The 7 easy steps to comply with the Swedish cookie guidelines
What are the rules on cookies in Sweden?
- Swedish Electronics Communications Act (LEK)
- The General Data Protection Regulation (GDPR)
The two laws contain the rules for how you, as a website or app owner, must collect valid consent for using cookies in Sweden.
However, legal text can be difficult to read and full of jargon. Therefore, we break the two laws down for you in an easy-to-read format that you can act upon.
What must you do? Inform your website visitors of the cookies you use and collect a GDPR valid consent before using them.
Although we mainly talk about cookies in this article, what we mean by “cookie” is all types of technology designed to store and collect website or app visitors’ personal information and process it primarily for marketing purposes (e.g., fingerprinting, web beacons, pixels).
Swedish Electronics Communications Act (LEK)
The Swedish cookie rules are found in the Swedish Electronics Communications Act (Lag om Elektronisk Kommunikation – LEK 2003:389).
The Swedish rules on cookies in LEK state:
- All website visitors must be informed of which cookies a website uses, what data the cookies collect and for what purpose.
The section largely comes from the European ePrivacy Directive from 2002 which is commonly coined the European ‘cookie law’.
LEK is supervised by the Swedish Post and Telecom Authority (PTS).
This means that all Swedish websites and apps must have a cookie pop-up that informs visitors about the cookies used and asks for consent before using them.
The General Data Protection Regulation (GDPR)
The GDPR concerns data processing and how you must handle your users’ personal information.
The word “cookie” is mentioned only once, but the GDPR is all about the data most cookies collect.
When the cookies you use on your website or app store and/or collect your users’ personal information (whether by you or by a third party), you are required to collect valid GDPR consent.
If you use tracking cookies, the rules for consent in the GDPR apply.
According to Article 4(11) of the GDPR, valid consent is:
- Freely given: Your visitor has to be able to accept or reject consent to cookies.
- Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time (statistics, marketing, functional cookies).
- Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long cookies are stored.
- Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.
According to the GDPR when using cookies, you must:
- Obtain a freely given, informed, specific and unambiguous consent
- Collect consent to cookies before storing any cookies on your users’ device (computer/tablet/phone).
- Store user consents for 5 years (as documentation).
Cookies and the GDPR - What does it mean for you?
If you use third-party services such as:
- Google (e.g., Analytics)
- and many more
that collect your visitors’ personal information, like:
- Other online identifiers
for the purpose of serving targeted ads across the internet, you have to collect a GDPR valid cookie consent (through the cookie banner).
How can you comply with Swedish cookie law?
You can comply with the Swedish cookie rules and the GDPR by collecting valid consent to cookies.
But how do you do that?
First of all you need a cookie consent banner.
Valid consent has to be freely given, specific, informed and unambiguous.
Now, in more practical terms it means that your cookie banner must live up to certain requirements.
In your cookie banner, your users must be able to:
- Say YES or NO to cookies (freely given).
- Give their consent for one specific purpose at a time e.g., statistics, marketing etc. (specific).
- Base their consent choice on an informed basis (informed). Let them know what cookies you use and what data they collect.
- Be absolutely aware that they are giving consent (unambiguous). Consent is not scrolling, swiping or simply using the website or app.
Besides that, it must:
- Be easy for your users to change or withdraw consent to cookies.
- Store all user consents for 5 years (in case the Swedish authorities want to see them).
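The banner requirements above translate directly into a small piece of consent-gating logic. The following is an added example, not code from the original article or from any vendor: it models granular purposes (statistics, marketing, functional), refuses to allow any non-necessary cookie until the visitor has actively chosen, supports withdrawal, and keeps an append-only record that is retained for 5 years. The class and function names are assumptions, and the in-memory record list stands in for whatever server-side storage a real site would use.

```javascript
// Added example (not from the original article): a minimal consent gate
// modelling the Swedish LEK/GDPR banner requirements. Names are assumptions.
const PURPOSES = ["statistics", "marketing", "functional"]; // one consent per purpose
const RETENTION_MS = 5 * 365 * 24 * 60 * 60 * 1000;        // consents kept 5 years

class ConsentManager {
  constructor(now = Date.now) {
    this.now = now;       // injectable clock so the retention logic is testable
    this.records = [];    // append-only log: every grant/withdrawal is documentation
    this.current = null;  // latest decision; null until the visitor actively chooses
  }
  // Only an explicit click on the banner calls this. Scrolling, swiping or
  // merely using the site never does (unambiguous consent).
  grant(choices) {
    const granted = {};
    for (const p of PURPOSES) granted[p] = choices[p] === true; // unticked = no consent
    this.current = { granted, at: this.now() };
    this.records.push({ action: "grant", ...this.current });
    return this.current;
  }
  // Withdrawal must be as easy as giving consent; it is logged as well.
  withdraw() {
    this.current = null;
    this.records.push({ action: "withdraw", at: this.now() });
  }
  // Gate checked before setting any cookie or loading any tag.
  // Technically necessary cookies (login, shopping cart) need no consent.
  isAllowed(purpose) {
    if (purpose === "necessary") return true;
    if (!PURPOSES.includes(purpose)) return false;         // unknown purpose: deny
    return this.current !== null && this.current.granted[purpose] === true;
  }
  // Records still inside the 5-year retention window (what an authority may ask for).
  retainedRecords() {
    const cutoff = this.now() - RETENTION_MS;
    return this.records.filter(r => r.at >= cutoff);
  }
}

// Returns the names of the tags that may be loaded given the current consent state.
function loadableTags(cm, tags) {
  return tags.filter(t => cm.isAllowed(t.purpose)).map(t => t.name);
}
```

Before any click, `loadableTags` returns only the technically necessary tags, which is the behaviour a pre-consent page load must have.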
A GDPR compliant banner can look something like this:
FAQ on cookies and consent in Sweden
[Q] – We are not using cookies on our website!
[Q] – Our website is not collecting – or processing – any personal data!
[A] – Maybe not, but third-party services like Google Analytics, Facebook, Hotjar and Amazon are! If you use any third-party service that sets cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent for using these cookies is your responsibility.
[Q] – Can we use Google Analytics without consent?
[A] – No. Google Analytics uses multiple cookies that collect your visitors’ personal information, which is used to provide you with insights into audience, acquisition and behaviour. That is made possible by persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
[Q] – What are technically necessary cookies?
[A] – Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.
[Q] – How do I know if my website is GDPR cookie compliant?