The 7 easy steps to comply with the Norwegian cookie guidelines
Norwegian cookie guidelines – what are the rules?
There has been a lot of confusion in recent years around the rules for using cookies in Norway.
The question has been: To collect consent or not to collect consent to cookies. And how?
The confusion comes from the interpretation of the national Electronic Communications law (EKOM) and whether the GDPR applies to Norwegian websites.
But after the European Court of Justice in 2019 ruled in the case against German lottery website Planet49 and their cookie banner practices, the Norwegian Communications Authority (Nasjonal kommunikasjonsmyndighet – NKOM) has declared:
Here’s how it works.
- Electronic Communications Law (EKOM)
- General Data Protection Regulation (GDPR)
Which one applies depends on whether or not the cookies you use collect your users’ personal information.
See it as this:
So, the latest recommendation from the Norwegian Communications Authority (NKOM) is:
3 simple pieces of advice from NKOM
But what do the EKOM and GDPR really say about cookies in Norway?
EKOM - The Electronic Communications Act
What it really means is:
You are required to inform your users of the cookies you use, and the users must give their consent.
You do not need consent for:
- technically necessary cookies (those that are required to make your website work, such as shopping cart cookies, login cookies etc.).
- accessing information the user has explicitly requested.
According to NKOM, consent can be given by the website visitor by using a technical setting in the browser (accepting or rejecting all cookies) or through a cookie consent pop-up.
But for a cookie consent to be valid under EKOM, it must contain clear information about:
- which cookies you use.
- what information/data they collect and process.
- what the purpose of data processing is.
- who processes the information (who the cookies are shared with).
Tracking cookies – NKOM recommends a GDPR consent
The game changes when we talk about tracking cookies.
If the cookies you use are categorized as tracking cookies, i.e., they collect your users’ personal information which is processed either by you or a third party (e.g., Google, Facebook, Amazon, Hotjar etc.), then NKOM recommends that you obtain consent to cookies following GDPR standards.
This was announced by NKOM back in November 2019. Here they said:
But what are the rules for consent under the GDPR?
The General Data Protection Regulation (GDPR)
The GDPR is all about data processing and how you must handle personal information.
Even though the word “cookie” is mentioned only once in the GDPR, the GDPR is all about the data most cookies collect.
Especially when it comes to tracking cookies or any other tracking technology like fingerprinting, pixels or web beacons.
When using cookies that collect your users’ personal information for further processing, you are required to collect valid consent in accordance with the GDPR.
If you use tracking cookies, the rules for consent in the GDPR apply
According to Article 4 (11) of the GDPR, valid consent is:
- Freely given: Your visitor has to be able to accept or decline consent to cookies.
- Specific: Consent must be granular. You may only ask for consent for one specific purpose at a time (statistics, marketing, functional cookies).
- Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long they are stored.
- Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.
According to the GDPR, as the website owner, you are the data controller, therefore you must collect and document valid consent.
*The guidelines for using (tracking) cookies and collecting valid consent under the GDPR are administered by the Norwegian Data Protection Authority (Datatilsynet).
GDPR and cookies - What does it mean for you?
- Google (e.g., Analytics)
- and many more
and these cookies collect your visitors’ personal information like:
- Other online identifiers
with the purpose of serving targeted ads across the internet, you must collect GDPR-valid cookie consent (with a cookie banner).
How do you collect valid consent to cookies in Norway?
In order to comply with the Norwegian cookie guidelines and the GDPR when using cookies on your site, make sure you collect valid consent.
Here’s how you do it:
- Inform your users of the cookies you use based on a scan of your website.
- Ask your users for permission to use cookies (consent). You can do that with a cookie consent pop-up.
- Respect their choice (if they reject cookies). You can prevent your cookies from being set.
- Give your users an easy way to withdraw or change their consent. You can do that with a simple link to reopen the consent pop-up.
- Make consent granular (specific). You can do that with cookie controls in your cookie pop-up so users can accept or reject cookies by their purpose (marketing, stats, functional).
- Store your users’ consent for 5 years. Your Consent Management Platform will do that for you. If it’s a good one.
You can collect valid consent to cookies with a professional Consent Management Platform.
You get a cookie consent pop-up that could look something like this:
A professional Consent Management Platform and a consent pop-up that collects valid consent will ensure that your website complies with the Norwegian cookie guidelines, the EKOM and the GDPR.
FAQ on cookies and consent in Norway
[Q] – We are not using cookies on our website!
[Q] – Our website is not collecting – or processing – any personal data!
[A] – Maybe not, but third-party services like Google Analytics, Facebook, Hotjar, Amazon are! If you use any third-party service that sets cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent for using these cookies is your responsibility.
[Q] – Can we use Google Analytics without consent?
[A] – No. Google Analytics uses multiple cookies that collect your visitors’ personal information, which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
[Q] – What are technically necessary cookies?
[A] – Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Google Analytics cookies are not technically necessary cookies. Unfortunately.
[Q] – How do I know if my website is GDPR cookie compliant?