The 7 easy steps to comply
with
the Swedish cookie guidelines:
-
Inform your users of cookies
-
Allow users easily to accept or reject cookies
-
Collect consent by purpose (marketing, statistics, functional cookies)
-
Don’t use pre-ticked checkboxes (for cookie purposes)
-
Make it easy to change or withdraw consent
-
Obtain consent before cookies are set/used
-
Store all user consents for 5 years
What are the rules on cookies in Sweden?
There are two laws you should be aware of when you use cookies or any other tracking technologies on your websites or apps in Sweden.
Swedish Electronics Communications Act (LEK)
- The General Data Protection Regulation (GDPR)
The two laws contain the rules for how you – as a website or app owner – shall collect valid consent for using cookies in Sweden.
However, law text can be difficult to read and filled with jargon. Therefore, we break the two laws down for you in an easy to read format that you can act upon.
Who is it for? Anyone who owns or manages a website in Sweden that uses cookies or other tracking technologies.
What must you do? Inform your website visitors of the cookies you use and collect a GDPR valid consent before using them.
Although we mainly talk about cookies in this article, what we mean by “cookie” is all types of technology designed to store and collect website or app visitors’ personal information and process it primarily for marketing purposes (e.g., fingerprinting, web beacons, pixels).
Swedish Electronics Communications Act (LEK)
The Swedish cookie rules are found in the Swedish Electronics Communications Act (Lag om Elektronisk Kommunikation – LEK 2003:389).
“The service provider may save cookies or other data concerning the use of the service in the user’s terminal device, and use such data, if the user has given his or her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving and using such data.”
The Swedish rules on cookies in LEK state:
- All website visitors must be informed of which cookies a website uses, what data the cookies collect and for what purpose.
- All visitors must consent to cookies before a website can use cookies.
The section largely comes from the European ePrivacy Directive from 2002 which is commonly coined the European ‘cookie law’.
LEK is supervised by the Swedish Post and Telecom Authority (PTS).
This means that all Swedish websites and apps must have a cookie pop-up that informs their visitors of cookies and asks for a consent for using the cookies.
The use of cookies is also regulated by the General Data Protection Regulation (GDPR) when cookies collect, store and process visitors’ personal information.
The General Data Protection Regulation (GDPR)
The GDPR concerns data processing and how you must handle your users’ personal information.
The word “cookie” is mentioned only once, but the GDPR is all about the data most cookies collect.
When the cookies you use on your website or app, store and/or collect your users’ personal information (by you or a third-party), you are required to collect valid GDPR consent.
If you use tracking cookies, the rules for consent in the GDPR apply.
According to Article 4 (11) in the GDPR valid consent is:
- Freely given: Your visitor has to be able to accept or reject consent to cookies.
- Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time (statistics, marketing, functional cookies).
- Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long cookies are stored.
- Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.
'Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
According to the GDPR when using cookies, you must:
- Obtain a freely given, informed, specific and unambiguous consent
- Collect consent to cookies before storing any cookies on your users’ device (computer/tablet/phone).
- Store user consents for 5 years (as documentation).
Cookies and the GDPR - What does it mean for you?
It means:
If you use cookies either set by you or third-party services like:
- Google (e.g., Analytics)
- YouTube
- TikTok
- Amazon
- and many more..
that collects your visitors’ personal information like:
- UserID
- CookieID
- IP-address
- Geolocation
- Other online identifiers
for the purpose of serving targeted ads across the internet, you have to collect a GDPR valid cookie consent (through the cookie banner).
How can you comply with Swedish cookie law?
You can comply with the Swedish cookie rules and the GDPR by collecting valid consent to cookies.
But how do you do that?
First of all you need a cookie consent banner.
But it’s not simply enough having a cookie banner with the text: “we use cookies – if you use our site you accept”.
Valid consent has to be freely given, specific, informed and unambiguous.
Now, in more practical terms it means that your cookie banner must live up to certain requirements.
In your cookie banner, your users must be able to:
- Say YES or NO to cookies (freely given).
- Give their consent for one specific purpose at a time e.g., statistics, marketing etc. (specific).
- Base their consent choice on an informed basis (informed). Let them know what cookies you use and what data they collect.
- Your users must be absolutely aware that they give consent (unambiguous). Consent is not scrolling, swiping or simply using the website or app.
Besides that, it must:
- Be easy for your users to change or withdraw consent to cookies.
- Store all user consents for 5 years (in case the Swedish authorities want to see them).
A GDPR compliant banner can look something like this:
You can always contact us with questions on how to get a GDPR compliant cookie banner for your website or app.
FAQ on cookies and consent in Sweden
[Q] – We are not using cookies on our website!
[A] – Most websites use cookies. These are either technically necessary cookies used for making the website work (e.g., remember language preferences, login settings, shopping cart cookies), or cookies set through your website by some of the services you use like for example Google Analytics, Facebook, Instagram, LinkedIn, Hotjar etc.
[Q] – Our website is not collecting – or processing – any personal data!
[A] – Maybe not, but third-party services like Google Analytics, Facebook, Hotjar, Amazon are! If you use any third-party service which set cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent using these cookies is your responsibility.
[Q] – Can we use Google Analytics without consent?
[A] – No. Google Analytics is using multiple cookies that collect your visitors’ personal information which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
[Q] – What are technically necessary cookies?
[A] – Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.
[Q] – How do I know if my website is GDPR cookie compliant?
[A] – You have it checked. By a Consent Management Platform provider – like Cookie Information – which can easily and quickly assess whether your website uses cookies that are not collected consent for. Get a free compliance check here with Cookie Information. No strings attached.
