New cookie guidelines in Norway: how to comply with the new Norwegian cookie law 

Blog
The Norwegian E-com Act (Ekomloven) established stricter cookie guidelines in January 2025, reinforced in April by the Norwegian Data Protection Authority Datatilsynet's new guidance and enforcement actions. Here's what you need to know to achieve full E-Com compliance.
Table of Contents

On 12 April 2024, the Norwegian Ministry of Digitalization and Public Governance proposed major updates to the Electronic Communications Act (E-Com Act or ekomloven) – the law that, among other things, regulates the use of cookies and tracking technologies on digital platforms. The end goal? To protect user privacy.

Fast forward to January 1st 2025: the updated E-Com Act is in force, and the pressure is on for businesses to align with stricter consent requirements.

But that’s not all.

In April 2025, the Norwegian Data Protection Authority (DPA) – Datatilsynet – published official guidance explaining exactly how to comply with the new rules – leaving no more room for “creative interpretations” of what valid consent really looks like.

And if you think this is just theory? Think again. Datatilsynet has also launched supervisory inspections targeting websites that may be sharing sensitive personal data – like health or political interests – through tools like tracking pixels. Yes, they’re checking who’s compliant and who’s not.

Whether you’re a marketer, website manager or app developer, this article breaks down:

  • What’s changed in Norway’s cookie rules (and why)
  • What Norwegian DPA Datatilsynet expects from you now
  • How to avoid enforcement risks – especially if you’re handling sensitive topics


Let’s get into it.

Get compliant with the new Norwegian cookie requirements today

Set up a cookie consent banner on your site in minutes with Cookie Information’s Cookie Banner for Websites.

Why did the Norwegian cookie rules change?

Because it’s time to clear up the confusion.

Norway is updating its cookie rules to fully align with EU privacy laws – namely the ePrivacy Directive and the General Data Protection Regulation (GDPR). Until now, the Electronic Communications Act (E-Com Act) allowed businesses to rely on passive consent methods, like pre-ticked boxes or browser settings. That’s no longer enough.

The Planet49 ruling from the EU Court of Justice made it clear: consent must be freely given, informed, specific, and unambiguous – no shortcuts.

This difference between EU and Norwegian law has created confusion for marketers trying to stay compliant.

The January 2025 update to the E-Com Act resolves that by adopting the GDPR consent standard and removing any grey areas around what valid cookie consent looks like.

With Datatilsynet’s new guidance now live, and inspections already underway, the message is clear: it’s time to review your consent setup and ensure you’re collecting it the right way – from the very first visit.

EXPERT’S OPINION
“Any website that uses cookies for purposes other than strictly necessary functionality – such as marketing, personalization, or tracking – is significantly impacted by the E-Com Act and is already at risk since 1 January, 2025, if they didn't adapt to the new rules yet.”

New in April 2025: Datatilsynet publishes comprehensive guide to E-Com compliance

On April 3, 2025, Norway’s DPA released comprehensive guidance detailing how businesses should obtain valid consent for cookies and tracking technologies under the updated E-Com Act. This guidance reinforces even more the alignment of Norway’s regulations with the EU’s GDPR standards.

Key takeaways from the guidance include:

1. Active consent required: Users must provide clear, informed consent before any non-essential cookies are set.

2. No pre-ticked boxes: Consent obtained through pre-ticked boxes or passive means – e.g., continued browsing – is not valid.

3. Equal prominence for choices: Options to accept or reject cookies must be presented with equal prominence, ensuring users can make an informed choice without being influenced by dark patterns or pre-ticked boxes.

4. Easy withdrawal: Users should be able to withdraw consent as easily as they gave it. Pro tip: a consent solution that allows a “consent widget” to show on your website makes this as easy as it gets.

Have questions? Find more detail about these E-Com requirements below in this article. And if you want practical tips for implementing these guidelines and ask your questions directly to the experts, watch our webinar, hosted in Norwegian: Ny 2025-cookieveiledning fra det norske Datatilsynet – slik etterlever du den

What the E-Com changed in Norway's cookie law

The updated E-Com Act brought new cookie rules to Norway, in line with GDPR standards — and that means stricter requirements for consent.

Here’s what changed:

  • Passive consent is out. You can’t rely on pre-ticked boxes or assume users agree just because they keep browsing.
  • Consent now needs to be:
    • Freely given
    • Specific
    • Informed
    • Unambiguous

In other words, users must clearly say “yes” — and they need to be able to choose what they’re saying yes to. Blanket consent for everything won’t cut it anymore.

There’s also a small wording change around the cookies that don’t require consent. 

  • Before, the law referred to “necessary” cookies. Now, it’s “strictly necessary”.

It sounds subtle, and in practice the practical impact may be minimal, but it gives regulators a clearer line for deciding which cookies really are essential.

So what does this clarification mean for you?

  • Cookies used for basic site functionality, such as remembering items in a shopping cart or facilitating a login session, would likely still qualify as “strictly necessary”.
  • Cookies for user preferences — e.g., language settings — or analytical purposes, even if they improve user experience, may no longer fit this stricter category and would require user consent.

Even if the impact seems minor, it’s a good time to review how your cookies are categorized and make sure you’re not treating convenience features as “essential”. A quick audit now can help you stay on the safe side.

Who enforces the Norwegian Electronic Communications Act (EKOM) and how?

Enforcement is a shared responsibility between two authorities and the updated guidance from April 2025 makes that division clearer than ever:

  • Nkom (Norwegian Communications Authority) oversees the technical side of things. They’re responsible for enforcing the E-Com Act, which covers how cookies and similar technologies are used specifically, when and how businesses can store or access information on users’ devices.
  • Datatilsynet (Norwegian Data Protection Authority) steps in when those cookies or tracking tools involve personal data which, in practice, is almost always the case. Their job is to ensure that the use of tracking technologies follows GDPR requirements, including how consent is collected, documented, and respected.

The April 2025 guidance makes it clear:

  • Nkom handles “can you set this cookie?”
  • Datatilsynet handles “are you processing personal data legally?”

If you’re setting any type of tracking that collects personal data — like IP addresses, user behavior, or identifiers — you’re likely subject to both sets of rules. So yes, it’s possible to hear from both authorities if something’s not right.

EXPERT’S OPINION
“Mobile apps often access device information and use tracking technologies similar to cookies. The 2025 E-com Act requires that explicit, informed consent from users for any data collection beyond what is strictly necessary to core functionality. App developers need to implement in-app consent mechanisms that clearly explain data collection purposes and allow users to manage their preferences easily.“

What do the new rules mean for marketers, website admins and app developers?

The updated Electronic Communications Act brings changes to how businesses can collect and use personal information, potentially posing challenges for marketers, website administrators and app developers.

Stricter consent requirements may mean that users are less likely to accept non-essential cookies, leading to a reduction in the data available for analytics and marketing efforts. This could affect how you track website and app performance, understand customer behavior, and measure campaign effectiveness.

Adapting to the changes requires a proactive approach. To stay compliant, you should review your consent management practices, and update your cookie banners, consent mechanisms, and privacy policies to meet the new, stricter requirements.

Datatilsynet is checking tracking tools on sensitive websites – is yours next?

Let’s get real for a second – if your website uses tracking tools like the Meta Pixel or Google Analytics, there’s a chance you could be sharing more data than you think. Especially if your site covers sensitive topics like health, religion, sexuality, or politics.

That’s why in April 2025 Datatilsynet has started checking up on Norwegian websites in these areas. They’ve kicked off a new round of supervisory inspections, looking at whether tracking tools are passing on sensitive user info to international tech giants – and whether that’s being done with proper consent.

So why should you care?

  • If you work in marketing for a brand, NGO, or media outlet that touches on these topics, you might be processing special category data under GDPR. That means the bar is higher for how you collect and share user info.

     

  • Even something as simple as loading a tracking pixel on a page about mental health could trigger a compliance issue if you don’t have explicit consent first.

     

  • You’re not just responsible for what you collect – you’re responsible for what your tools collect on your behalf.

What does that mean for your day-to-day?

  • Audit your pixels. Know what you’re running on which pages, and why.

  • Re-check your consent setup. Are users really opting in before those pixels fire?

  • Talk to your legal or compliance team, or seek legal counsel. Yes, it’s worth it – especially now that enforcement is heating up.

This isn’t about scaring you – it’s about helping you stay ahead. With regulators paying closer attention, being proactive is your best defense. And your users? They’ll thank you for taking their privacy seriously.

Your E-Com Act compliance checklist: what to check, what to fix

1. Check if your website or app uses cookies

An easy way to do this is by using website Compliance Check tool to scan your website or app and identify all cookies and tracking technologies in use, or follow our guide to find and categorize cookies.

2. Obtain explicit user consent

Ensure that users provide explicit, informed consent before any non-essential cookies or other tracking technologies are set. Passive consent methods, such as pre-ticked boxes or implied consent, are no longer acceptable.

3. Provide detailed cookie information

Clearly inform users about the types of cookies in use, the data they collect, their purposes, and the entities processing this information. This transparency is crucial for informed consent.

4. Offer granular consent options

Allow users to consent to different categories of cookies (e.g., functional, statistical, marketing) separately, enabling them to make specific choices about their data.

5. Facilitate easy consent withdrawal

Implement straightforward methods for users to withdraw consent or modify it at any time, ensuring compliance with user rights.

6. Update privacy policies

Revise privacy policies to reflect changes in data collection practices, explicitly detailing cookie usage, data processing purposes, and user rights under the new regulations.

7. Document and store consents

Maintain records of user consents to demonstrate compliance during audits or inspections by regulatory authorities.

Get compliant with the new cookie guidelines in Norway

Set up a cookie consent banner on your platform in minutes with Cookie Information’s cookie consent solutions.

website cookie banner
mobile app consent banner

Frequently asked questions: Norwegian E-Com Act explained

What is the Norwegian Electronic Communications Act (Ekomloven) in simple terms?

The Norwegian Electronic Communications Act (Ekomloven) regulates the use of electronic communications, such as internet and phone services, to ensure privacy, security, and fair access. 

For marketers, it also sets strict requirements for consent management, particularly around cookies and tracking technologies on websites and apps. This means businesses must obtain clear, informed user consent before collecting data, making privacy compliance essential for building trust and maintaining a competitive edge.

The new Act enters into force on January 1, 2025, replacing the 2003 version.

The Electronic Communications Act (EKOM) in Norway is generally interpreted – already in its 2003 version – to apply to any website or app targeting Norwegian users or operating in the Norwegian market, regardless of the domain name or the language of the digital platform, including:

1. Websites under a .no domain 
These are explicitly considered to be operating within Norway and are subject to Norwegian law, including the EKOM Act.

2. Websites or apps in Norwegian
If a website or app is available in Norwegian, it is often seen as targeting Norwegian users, making it subject to Norwegian regulations, including the EKOM Act.

3. Websites or apps targeting a Norwegian audience
This covers websites or apps that:

  • Advertise to Norwegian users.
  • Offer prices in Norwegian kroner (NOK).
  • Have features or marketing explicitly tailored for Norway (e.g., shipping to Norway, using local payment methods).
  • Collect personal data from Norwegian residents.

Enforcement of cookie compliance in Norway is a shared responsibility:

  • Nkom (Norwegian Communications Authority) handles enforcement of the E-com Act, including rules around cookies and electronic communications.
  • Datatilsynet (Norwegian Data Protection Authority) steps in when cookie use involves processing of personal data, which is almost always the case with tracking technologies.


So yes – there are two authorities you might hear from if your cookie practices are non-compliant.

The guidelines strengthen user rights by requiring clear, informed consent before storing cookies or tracking user activity across digital platforms.

The law applies to data generated through electronic communications, including metadata, user behavior, and personal information shared via cookies and tracking technologies.

The Act aims to enhance user privacy on digital platforms, ensure transparency in data collection, and align Norwegian law with updated EU privacy directives.

The full Act (Ekomloven) will be available on Lovdata or other official Norwegian government websites. The PDF with the Ekomloven text passed in Parliament on 12 November, 2024 is available here.

Cookie Information’s Cookie Banner is a leading consent management platform (CMP) that helps you collect valid cookie consent on websites and apps, ensuring full compliance with Norwegian cookie regulations.

  1. It’s a Google Gold CMP Partner, ensuring seamless integration with Google Consent Mode.
  2. Rated highly on G2 for its reliability and ease of use.
  3. Provides localized solutions for Norwegian privacy compliance needs.

Yes! Cookie Information offers a free plan for small businesses and personal websites with modest traffic, perfect for businesses looking to get started with compliance. Try it now!

Use a cookie scanner, like the one included in Cookie Information’s free website Compliance Check tool, to detect and categorize cookies on your website.

Yes. Although not specified by Norway’s E-com Act or Norwegian cookie guidelines, any website or app targeting a Norwegian audience on Google adtech platforms must comply with Google’s EU user consent policy, which complements Norwegian cookie regulations. This policy’s main requirement is to have Google Consent Mode v2 implemented on your platform.

Cookie Information is a Google CMP partner with a Gold status, and our consent solutions have Consent Mode v2 integrated by default. Find out how to set up Google Consent Mode v2, check our detailed Consent Mode v2 implementation guide, or watch our webinar in English or Norwegian.

The General Data Protection Regulation (GDPR) governs the processing of personal data across the EU/EEA, focusing broadly on data privacy, user rights, and data security, including consent requirements.

The Norwegian Electronic Communications Act (Ekomloven), on the other hand, specifically regulates electronic communications, such as internet, phone services, and cookie usage.
While GDPR applies to all personal data processing, the Ekom Act focuses on consent for cookies, tracking technologies, and metadata, making it a more targeted framework for online activity.

In addition to GDPR, frameworks like the ePrivacy Directive, Digital Markets Act (DMA), and Digital Services Act regulate data protection and online activity in Europe.

No. The Norwegian E-com Act requires user consent for storing or accessing information on a device – regardless of your intentions. Even if your analytics feel harmless, you still need consent unless the cookie is strictly necessary for delivering a service the user asked for.