Why should you collect consent to cookies in Sweden [2022]?

The Swedish cookie guidelines and rules are changing. Here's a break down of why you should collect consent to cookies in Sweden.
Table of Contents

Why should you collect consent to cookies?

New winds are blowing in the legal landscape and it effects how you as a website owner must collect consent to cookies in Sweden. 

Much has happened since the GDPR took force in 2018! New verdicts and cookie guidelines have been implemented across Europe, and Sweden is no exception. 

Here we break down why you should collect consent to cookies in Sweden. 

Link: Swedish cookie law explained [2022]

Almost all websites use cookies. Most of these are tracking cookies. These cookies collect your visitors’ personal information (IP-address, device ID, geolocation etc.) and send this information to third parties, where it is shared and sold to fuel tracking-based ads.  

“If you use cookies,
you must collect your users’ consent”

According to Swedish law (2003: 389) on electronic communication (LEK) (in Swedish), everyone who visits a website that uses cookies must have full access to information about which cookies are used, what data they collect and why they collect data.

In addition, the visitor is required to give consent to the website’s use of cookies.

If a website uses cookies that collect personal data such as IP-addresses, device ID, geo-location or other information that can be used directly or indirectly to identify the user, the website must obtain consent in accordance with the rules in the GDPR.

“If you use tracking cookies,
collect a GDPR consent”

What is a GDPR consent in Sweden?

If your business website uses third-party services such as Google Analytics, Google Ads, Facebook and Hubspot, then your business is responsible for obtaining valid consent.

And it is also your business’ responsibility to document that your visitors have given consent to your use of cookies.

Audits are conducted by the Swedish Post and Telecom Agency (PTS) and the Data Protection Authority (IMY, formerly the Data Inspectorate). And they will ask you to provide necessary documentation for valid consents.

A valid consent according to recital 32 in the GDPR is:

A freely given, specific, informed and unambiguous consent from the data subject that he or she agrees to the processing of personal data concerning him or her.

What does that mean?

In the context of cookies, this means that you should have a cookie banner on your website that informs your user of cookies and asks for consent to use cookies.

The cookie banner should include a ‘yes’ to cookies button, but also a ‘no’ to cookies button.

The user’s choice should then be respected in such a way that no cookies are placed on the user’s computer and no data is collected until the user has given consent.

If the user declines, your cookie consent solution should prevent cookies from being stored.

Silence, pre-checked boxes or inactivity do not constitute valid consent (cf. the European Court of Justice's ruling in the case against Planet49).

It is not considered valid consent simply to write: “We use cookies”, and then showing an “ok” button. A consent is also not valid if it only requires that your user continues to use your website (scroll or swipe).

How do you collect a GDPR consent to cookies?

It’s actually not that difficult. The only requirement is that your business uses a professional consent solution. With a professional solution – unlike free solutions – your business gets a consent solution that:

With a solution from Cookie Information, your business gets a professional consent solution and a cookie banner for your website that you can customize to fit your company’s colours and logo. 

Book a meeting with us, and we can tell you how your business and website can become cookie compliant.

Book a meeting 

Does your website meet the requirements for cookies?

We can check it for you. Ensure the website’s cookie compliance with Cookie Information.

6 easy steps to comply with
the Swedish cookie guidelines:

Frequently Asked Questions (FAQ):

  • My company’s website does not use cookies!
    • If you use third-party services like Google Ads, Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar, Adobe Analytics or almost any add-on from your CMS, then those services will set cookies via your website. And the responsibility for obtaining valid consent to these cookies is yours!
  • But we do not collect personal data!
    • Maybe not directly. But all the previously mentioned services collect your visitors’ personal data through cookies (e.g., IP address, device_ID, geo-location). Maybe you also collect other personal information via your CRM (e.g., HubSpot, Pipedrive, Salesforce) – that also requires valid consent.
  • What are personal data really?
    • Personal data are all data that your website or third-party services (e.g., Google Analytics, Google Ads, Facebook etc.) collect about your visitors that can – directly or indirectly – identify the user.
  • GDPR does not apply to us!
    • If you use cookies on your website, both Swedish law and GDPR apply. The Swedish law on electronic communication requires that you inform users about the use of cookies and that you obtain consent (Chapter 6, Section 1). The GDPR determines what such consent must look like in order to be valid (recital 32).