Norwegian cookie guidelines explained

What are the rules for using cookies in Norway? And how do you collect valid consent to cookies? Here's everything you need to know about the Norwegian cookie guidelines.
Table of Contents

The 7 easy steps to comply with
the Norwegian cookie guidelines:

Norwegian cookie guidelines – what are the rules?

There has been a lot of confusion around the rules for using cookies in Norway the recent years.

The question has been: To collect consent or not to collect consent to cookies. And how?

The confusion comes from the interpretation of the national Electronic Communications law (EKOM) and whether the GDPR applies to Norwegian websites.

But after the European Court of Justice in 2019 ruled in the case against German lottery website Planet49 and their cookie banner practices, the Norwegian Communications Authority (Nasjonal kommunikasjonsmyndighet – NKOM) has declared:

  • If you use cookies that collect your website visitors’ personal information, you must collect a GDPR consent

Here’s how it works.

There are two laws central to the use of cookies in Norway:

  • Electronic Communications Law (EKOM)
  • General Data Protection Regulation (GDPR)

Which one you shall use depends on whether the cookies you use collect your users’ personal information or not.

See it as this:

So, latest recommendation from the Norwegian Communications Authority (NKOM) is:

3 simple advices from NKOM

But what do the EKOM and GDPR really say about cookies in Norway?

EKOM - The Electronic Communications Act

The national Norwegian rules on cookies come from the Act relating to Electronic Communications (EKOM) section 2-7b “Use of cookies”.

It says:

Retaining information in the user's communication equipment, or gaining access to this, is not permitted unless the user is informed on which information is processed, the purpose of this processing and who will process the information and consents to this.

The first point is not an obstacle for technical storage or access to information:

  1. exclusively for the purpose of transferring communication in an electronic communications network
  2. which is necessary to supply an information societal service in accordance with the user's explicit request.

What it really means is:

You are required to inform your users of the cookies you use, and the users must give their consent

You do not need consent for

  • technically necessary cookies (those that are required to make your website work (shopping cart cookies, login cookies etc.).
  • accessing information the user has explicitly requested.

The law concerns the use of cookies, i.e., storing information and gaining access to information in cookies on the website visitor’s computer or smartphone.

It is therefore a requirement for your use of cookies that your website visitor has consented to the use. 

According to NKOM, consent can be given by the website visitor by using a technical setting in the browser (accepting or rejecting all cookies) or through a cookie consent pop-up.  

But for a cookie consent to be valid under EKOM, it must contain clear information about:  

  • which cookies you use.
  • what information/data they collect and process.
  • what the purpose of data processing is.
  • who processes the information (who the cookies are shared with).

Tracking cookies – NKOM recommends a GDPR consent

The game changes when we talk about tracking cookies.

If the cookies you use are categorized as tracking cookies, i.e., they collect your users’ personal information which is processed either by you or a third party (e.g., Google, Facebook, Amazon, Hotjar etc.), then the NKOM recommends that you obtain a consent to cookies following GDPR standards.

This was announced by the NKOM back in November 2019. Here they said:

NKOM will assess the need for adjustments to the regulations as a result of the development. In the meantime, it is important to note that if there is any doubt as to whether the requirements of the Personal Data Act are met, then one should choose consent under the Personal Data Act (consent in line with the GDPR) to be on the safe side.

The same applies if you are responsible for a website that is also aimed at other European countries.

But what are the rules for consent under the GDPR?

The General Data Protection Regulation (GDPR)

The GDPR is all about data processing and how you must handle personal information. 

Even though the word “cookie” is mentioned only once in the GDPR, the GDPR is all about the data most cookies collect. 

Especially when it comes to tracking cookies or any other tracking technology like fingerprinting, pixels or web beacons.

When using cookies that collect your users’ personal information for further processing, you are required to collect valid consent in accordance with the GDPR. 

If you use tracking cookies,
the rules for consent in the GDPR apply

GDPR and cookies - What does it mean for you?

If you use cookies on your website or app set by you or third-party services like:

  • Google (e.g., Analytics)
  • Facebook
  • YouTube
  • TikTok
  • Amazon
  • and many more..

and these cookies collect your visitors’ personal information like: 

  • UserID
  • CookieID
  • IP-address
  • Geolocation
  • Other online identifiers

with the purpose of serving targeted ads across the internet, you must collect a GDPR valid cookie consent (with a cookie banner).

How do you collect valid consent to cookies in Norway?

In order to comply with the Norwegian cookie guidelines and the GDPR when using cookies on your site, make sure you collect valid consent.

Here’s how you do it: 

  • Inform your users of the cookies you use based on a scan of your website. 
  • Ask your users for permission for using cookies (consent). You can do that with a cookie consent pop-up.
  • Respect their choice (if they reject cookies). You can prevent your cookies from being set.
  • Give your users an easy way to withdraw or change their consent. You can do that with a simple link to reopen the consent pop-up.
  • Make it easy for your users to find information about your cookies and the data they collect. Guide them to your cookie policy with a link in your cookie consent pop-up.
  • Make consent granular (specific). You can do that with cookie controls in your cookie pop-up so users can accept or reject cookies by their purpose (marketing, stats, functional).
  • Store your users’ consent for 5 years. Your Consent Management Platform will do that for you. If it’s a good one.

You can collect valid consent to cookies with a professional Consent Management Platform.

You get a cookie consent pop-up that could look something like this: 

Example of Cookie Information's GDPR compliant cookie consent pop-up. The pop-up informs the users of cookies, provides granular (specific) consent and a 'Decline' button next to the 'Accept' button. Consent is a easy to reject as to give, following GDPR standards.

A professional Consent Management Platform and a consent pop-up that collects valid consent will ensure that your website complies with the Norwegian cookie guidelines, the EKOM and the GDPR.

You can always contact us with questions on how to get a GDPR compliant cookie banner for your website or app. 

FAQ on cookies and consent in Norway

[Q] – We are not using cookies on our website!

[A] – Most websites use cookies. These are either technically necessary cookies used for making the website work (e.g., remember language preferences, login settings, shopping cart cookies), or cookies set through your website by some of the services you use like for example Google Analytics, Facebook, Instagram, LinkedIn, Hotjar etc.

[Q] – Our website is not collecting – or processing – any personal data!

[A]  Maybe not, but third-party services like Google Analytics, Facebook, Hotjar, Amazon are! If you use any third-party service which set cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent using these cookies is your responsibility.

[Q] – Can we use Google Analytics without consent?

[A]  No. Google Analytics is using multiple cookies that collect your visitors’ personal information which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.  

[Q] – What are technically necessary cookies?

[A]  Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.

[Q] – How do I know if my website is GDPR cookie compliant?

[A]  You have it checked. By a Consent Management Platform provider – like Cookie Information – which can easily and quickly assess whether your website uses cookies that are not collected consent for. Get a free compliance check here with Cookie Information. No strings attached.