If you own a website in Sweden or the website targets Swedes, you must know the dos and don’ts of web cookies. Here’s an easy explanation of the cookie guidelines in Sweden.
Two authorities in Sweden can review if companies and website owners are cookie-compliant. The primary one is PTS, and the secondary one is Integritetsskyddsmyndigheten, IMY.
Let’s clarify why that is.
Two Legal Frameworks for Cookie Compliance in Sweden
The GDPR is technically neutral and focuses on protecting individuals’ personal data and safeguards their integrity regardless of how the data is collected and processed.
Cookies are only mentioned once in the GDPR, in Recital 30 where it states that cookies, when they can be used to identify online users (directly or indirectly), are considered personal data, which means that they can be subject to the GDPR. However, not all cookies are considered personal data according to this definition. But the majority of both first-party and third-party cookies meet the definition.
The GDPR came into full effect in 2018 and is enforced by the IMY, Sweden’s Data Protection Authority (DPA).
The ePDcame into effect in 2002, and PTS in Sweden has been the authority responsible for enforcing it since 2003. The ePD safeguards confidentiality in electronic communications, and contrary to the GDPR, it is not technically neutral legislation. In 2009, the ePD was updated to, among other things, include some clarifications regarding cookies.
Since the ePD is a directive and not a regulation, it has been integrated into national Swedish legislation, specifically the Electronic Communications Act (ECA). In Swedish ECA is called Lagen om Elektronisk Kommunikation (LEK). As previously mentioned, the Swedish Post and Telecom Authority (PTS) has supervisory authority over the ECA.
The ECA states in Chapter 9, section 28, that anyone visiting a website that uses cookies must be notified that the website contains cookies, what the cookies are used for, and how the use of cookies can be avoided.
Specifically, cookies may be stored on a user’s device only if the user is informed about their purpose and consents to their use.
How the ECA and the GDPR intersect regarding cookie compliance in Sweden
As stated above, according to Chapter 9, Section 28 of the Swedish ECA, information may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if the subscriber or user has access to information about the purpose of the processing and consents to it.
What is consent?
The ECA states in Chapter 1, Section 8 that consent has the same meaning as in the GDPR, which means how the GDPR defines consent in Article 4.11. Here, the GDPR defines consent as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.
Note that if there is a breach of the GDPR, which at the same time is a breach of the ePrivacy-regulations, the Swedish DPA (IMY) is allowed to take the rules in the ePrivacy-directive into account when enforcing the GDPR. However, IMY is not allowed to enforce the ECA per say. Only PTS can do that.
For example, if your website has collected personal data via cookies, IMY will check whether you had proper consent before reviewing how you are processing that data. IMY will also look at whether you gave the user or visitor enough information about how you process their data and whether you have proper security measures in place to protect that data.
When is cookie consent not needed in Sweden?
According to the Swedish ECA, cookie consent is sometimes not needed. But only when it refers to cookies that are strictly necessary for a service that the user or subscriber explicitly requests. A strictly necessary cookie could, for example, be one that enables the website to remember what product a visitor has put in their shopping cart.
How do you collect valid cookie consent in Sweden?
To comply with the Swedish cookie “guidelines,” follow these nine (9) steps:
1. Inform your users of cookies
Inform your users which scripts you use on your websites and what kind of cookies they place. Do it in a way that makes it apparent who the vendor is, what data they collect, for what purpose, and how long the cookie’s lifespan is. This information should be displayed in your cookie banner and cookie policy.
2. Active consent
Consent must be actively given and can not be assumed or implied. This means your user must actively click on a ‘yes’ button. Consent can not be given through an indirect action like scrolling, swiping, or using a website or app.
3.No pre-ticked checkboxes
This part relates to the decision made by the European Court of Justice in 2019 in the case against German lottery website Planet49. Consent must be something the user actively chooses by opting. You are not allowed to have check boxes pre-selected.
4. Reject button in the cookie banner
According to PTS, you must allow users to reject cookies in the first layer of your cookie consent pop-up. That means the no-thank-you button must be placed next to the yes-thank-you button.
5. Nu nudging
It must also be easy for your users to distinguish between a ‘yes’ and a ‘no’ to cookies. Making the ‘yes’ button bigger and hiding the ‘no’ button is not considered valid consent. Buttons should be the same size and displayed next to each other.
6. Informed consent
You do not have to collect consent for every specific cookie, but you must collect consent by purpose or category, for example, for every main purpose, like functional, statistical, or marketing. You can do that with cookie controls in your cookie pop-up so users can accept or decline cookies by purpose.
7. Withdraw or change consent
Users must be able to change or withdraw consent to cookies and tracking as easy as it was to give. To control this via the web browser settings is not sufficient.
8. Collect valid consent before activating cookies
You must obtain valid consent from those visiting your website or app before using any cookies, except for strictly technically necessary cookies.
9. Store user consents
You need to store all user consents to document that you collect valid consent. Should you be subject to an audit, you need this documentation to prove you have lawfully collected data.
How will the Swedish cookie "guidelines" affect my marketing?
Will the Swedish cookie guidelines impair your marketing?
Not necessarily. As long as you have valid consent, you are allowed to collect marketing data.
A proper CMP gives you a cookie banner that informs visitors of cookies and your data collection practices. A legally valid CMP solution increases your brand’s credibility because it enables you to be transparent with your visitors and users.
Won't many users say no to my cookies and data processing?
That depends. Cookie banners designed and branded according to the company’s graphical profile have a higher opt-in rate.
Note that if you use Google Analytics, using a CMP from Cookie Information will give you an integration with Google Consent Mode v2. This feature enables you to get as much as possible from Google Ads and Analytics, even when many visitors opt out of cookies.
Cookie Information’s CMP helps you protect user privacy without compromising your marketing goals. Try it out for 14 days—it’s free and without commitments.
