On 12 April 2024, the Norwegian Ministry of Digitalisation and Public Governance submitted a proposal to amend the existing Electronic Communications Act (E-com Act or ekomloven). This Act, among other things, regulates the use of cookies and tracking technologies on digital platforms to protect user privacy.
The proposed amendments aim to address emerging technologies and align the E-com Act with the General Data Protection Regulation (GDPR) and ePrivacy Directive.
As of 13th December 2024, the Norwegian Parliament has processed and adopted the proposal. The proposed changes to the E-com Act will enter into force on January 1st 2025.
Get compliant with the new Norwegian cookie requirements today
Why are the Norwegian cookie rules changing?
- Obtain valid consent from users before setting cookies
- Inform users about:
- The cookies being used
- The data collected and processed
- The purpose of the data processing
- Who will process the information
- Enable users to easily modify their consent preferences
However, there’s one key difference.
Unlike the ePrivacy Directive, Norway’s E-com Act has so far allowed passive consent, enabling websites or apps to rely on pre-ticked boxes or browser settings to comply with consent requirements.
This stems from the fact that the Act does not define “consent” in the same way as the Personal Data Act (Norway’s implementation of GDPR). The Court of Justice of the European Union’s (CJEU) case against German lottery business Planet49 clarified this discrepancy. In its judgment, the CJEU ruled that “consent” under the ePrivacy Directive must align with GDPR’s stricter definition and explicitly concluded that passive consent is invalid.
As a result, Norway’s rules have been different from those in the rest of the EU, leading to confusion for digital marketers trying to comply with the Norwegian E-com Act.
How are the Norwegian cookie guidelines changing?
The updated Act introduces stricter rules for cookies and other tracking technologies to align with GDPR standards. Under the new rules, consent must meet the same requirements as the GDPR to be valid. This means that:
- Passive consent won’t be valid.
- Consent must be:
- Freely given.
- Specific.
- Informed.
- Unambiguous.
- Users must be given the option to opt into—or deny—individual purposes for cookie use, instead of a single blanket consent.
Additionally, the new cookie law tightens the exception for cookies deemed “necessary”. The term “necessary” has been replaced with “strictly necessary.” It’s a subtle change which is not expected to have a great impact in practice.
However, the change does potentially narrow the scope of cookies that can be exempted from consent requirements. The updated phrasing might also make it easier for authorities to determine whether or not a specific cookie is necessary to deliver an online service.
While the practical impact may be minimal, Norwegian marketers—or those targeting this market—should review their cookie classifications to ensure compliance with the updated definition:
- Cookies used for basic site functionality, such as remembering items in a shopping cart or facilitating a login session, would likely still qualify as “strictly necessary.”
- Cookies for user preferences (e.g., language settings) or analytical purposes, even if they improve user experience, may no longer fit this stricter category and would require user consent.
Who does the Norwegian Electronic Communications Act (EKOM) apply to?
The Electronic Communications Act (EKOM) in Norway is generally interpreted—already in its 2003 version—to apply to any website or app targeting Norwegian users or operating in the Norwegian market, regardless of the domain name or the language of the digital platform, including:
1. Websites under a .no domain
These are explicitly considered to be operating within Norway and are subject to Norwegian law, including the EKOM Act.
2. Websites or apps in Norwegian
If a website or app is available in Norwegian, it is often seen as targeting Norwegian users, making it subject to Norwegian regulations, including the EKOM Act.
3. Websites or apps targeting a Norwegian audience
This covers websites or apps that:
- Advertise to Norwegian users.
- Offer prices in Norwegian kroner (NOK).
- Have features or marketing explicitly tailored for Norway (e.g., shipping to Norway, using local payment methods).
- Collect personal data from Norwegian residents.
Who enforces the Norwegian Electronic Communications Act (EKOM) and how?
Norwegian regulators (such as the Norwegian Communications Authority and the Norwegian Data Protection Authority) can pursue cases where the EKOM Act applies, even if the website or app is hosted outside Norway, as long as it targets users within the country.
If you are developing or managing a website/app that falls into any of these categories, it’s important to ensure compliance with the EKOM Act. Cookie Information offers privacy solutions for both websites and apps, including a free Website Cookie Banner if you’re a small business.
What do the new rules mean for marketers, website admins and app developers?
Adapting to the changes requires a proactive approach. To stay compliant, businesses should review their consent management practices, and update their cookie banners, consent mechanisms, and privacy policies to meet the new, stricter requirements.
What changes for marketers with the new E-com Act? (Checklist)
1. Check if your website or app uses cookies
An easy way to do this is by using website Compliance Check tool to scan your website or app and identify all cookies and tracking technologies in use, or follow our step-by-step guide to find and categorize cookies.
2. Obtain explicit user consent
Ensure that users provide explicit, informed consent before any non-essential cookies or other tracking technologies are set. Passive consent methods, such as pre-ticked boxes or implied consent, are no longer acceptable.
3. Provide detailed cookie information
Clearly inform users about the types of cookies in use, the data they collect, their purposes, and the entities processing this information. This transparency is crucial for informed consent.
4. Offer granular consent options
Allow users to consent to different categories of cookies (e.g., functional, statistical, marketing) separately, enabling them to make specific choices about their data.
5. Facilitate easy consent withdrawal
Implement straightforward methods for users to withdraw consent or modify it at any time, ensuring compliance with user rights.
6. Update privacy policies
Revise privacy policies to reflect changes in data collection practices, explicitly detailing cookie usage, data processing purposes, and user rights under the new regulations.
7. Document and store consents
Maintain records of user consents to demonstrate compliance during audits or inspections by regulatory authorities.
Get compliant with the new cookie guidelines in Norway
Frequently Asked Questions: Norwegian E-com Act explained
What is the Norwegian Electronic Communications Act (Ekomloven) in simple terms?
The Norwegian Electronic Communications Act (Ekomloven) regulates the use of electronic communications, such as internet and phone services, to ensure privacy, security, and fair access.
For marketers, it also sets strict requirements for consent management, particularly around cookies and tracking technologies on websites and apps. This means businesses must obtain clear, informed user consent before collecting data, making privacy compliance essential for building trust and maintaining a competitive edge.
When does the Norway Electronic Communications Act enter into force?
The new Act enters into force on January 1, 2025, replacing the 2003 version.
Who must comply with the new Norwegian cookie guidelines?
What are the main new cookie guidelines in Norway?
What data falls under the new Norway E-com Law?
What is the main purpose of the new Norwegian E-com Act?
Where can I get the Norwegian E-com Act PDF?
What is the best cookie consent solution to comply with the new Norway cookie law?
Cookie Information’s Cookie Banner is a leading consent management platform (CMP) that helps you collect valid cookie consent on websites and apps, ensuring full compliance with Norwegian cookie regulations.
Why is Cookie Information Cookie Banner the best CMP to comply with the new cookie rules in Norway?
- It’s a Google Gold CMP Partner, ensuring seamless integration with Google Consent Mode.
- Rated highly on G2 for its reliability and ease of use.
- Provides localized solutions for Norwegian privacy compliance needs.
Can I implement a website cookie consent banner for free?
Yes! Cookie Information offers a free plan for small businesses and personal websites with modest traffic, perfect for businesses looking to get started with compliance. Try it now!
How do I know if my website uses cookies?
Use a cookie scanner, like the one included in Cookie Information’s free website Compliance Check tool, to detect and categorize cookies on your website.
Do Norwegian websites also need to comply with Google’s EU user consent policy?
Yes. Although not specified by Norway’s E-com Act or Norwegian cookie guidelines, any website or app targeting a Norwegian audience on Google adtech platforms must comply with Google’s EU user consent policy, which complements Norwegian cookie regulations. This policy’s main requirement is to have Google Consent Mode v2 implemented on your platform.
Cookie Information is a Google CMP partner with a Gold status, and our consent solutions have Consent Mode v2 integrated by default. Find out how to set up Google Consent Mode v2, check our detailed Consent Mode v2 implementation guide, or watch our webinar in English or Norwegian.
What’s the difference between GDPR and Norway cookie law?
The General Data Protection Regulation (GDPR) governs the processing of personal data across the EU/EEA, focusing broadly on data privacy, user rights, and data security, including consent requirements.
What other data protection regulations and privacy frameworks are there in Europe?
In addition to GDPR, frameworks like the ePrivacy Directive, Digital Markets Act (DMA), and Digital Services Act regulate data protection and online activity in Europe.