New cookie guidelines in Norway: how to comply with the new Norwegian cookie law 

Blog
The Norwegian Parliament (Stortinget) has passed an updated E-com Act with new cookie guidelines, set to take effect in 2025. Here's what you should know to achieve compliance.
Table of Contents

On 12 April 2024, the Norwegian Ministry of Digitalisation and Public Governance submitted a proposal to amend the existing Electronic Communications Act (E-com Act or ekomloven). This Act, among other things, regulates the use of cookies and tracking technologies on digital platforms to protect user privacy.

The proposed amendments aim to address emerging technologies and align the E-com Act with the General Data Protection Regulation (GDPR) and ePrivacy Directive.

As of 13th December 2024, the Norwegian Parliament has processed and adopted the proposal. The proposed changes to the E-com Act will enter into force on January 1st 2025.

These changes introduce significant updates to managing cookies and consent requirements, posing new challenges for marketers, website administrators and app developers. It’s crucial to understand what’s changing, how the new cookie guidelines in Norway will impact your business, and the steps needed to ensure compliance.

Get compliant with the new Norwegian cookie requirements today

Set up a cookie consent banner on your site in minutes with Cookie Information’s Cookie Banner for Websites.

Why are the Norwegian cookie rules changing?

Norway’s cookie rules are changing to address inconsistencies and align more closely with European Union (EU) standards under the ePrivacy Directive and GDPR.
The Electronic Communications Act, Norway’s national implementation of the ePrivacy Directive, regulates the use of cookies and tracking technologies. For the most part, the two frameworks are aligned, requiring websites and apps to:
  • Obtain valid consent from users before setting cookies
  • Inform users about:
    • The cookies being used
    • The data collected and processed
    • The purpose of the data processing
    • Who will process the information
  • Enable users to easily modify their consent preferences 

However, there’s one key difference.

Unlike the ePrivacy Directive, Norway’s E-com Act has so far allowed passive consent, enabling websites or apps to rely on pre-ticked boxes or browser settings to comply with consent requirements.

This stems from the fact that the Act does not define “consent” in the same way as the Personal Data Act (Norway’s implementation of GDPR). The Court of Justice of the European Union’s (CJEU) case against German lottery business Planet49 clarified this discrepancy. In its judgment, the CJEU ruled that “consent” under the ePrivacy Directive must align with GDPR’s stricter definition and explicitly concluded that passive consent is invalid.

As a result, Norway’s rules have been different from those in the rest of the EU, leading to confusion for digital marketers trying to comply with the Norwegian E-com Act.

The upcoming changes aim to resolve these ambiguities by bringing Norway’s cookie law fully in line with EU standards, ensuring consistency and clarity for businesses and users alike.

How are the Norwegian cookie guidelines changing?

The updated Act introduces stricter rules for cookies and other tracking technologies to align with GDPR standards. Under the new rules, consent must meet the same requirements as the GDPR to be valid. This means that:

  • Passive consent won’t be valid.
  • Consent must be:
    • Freely given.
    • Specific.
    • Informed.
    • Unambiguous.
  • Users must be given the option to opt into—or deny—individual purposes for cookie use, instead of a single blanket consent.

Additionally, the new cookie law tightens the exception for cookies deemed “necessary”. The term “necessary” has been replaced with “strictly necessary.” It’s a subtle change which is not expected to have a great impact in practice. 

However, the change does potentially narrow the scope of cookies that can be exempted from consent requirements. The updated phrasing might also make it easier for authorities to determine whether or not a specific cookie is necessary to deliver an online service.

While the practical impact may be minimal, Norwegian marketers—or those targeting this market—should review their cookie classifications to ensure compliance with the updated definition:

  • Cookies used for basic site functionality, such as remembering items in a shopping cart or facilitating a login session, would likely still qualify as “strictly necessary.”
  • Cookies for user preferences (e.g., language settings) or analytical purposes, even if they improve user experience, may no longer fit this stricter category and would require user consent.
This subtle shift underscores the importance of conducting a thorough cookie audit and ensuring proper documentation and categorization to avoid regulatory issues.

Who does the Norwegian Electronic Communications Act (EKOM) apply to?

The Electronic Communications Act (EKOM) in Norway is generally interpreted—already in its 2003 version—to apply to any website or app targeting Norwegian users or operating in the Norwegian market, regardless of the domain name or the language of the digital platform, including:

1. Websites under a .no domain

These are explicitly considered to be operating within Norway and are subject to Norwegian law, including the EKOM Act.

2. Websites or apps in Norwegian

If a website or app is available in Norwegian, it is often seen as targeting Norwegian users, making it subject to Norwegian regulations, including the EKOM Act.

3. Websites or apps targeting a Norwegian audience

This covers websites or apps that:

  • Advertise to Norwegian users.
  • Offer prices in Norwegian kroner (NOK).
  • Have features or marketing explicitly tailored for Norway (e.g., shipping to Norway, using local payment methods).
  • Collect personal data from Norwegian residents.

Who enforces the Norwegian Electronic Communications Act (EKOM) and how?

Norwegian regulators (such as the Norwegian Communications Authority and the Norwegian Data Protection Authority) can pursue cases where the EKOM Act applies, even if the website or app is hosted outside Norway, as long as it targets users within the country.

If you are developing or managing a website/app that falls into any of these categories, it’s important to ensure compliance with the EKOM Act. Cookie Information offers privacy solutions for both websites and apps, including a free Website Cookie Banner if you’re a small business.

What do the new rules mean for marketers, website admins and app developers?

The updated Electronic Communications Act brings changes to how businesses can collect and use personal information, potentially posing challenges for marketers, website administrators and app developers.
Stricter consent requirements may mean that users are less likely to accept non-essential cookies, leading to a reduction in the data available for analytics and marketing efforts. This could affect how businesses track website and app performance, understand customer behavior, and measure campaign effectiveness.

Adapting to the changes requires a proactive approach. To stay compliant, businesses should review their consent management practices, and update their cookie banners, consent mechanisms, and privacy policies to meet the new, stricter requirements.

What changes for marketers with the new E-com Act? (Checklist)

1. Check if your website or app uses cookies

An easy way to do this is by using website Compliance Check tool to scan your website or app and identify all cookies and tracking technologies in use, or follow our step-by-step guide to find and categorize cookies.

2. Obtain explicit user consent

Ensure that users provide explicit, informed consent before any non-essential cookies or other tracking technologies are set. Passive consent methods, such as pre-ticked boxes or implied consent, are no longer acceptable.

3. Provide detailed cookie information

Clearly inform users about the types of cookies in use, the data they collect, their purposes, and the entities processing this information. This transparency is crucial for informed consent.

4. Offer granular consent options

Allow users to consent to different categories of cookies (e.g., functional, statistical, marketing) separately, enabling them to make specific choices about their data.

5. Facilitate easy consent withdrawal

Implement straightforward methods for users to withdraw consent or modify it at any time, ensuring compliance with user rights.

6. Update privacy policies

Revise privacy policies to reflect changes in data collection practices, explicitly detailing cookie usage, data processing purposes, and user rights under the new regulations.

7. Document and store consents

Maintain records of user consents to demonstrate compliance during audits or inspections by regulatory authorities.

Get compliant with the new cookie guidelines in Norway

Set up a cookie consent banner on your platform in minutes with Cookie Information’s cookie consent solutions.
website cookie banner
mobile app consent banner

Frequently Asked Questions: Norwegian E-com Act explained

What is the Norwegian Electronic Communications Act (Ekomloven) in simple terms?

The Norwegian Electronic Communications Act (Ekomloven) regulates the use of electronic communications, such as internet and phone services, to ensure privacy, security, and fair access. 

For marketers, it also sets strict requirements for consent management, particularly around cookies and tracking technologies on websites and apps. This means businesses must obtain clear, informed user consent before collecting data, making privacy compliance essential for building trust and maintaining a competitive edge.

The new Act enters into force on January 1, 2025, replacing the 2003 version.

Any website or app targeting Norwegian users, regardless of domain or location, must comply with the new cookie guidelines.
The guidelines strengthen user rights by requiring clear, informed consent before storing cookies or tracking user activity across digital platforms.
The law applies to data generated through electronic communications, including metadata, user behavior, and personal information shared via cookies and tracking technologies.
The Act aims to enhance user privacy on digital platforms, ensure transparency in data collection, and align Norwegian law with updated EU privacy directives.

The full Act will be available on Lovdata or other official Norwegian government websites. The PDF with the text passed in Parliament on 12 November is available here.

Cookie Information’s Cookie Banner is a leading consent management platform (CMP) that helps you collect valid cookie consent on websites and apps, ensuring full compliance with Norwegian cookie regulations.

  1. It’s a Google Gold CMP Partner, ensuring seamless integration with Google Consent Mode.
  2. Rated highly on G2 for its reliability and ease of use.
  3. Provides localized solutions for Norwegian privacy compliance needs.

Yes! Cookie Information offers a free plan for small businesses and personal websites with modest traffic, perfect for businesses looking to get started with compliance. Try it now!

Use a cookie scanner, like the one included in Cookie Information’s free website Compliance Check tool, to detect and categorize cookies on your website.

Yes. Although not specified by Norway’s E-com Act or Norwegian cookie guidelines, any website or app targeting a Norwegian audience on Google adtech platforms must comply with Google’s EU user consent policy, which complements Norwegian cookie regulations. This policy’s main requirement is to have Google Consent Mode v2 implemented on your platform.

Cookie Information is a Google CMP partner with a Gold status, and our consent solutions have Consent Mode v2 integrated by default. Find out how to set up Google Consent Mode v2, check our detailed Consent Mode v2 implementation guide, or watch our webinar in English or Norwegian.

The General Data Protection Regulation (GDPR) governs the processing of personal data across the EU/EEA, focusing broadly on data privacy, user rights, and data security, including consent requirements.

The Norwegian Electronic Communications Act (Ekomloven), on the other hand, specifically regulates electronic communications, such as internet, phone services, and cookie usage.
While GDPR applies to all personal data processing, the Ekom Act focuses on consent for cookies, tracking technologies, and metadata, making it a more targeted framework for online activity.

In addition to GDPR, frameworks like the ePrivacy Directive, Digital Markets Act (DMA), and Digital Services Act regulate data protection and online activity in Europe.