Why should you collect consent to cookies in Sweden?

Last year the rules for the use of website cookies were strengthened when the European Court of Justice ruled in the case against Planet49. Here is what you should know about the Swedish cookie law and the GDPR's requirements for consent.

Most websites in Sweden uses cookies. And we’re beginning to see that more and more businesses start to use professional consent solutions to comply with Swedish cookie laws and the GDPR.

But what are the rules for cookies and consent in Sweden? And why is it important for your business?

Does your website meet the requirements for consent in the GDPR? Let’s check it out for free!

Why should you collect consent to cookies?

A cookie is a small text file. Cookies remember language settings, items in the shopping cart and other things that make it easier to use the website.

But a large majority of cookies also collect and process visitors’ personal information. And that information is used to profile users in order to deliver them  targeted ads around the web.

According to Swedish law (2003: 389) on electronic communication (LEK) (in Swedish), everyone who visits a website that uses cookies must have full access to information about which cookies are used, what data they collect and why they collect data.

In addition, the visitor is required to give consent to the website’s use of cookies.

If a website uses cookies that collect personal data such as IP addresses, device ID, geo-location or other information that can be used directly or indirectly to identify the user, the website must obtain consent in accordance with the rules in the GDPR.

When is consent to cookies valid?

If your business website uses third-party services such as Google Analytics, Google Ads, Facebook and Hubspot, then your business is responsible for obtaining valid consent.

And it is also your business’ responsibility to document that your visitors have given consent to your use of cookies.

Audits are conducted by the Swedish Post and Telecom Agency (PTS) and the Data Protection Authority (IMY, formerly the Data Inspectorate). And they will ask you to provide necessary documentation for valid consents.

A valid consent according to recital 32 in the GDPR is:




A freely given, specific, informed and unambiguous consent from the data subject that he or she agrees to the processing of personal data concerning him or her.

Recital 32, GDPR

What does that mean?

In the context of cookies, this means that you should have a cookie banner on your website that informs your user of cookies and asks for consent to use cookies.

The cookie banner should include a ‘yes’ to cookies button, but also a ‘no’ to cookies button.

The user’s choice should then be respected in such a way that no cookies are placed on the user’s computer and no data is collected until the user has given consent.

If the user declines, your cookie consent solution should prevent cookies from being stored.

Silence, pre-checked boxes or inactivity do not constitute valid consent (cf. the European Court of Justice's ruling in the case against Planet49).

Recital 32, GDPR

It is not considered valid consent simply to write: “We use cookies”, and then showing an “ok” button. A consent is also not valid if it only requires that your user continues to use your website (scroll or swipe).

How do you obtain a valid consent to cookies?

It’s actually not that difficult.

The only requirement is that your business uses a professional consent solution.

With a professional solution – unlike free solutions – your business gets a consent solution that:

With a solution from Cookie Information, your business gets a professional consent solution and a cookie banner for your website that you can customize to fit your company’s colors and logo.

Book a meeting with us, and we can tell you how your business and website can become cookie compliant.

Book a meeting 

Does your website meet the requirements for cookies?

We can check it for you. Ensure the website’s cookie compliance with Cookie Information.

Frequently Asked Questions (FAQ):

  • My company’s website does not use cookies!
    • If you use third-party services like Google Ads, Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar, Adobe Analytics or almost any add-on from your CMS, then those services will set cookies via your website. And the responsibility for obtaining valid consent to these cookies is yours!
  • But we do not collect personal data!
    • Maybe not directly. But all the previously mentioned services collect your visitors’ personal data through cookies (e.g., IP address, device_ID, geo-location). Maybe you also collect other personal information via your CRM (e.g., HubSpot, Pipedrive, Salesforce) – that also requires valid consent.
  • What are personal data really?
    • Personal data are all data that your website or third-party services (e.g., Google Analytics, Google Ads, Facebook etc.) collect about your visitors that can – directly or indirectly – identify the user.
  • GDPR does not apply to us!
    • If you use cookies on your website, both Swedish law and GDPR apply. The Swedish law on electronic communication requires that you inform users about the use of cookies and that you obtain consent (Chapter 6, Section 1). The GDPR determines what such consent must look like in order to be valid (recital 32).
Share on facebook
Share on twitter
Share on linkedin
Share on email

- Webinars - Webinars - Webinars - Webinars

- Webinars - Webinars - Webinars - Webinars

Where to start with cookies?

Join our webinars about compliance in the Nordics