Swedish DPA targets dark patterns in cookie banners: is your website compliant?

Sweden’s privacy authority has issued formal warnings to major companies over misleading cookie banners that failed to meet legal standards. Learn what GDPR violations IMY found and how you can avoid fines, reputational damage, and broken user trust by getting your cookie banner right.

This Swedish 2025 ruling could change how you collect consent for cookies

If you’re managing digital marketing or website compliance targeting Swedish users, there’s a significant development you need to know about. In April 2025, Sweden’s Authority for Privacy Protection (in Swedish: Integritetsskyddsmyndigheten – IMY) issued formal criticisms against three major companies for their non-compliant cookie banners. This enforcement action serves as a clear warning for any marketer collecting data from Swedish visitors.

The issue at hand? “Dark patterns” in cookie consent flows – design techniques that steer users toward accepting tracking without genuine understanding or choice. These enforcement actions signal Sweden’s intensifying focus on ensuring genuine consent and transparent data collection practices.

In this article, we’ll break down everything you need to know to stay compliant and protect your Swedish market strategy:

  • The background: what triggered IMY’s April 2025 investigation
  • Key findings: dark patterns identified (and why they’re problematic)
  • Sweden’s cookie compliance rules in 2025 – what exactly the law requires now
  • Guidance for marketers and site owners: how to fix your cookie banners (hint: use an EU-based consent management platform (CMP) and drop the deceptive designs)
  • The bigger picture in Europe: how this Swedish crackdown aligns with a broader trend across Belgium, France, the UK and growing skepticism toward U.S.-based adtech.

See how easy cookie consent compliance in Sweden can be

A compliant, user-friendly cookie banner is just a click away. Try Cookie Information free for 14 days. No credit card required, cancel anytime.

What prompted IMY's April 2025 enforcement actions?

The IMY’s April 2025 investigations weren’t spontaneous. They stemmed from a series of individual complaints filed by users regarding cookie consent practices on several popular websites. Unlike a coordinated campaign, these actions represent the IMY’s ongoing commitment to responding to specific privacy concerns raised by individuals.

Sweden’s DPA examined whether cookie consent practices aligned with both the General Data Protection Regulation (GDPR) and Sweden’s Electronic Communications Act (ECA) – or Lagen om Elektronisk Kommunikation (LEK), in Swedish – highlighting that companies of all sizes must comply with privacy regulations, regardless of their market position or visitor numbers.

Before the April 2025 enforcement, IMY’s previous set of decisions – and fines – was released between June and December 2024 and focused on complaints from companies about Meta Pixel malfunctioning and its compliance with GDPR.

Key takeaways:

  • The April 2025 enforcement followed multiple user complaints, not a coordinated sweep.
  • IMY investigated compliance with both the GDPR and Sweden’s Electronic Communications Act (LEK).
  • Businesses of all sizes are expected to meet the same consent requirements.
  • IMY’s earlier rulings (mid–late 2024) focused on Meta Pixel compliance.

The 2025 IMY cases: who was investigated and why

The April 2025 enforcement actions specifically targeted three prominent companies operating in the Swedish market:

1. Major player in Sweden’s gambling and betting sector

Sweden’s major horse racing and betting operator was criticized primarily for its imbalanced cookie banner design. 

The IMY found that their online gambling website prominently displayed an “Accept” button in contrasting colors while relegating the “Reject” option to a less visible text link. This design asymmetry was deemed to create undue influence on user choice, steering visitors toward acceptance rather than presenting balanced options.

2. One of Sweden’s largest magazine and digital media groups

A well-known Swedish media group with several popular magazine and news sites faced criticism for multiple issues in its cookie consent implementation. The IMY specifically highlighted:

  • The use of pre-selected checkbox options for non-essential cookies
  • A multi-step process required to reject cookies (compared to a single click for acceptance)
  • Ambiguous language that obscured the consequences of cookie acceptance

The regulator determined these elements collectively constituted dark patterns designed to maximize consent rates at the expense of genuine user autonomy.

3. Global entertainment brand with a strong presence in Sweden

A major entertainment and music company with a strong presence in Sweden was not cited for dark patterns, but rather for inadequate information disclosure. The IMY found that its cookie banner failed to provide sufficiently detailed information about:

  • The specific purposes of different cookie categories
  • Which third parties would receive data through cookies
  • How long cookie data would be retained

This lack of transparency was deemed to undermine informed consent, as users couldn’t fully understand the implications of their choices.

Key takeaways:

  • Three companies in betting, media, and entertainment were formally criticized.
  • Two used dark patterns to nudge users into accepting cookies.
  • One failed to provide clear, transparent cookie information.
  • Each case highlights a different way consent can fail under GDPR.

Key findings: the dark patterns IMY identified

The IMY’s investigation uncovered several problematic design practices that undermined genuine user consent:

Asymmetrical visual hierarchy

Two of the companies implemented cookie banners with clear visual asymmetry:

  • “Accept” buttons were prominently displayed, using attention-grabbing colors (typically green or blue)
  • “Reject” options were significantly less visible – either using muted colors or appearing as plain text links
  • Size differences between accept and reject options created an imbalanced visual hierarchy

The IMY determined this design approach created an artificial “path of least resistance” toward cookie acceptance, steering user behavior through visual manipulation rather than facilitating genuine choice.

Multi-step rejection vs. one-click acceptance

The media publisher’s cookie banner was particularly criticized for implementing different user journeys based on the desired outcome:

  • Accepting all cookies required just a single click on a prominent button
  • Rejecting cookies necessitated navigating through multiple screens, toggling individual settings, and then confirming choices

This asymmetry in effort created what the IMY called “friction by design” – intentionally making rejection more cumbersome than acceptance. The regulator explicitly stated that equal effort should be required regardless of the user’s choice.

Misleading button labels and language

Both the online betting and media websites’ cookie banners used language that the IMY found misleading or manipulative:

  • Vague button labels like “I understand” instead of clear consent language
  • Text suggesting the site “wouldn’t work properly” without accepting non-essential cookies
  • Framing cookie rejection as potentially harmful to user experience

The regulator emphasized that cookie banner language must be clear, accurate, and non-manipulative – allowing users to make truly informed decisions.

Pre-selected options and hidden controls

The media website’s cookie consent banner implementation included pre-selected checkboxes for non-essential cookie categories when users accessed the preference settings.

Meanwhile, the entertainment website banner obscured important privacy controls behind additional layers of navigation. The IMY reiterated that these practices directly contradict GDPR requirements for explicit, affirmative consent and constitute clear violations of Swedish law.

Key takeaways:

  • Visually imbalanced banners (bright “Accept”, dull “Reject”) are non-compliant.
  • Rejecting cookies must not be harder than accepting them.
  • Misleading language (“I understand”, scare tactics) is flagged as manipulative.
  • Pre-checked boxes and hidden privacy controls violate GDPR.

Don’t let Sweden’s DPA IMY catch you off guard

Start a free trial of Cookie Information consent solution today and secure your cookie compliance.

Understanding dark patterns in cookie consent

The practices identified by the IMY are textbook examples of “dark patterns” – manipulative design techniques that subtly guide users toward choices that benefit the service provider rather than respecting user autonomy. But to grasp the significance of these findings, you need to understand the concept of dark patterns and why regulators are increasingly focused on eliminating them from digital interfaces.

What makes these practices "dark patterns"?

Dark patterns exploit cognitive biases and design principles to influence user behavior. In the context of cookie consent, they typically manifest as:

  • Visual hierarchy manipulation: Using size, color, and placement to make “Accept” options more prominent and appealing while de-emphasizing “Reject” options
  • Friction asymmetry: Making acceptance easy while creating additional steps, clicks, or effort for rejection
  • Misleading framing: Presenting cookie acceptance as the obvious or beneficial choice through suggestive language, or using wording that misleads users about the consequences of their choices
  • False dichotomies: Implying that website functionality will be impaired if cookies are rejected (when only essential cookies are actually required)

These techniques don’t just happen by accident – they’re often deliberately implemented to maximize consent rates, even at the expense of genuine user choice.

Why dark patterns matter for user privacy

When users are subtly pushed toward cookie acceptance without understanding the implications, the resulting consent lacks the informed quality required by the GDPR. This creates a situation where data collection occurs without the genuine awareness or agreement of the individual.

Dark patterns exploit information and power asymmetries between website operators and visitors. Most users lack a deep understanding of tracking technologies, making them vulnerable to manipulation through design techniques that exploit cognitive biases.

When users eventually realize they’ve been manipulated into consent, it damages trust in the brand and in digital services more broadly. This creates a negative cycle where users become increasingly suspicious of privacy interfaces.

The spirit of privacy regulations like the GDPR is to give individuals genuine control over their personal data. Dark patterns systematically find a way around this intent while creating the appearance of compliance.

The Swedish DPA's specific concerns

The IMY’s April 2025 enforcement actions revealed specific concerns that should guide your approach to cookie consent:

Equal prominence requirement

The IMY explicitly stated that options to accept or reject cookies must be presented with equal visual prominence. This means similar:

  • Button size
  • Color and contrast
  • Positioning
  • Typography

The regulator rejected the argument that business interests justify making acceptance more prominent than rejection.

First-layer completeness

The Swedish DPA emphasized that core cookie choices must be available on the first layer of any consent interface. While granular controls can exist on secondary layers, fundamental options to accept or reject should not require additional navigation.

Language transparency

The IMY specifically criticized euphemistic or misleading language in cookie banners. They clarified that cookie descriptions must:

  • Clearly state what data is collected
  • Identify who receives the data
  • Explain the specific purposes of processing
  • Avoid emotionally manipulative framing

Technical implementation reality

Importantly, the IMY verified whether technical implementations actually respected user choices. Having a compliant-looking banner isn’t sufficient if the underlying technology still deploys cookies despite rejection.

This focus aligns with previous guidance from other European DPAs, particularly the French CNIL and the Belgian DPA, reinforcing the continent-wide consensus against manipulative consent practices.

Create a seamless consent experience – fully compliant with IMY’s cookie banner requirements

Make it easy for users to give (or refuse) consent while keeping your website fully aligned with Swedish and EU cookie rules.

Sweden's cookie compliance requirements in 2025

To understand what your organization needs to do to avoid similar scrutiny, let’s break down Sweden’s specific requirements for cookie consent banners in 2025.

Legal framework

Sweden’s approach to cookie regulation blends two key pieces of legislation:

The General Data Protection Regulation (GDPR): establishes overarching principles for consent to personal data processing, including:

  • The requirement for lawful basis (including consent for most cookie-based processing)
  • Standards for valid consent (freely given, specific, informed, and unambiguous)
  • Principles of transparency and data minimization
  • Requirements for demonstrating accountability

The Swedish Electronic Communications Act (LEK): contains specific provisions on cookies and similar tracking technologies, requiring:

  • Prior informed consent before storing or accessing information on user devices
  • Clear and comprehensive information about cookie purposes
  • Exceptions only for “strictly necessary” cookies required for service delivery

Together, these create a comprehensive framework governing how websites must obtain consent before storing or accessing information on user devices.

Core cookie compliance requirements in Sweden

Based on the April 2025 enforcement actions and previous guidance, here are the specific requirements for cookie banners targeting Swedish users:

1. Explicit, prior consent

  • Non-essential cookies must not be deployed before users have provided affirmative consent
  • Consent must be freely given, specific, informed, and unambiguous
  • Implied consent (e.g., continued browsing) is not sufficient
  • Pre-ticked boxes are explicitly prohibited

2. Equal prominence and accessibility

  • “Accept” and “Reject” options must be presented with equal visual prominence
  • Both options must be available on the first layer of the cookie banner
  • Color, size, and placement must not nudge users toward acceptance
  • The effort required to reject cookies must not exceed that required to accept them

3. Clear and accessible information

  • Information about cookie purposes must be provided in plain, understandable language
  • Cookie categories must be clearly defined and explained
  • Information about data recipients and retention periods must be accessible
  • Details about specific cookies used must be available

4. Granular control

  • Users must have the option to consent to some cookie categories while rejecting others
  • Cookie preferences must be manageable at a granular level
  • Category-specific consent must be respected

5. Withdrawal mechanism

  • Users must be able to withdraw consent as easily as they gave it
  • A persistent mechanism to access and modify cookie preferences must be available
  • Withdrawal must be possible without detriment to the user

Key takeaways:

  • Consent must be explicit, informed, and given before cookie use.
  • Rejecting cookies must be just as easy as accepting.
  • Cookie purposes, recipients, and durations must be explained.
  • Users need a simple way to withdraw consent at any time.

Consequences of non-compliance

The IMY has shown its willingness to enforce these requirements through formal criticism, which can escalate to more serious consequences:

  • Administrative fines of up to €20 million or 4% of global annual turnover
  • Brand reputation impact from public enforcement actions and negative perception among privacy-conscious Swedish consumers
  • Potential loss of consumer trust

In addition, fixing compliance problems under emergency conditions can cause significant disruption: rushed technical implementations, diverted legal and compliance resources, and interrupted marketing campaigns.

Automate your cookie compliance in Sweden with Cookie Information’s consent solution

Easily implement a compliant cookie banner that meets IMY’s latest requirements – no setup headaches, just straightforward compliance from day one.

Summary: Compliant vs. non-compliant cookie banner features

| Feature | Compliant | Non-compliant |
|---|---|---|
| Consent options visibility | “Accept” and “Reject” buttons equally visible on first layer | “Reject” hidden in settings or less prominent than “Accept” |
| Button design | Same size, color, and position for all options | “Accept” is highlighted; “Reject” is dull or styled as a text link |
| Consent choice effort | One-click accept or reject | One-click to accept, multi-step to reject |
| Language clarity | Simple, neutral language – e.g. “Accept”, “Reject” | Vague or manipulative wording – e.g. “I understand”, “Improve your experience” |
| Pre-selected options | All non-essential cookies off by default | Consent to some categories pre-checked or enabled by default |
| Information provided | Clear explanation of purpose, data use, recipients, and retention | Missing or vague information about cookie use and third parties |
| Consent logging | Consent choices logged with timestamp and scope | No reliable consent logging or documentation |
| Withdrawal mechanism | Easy to access and update preferences at any time | No clear way to withdraw or update consent preferences |

How to make your banner compliant in Sweden (and across the EU)

If the Swedish decision has you thinking, “Is my cookie banner compliant?”, you’re asking the right question. The good news: we can distill IMY’s findings into actionable steps. Here’s a guide for tweaking your consent UI and practices to ensure they meet Sweden’s (and Europe’s) standards in 2025:

Start with a cookie consent management platform that’s designed for European compliance – not just a cookie pop-up tool. Cookie Information’s EU-based CMP stores consent data entirely in the EU, includes Swedish law–aligned templates, and keeps full logs of user choices and timestamps.

Make your “Accept” and “Reject” buttons look and feel the same – same size, same color, same position. Both options need to be right there on the first screen (the “first layer”), and users should find granular settings without digging through hidden layers.

Tip: Cookie Information’s CMP can be styled to match your brand without compromising on compliance.

Skip the buzzwords and get to the point. Tell users exactly what each cookie does, without scare tactics or vague phrases like “improve experience”. Link clearly to your cookie policy – and make sure that policy actually matches what your banner does.

Tip: Cookie Information’s CMP automates your cookie policy by keeping it up-to-date with new cookies or trackers found in your regular website scans.

Blocking cookies by default isn’t optional – it’s the law. Make sure your CMP and tag manager are set up to fire scripts only after consent, and audit regularly to make sure you’re not dropping unauthorized cookies in the background.
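The audit described above, and the check IMY itself made on whether cookies are still deployed despite rejection, can be automated. The following is an added example, not code from Cookie Information or IMY: it parses `Set-Cookie` headers captured from a fresh session after clicking “Reject” and reports every cookie that is not an allowlisted first-party one. The allowlist, domains, cookie names and captured headers are all constructed assumptions.

```javascript
// Added example: constructed data, hypothetical names throughout.
// Cookies the operator has documented as strictly necessary (assumed allowlist).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "consent_state"]);

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie. A valid Max-Age takes
// precedence over Expires, as in RFC 6265.
function lifetimeSeconds(cookie, nowMs) {
  const maxAge = cookie.attrs["max-age"];
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) return Number(maxAge);
  const expires = cookie.attrs["expires"];
  if (typeof expires === "string") {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.round((t - nowMs) / 1000);
  }
  return null;
}

// A host is first-party if it is the site domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Return every cookie that was set without consent and is not an allowlisted
// first-party cookie. Deletions (lifetime <= 0) are not findings.
function auditPreConsentCookies(responses, siteDomain, nowMs = Date.now()) {
  const findings = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    const firstParty = isFirstParty(host, siteDomain);
    for (const header of setCookie) {
      const cookie = parseSetCookie(header);
      if (!cookie) continue;
      const life = lifetimeSeconds(cookie, nowMs);
      if (life !== null && life <= 0) continue; // server is clearing the cookie
      if (firstParty && STRICTLY_NECESSARY.has(cookie.name)) continue;
      findings.push({
        name: cookie.name,
        host,
        thirdParty: !firstParty,
        lifetimeDays: life === null ? null : Math.round(life / 86400),
      });
    }
  }
  return findings;
}

// Constructed capture: responses seen after clicking "Reject" in a fresh session.
const CAPTURE_TIME = Date.UTC(2025, 3, 1); // constructed capture date, 1 April 2025
const CAPTURED_AFTER_REJECT = [
  { url: "https://www.shop.example/", setCookie: [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "consent_state=rejected; Max-Age=15552000; Path=/",
    "analytics_id=u-42; Max-Age=63072000; Path=/",
    "ad_uid=; Max-Age=0; Path=/",
  ] },
  { url: "https://px.tracker.example/collect", setCookie: [
    "ad_uid=9f1c; Expires=Thu, 01 Apr 2027 00:00:00 GMT; SameSite=None; Secure",
    "session_id=zz; Path=/",
  ] },
];

for (const f of auditPreConsentCookies(CAPTURED_AFTER_REJECT, "shop.example", CAPTURE_TIME)) {
  console.log(`${f.thirdParty ? "third-party" : "first-party"} ${f.name} from ${f.host}`);
}
```

The allowlist applies to first-party hosts only, so a third-party cookie that reuses a “necessary” name is still reported, and a `Max-Age=0` clearing header is not counted as a violation.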

Configure analytics and marketing tools to honor consent decisions and explore EU-based or cookieless options when needed. Consider A/B testing compliant banner designs to improve consent rates ethically, and create respectful marketing strategies that engage both consenting and privacy-conscious users through transparent, first-party data practices.

Tip: Cookie Information integrates seamlessly with Google Consent Mode v2, Google Tag Manager, and Piwik PRO, among other tools – making it easy to enforce user choices across your entire marketing stack while staying fully GDPR-compliant.

Case study: How Swedish enterprise Trelleborg AB avoided dark patterns and future-proofed its cookie compliance

Trelleborg AB's custom cookie consent banner

Trelleborg AB, a global engineering group headquartered in Sweden, faced a similar challenge back in 2018 – how to ensure GDPR-compliant cookie consent across a large and complex digital portfolio.

With operations in 40 countries and a growing number of website domains, the stakes were high. But instead of relying on patchwork solutions or risky shortcuts, the company made an early move toward a transparent, user-friendly consent approach.

After seeing a live presentation from Cookie Information, the team at Trelleborg quickly recognized the importance of getting consent right – not just to comply with the law, but to simplify processes and build trust across all their markets, including Sweden.

Implementation of Cookie Information’s Consent Management Platform was fast and intuitive, with onboarding support that helped them scale easily.

“We could easily integrate Cookie Information’s cookie consent management platform on our domains and adapt it to fit our website structure.”

Unlike many businesses now caught off guard by IMY’s 2025 enforcement actions, Trelleborg took a proactive approach – investing in a platform that aligns with evolving privacy expectations and removes the risk of dark patterns with pre-built banner templates. Cookie Information’s consent solution is designed to make consent clear, user-friendly, and GDPR-compliant by default.

Want to secure cookie banner compliance in Sweden like Trelleborg AB?

Start your 14-day free trial of Cookie Information consent solution today – no credit card required, cancel anytime.

Final thoughts: no one likes annoying, sneaky cookie pop-ups – so don’t be the site that has one.

Sweden’s April 2025 enforcement makes one thing crystal clear: the era of manipulative cookie banners is ending. From Stockholm to Brussels, regulators are done tolerating dark patterns, buried reject buttons, and banners that trick users into handing over their data.

France’s CNIL, Belgium’s DPA, the UK’s ICO, Norway’s Datatilsynet – and now Sweden’s IMY – are all pushing toward the same goal: clear, honest, user-friendly consent.

The message? Consent must be real, not rigged.

At the same time, Europe’s data protection authorities are warning businesses to rethink their use of U.S.-based analytics and ad tools. While the EU-US Data Privacy Framework (DPF) remains operational, recent political developments following President Trump’s return to office have introduced questions about its long-term stability.

For marketers, this isn’t just about staying out of trouble – it’s about protecting your data pipeline, your brand reputation, and your ability to measure performance and optimize effectively. If you rely on tracking to drive results, then how you collect consent and which tools you trust with that data matters more than ever.

Here’s where to start:

  • Fix your cookie banner UX: Make rejecting as easy as accepting – no buried settings, no confusing language.
  • Drop dark patterns: Don’t nudge, mislead, or manipulate. Transparency builds trust – and passes DPA audits.
  • Rethink your reliance on U.S. tools: If you use platforms that export data to the U.S., consider EU-based alternatives before the next legal challenge hits.
  • Build a first-party data strategy: Focus on meaningful, consented interactions – because clean data is better data.

At Cookie Information, we help marketing teams across Sweden and Europe stay privacy-compliant without sacrificing results.

Frequently asked questions

Swedish DPA Integritetsskyddsmyndigheten (IMY) issued formal criticisms against three companies for using dark patterns in their cookie banners – designs that nudged users toward accepting cookies without offering a fair or transparent choice.

The three companies investigated were major players in the Swedish market for online betting and gaming, media publishing and entertainment. Each was found to have violated key consent requirements under Swedish and EU privacy law.

Dark patterns are design tricks – like making “Accept” buttons bright and visible while hiding or complicating the “Reject” option – that influence users to consent without a real, informed choice.

They undermine the idea of freely given, informed consent. If users are manipulated into agreeing, the consent is not valid – and any data collected may be processed unlawfully.

Websites must show clear, balanced consent options on the first screen, provide easy access to granular choices, use plain language, and block non-essential cookies until consent is given.

Two were flagged for dark patterns like unbalanced buttons and misleading language. The entertainment website was criticized for failing to give users enough information about who was collecting data and why.

Use a GDPR-compliant, EU-hosted Consent Management Platform (CMP) like Cookie Information CMP. Make sure your banner includes “Accept” and “Reject” buttons on the first layer, is free from dark patterns, and fully respects user choices.

Companies may face public enforcement actions, reputational harm, or even administrative fines under the GDPR. Regulators also expect technical enforcement – meaning consent settings must actually control cookies behind the scenes.

An EU-based CMP is a privacy tool that collects and manages user consent while ensuring data remains within the EU. These platforms eliminate cross-border risks and help marketers maintain compliance without sacrificing data-driven capabilities.

Besides protecting compliance, top EU CMPs improve consent rates through optimized UX, A/B testing, and localization. This means more usable data for analytics, targeting, and personalization – resulting in better marketing outcomes.

While there may be short-term migration costs, the ROI comes from uninterrupted marketing operations, higher consent rates, and greater customer trust. Plus, you avoid costly fines, emergency replatforming, and brand damage.