like when you search for hotels in Lisbon and suddenly you see a lot of ads on Facebook for hotels. In Lisbon.

The processing of this information requires consent, and this is where the GDPR comes into play.

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

So, if you use cookies, you need to collect valid consent. And you need to be able to document all users’ consents if the Swedish Data Protection Authority wants to see them.

LINK: What is the GDPR?

5) What is personal data?

Personal data in the GDPR is anything that can directly or indirectly (combined with other tracking information) identify a person.

That can be:

  • IP address
  • Geo-location
  • User-ID
  • Device-ID
  • Email address
  • And much more!

But you may say: I don’t collect or process any personal data!

No, but many of the cookies that third-party providers – like Google – set through your website do. And you are responsible for collecting the consent. Because you are the data controller.

LINK: What is a data controller under the GDPR?

6) How can you check which cookies you use?

You may use wonderful services like Google Analytics or Hotjar to measure your website’s performance.

Or you may use Facebook and LinkedIn pixels to measure your ads’ performance.

All these services set cookies or use pixels to track your users’ behavior across the internet.

It’s easy to see which cookies your site uses.

Go to your website in incognito mode –> double click anywhere on the page –> choose Inspect –> Go to “Application” in the newly opened menu bar in the inspect mode –> choose “cookies” in the sidebar menu of the inspect menu and there you go.

Image showing a list of cookies in a browser using inspect function
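
The same inventory can be built from the response headers of a first page load, which also covers HttpOnly cookies that page scripts cannot read. The following is an added example, not part of the original post: it parses constructed `Set-Cookie` headers for the hypothetical site shop.example and reports each cookie's domain, first- or third-party status, lifetime and HttpOnly flag. All host names and cookie values are assumptions.

```javascript
// Constructed sample: Set-Cookie headers seen on the first page load of the
// hypothetical site shop.example, before any consent choice was made.
const SAMPLE = [
  { host: "shop.example", header: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "shop.example", header: "_visitor=GA1.2.111.222; Domain=.shop.example; Max-Age=63072000; Path=/" },
  { host: "tracker.example.net", header: "uid=9f8e7d; Domain=.example.net; Max-Age=7776000; Secure; SameSite=None" },
];

// Parse one Set-Cookie header into its name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified test: equal hosts, or one is a dot-suffix of the other.
// (A real audit would compare registrable domains via the Public Suffix List.)
function isFirstParty(cookieDomain, siteHost) {
  return cookieDomain === siteHost ||
    cookieDomain.endsWith("." + siteHost) || siteHost.endsWith("." + cookieDomain);
}

function auditCookies(siteHost, responses) {
  return responses.map(({ host, header }) => {
    const c = parseSetCookie(header);
    // Without a Domain attribute the cookie belongs to the responding host.
    const domain = (c.attrs.domain || host).replace(/^\./, "");
    const maxAge = c.attrs["max-age"];
    return {
      name: c.name,
      domain,
      party: isFirstParty(domain, siteHost) ? "first" : "third",
      // Only Max-Age is read; cookies without it are reported as 0 days.
      lifetimeDays: maxAge ? Math.round(Number(maxAge) / 86400) : 0,
      httpOnly: c.attrs.httponly === true,
    };
  });
}

console.table(auditCookies("shop.example", SAMPLE));
```

Any row marked "third", or with a long lifetime, that appears before the visitor has made a consent choice is one to review against the rules above.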

We can also support you with a professional check.

We’ll go through your site manually and search for cookies, trackers, and risks to your GDPR compliance.

LINK: Get a free check of your website’s cookie compliance

But let’s finish off with a checklist for how you can collect valid consent to cookies.

Checklist for collecting valid consent to cookies
