While most of us were busy wrapping up everything that needed to be done before New Year’s – in the midst of the hunt for the “almond in the pudding” – the new Norwegian Electronic Communications Act was sanctioned in the government council. The result? Stricter rules for how cookies are used on Norwegian websites from January 1, 2025.
We know this came as a surprise, and many businesses may not have managed to put aside their holiday preparations before the regulations knocked on the door. The same was true for us, but we’ve found a good solution that ensures compliance without requiring costly legal fees.
New rules for cookies
First and foremost: What is a "cookie"? Simply put, cookies are small data packets stored on the user’s computer when they visit websites. These are used for everything from remembering logins to analyzing user behavior and targeting ads.
Until now, Norway has had more lenient regulations than the EU and has been in a legal gray area. Norwegians have had weaker privacy protection than residents of EU countries. The new rules change this.
Now, all cookies that are not strictly necessary must be turned off by default, and users must actively give their consent to enable them before using the websites. Great news for consumers, perhaps not as great for businesses with large advertising budgets.
Who does this affect?
Most websites use some form of cookies. Certain cookies are essential to the functionality of the platform – these so-called “strictly necessary cookies” ensure that websites function as intended and have little to do with tracking. They enable basic website functionalities, such as user logins and account management.
Under the new legislation, your website is affected as soon as it integrates third-party software. This includes embedding or displaying the following:
- Videos from YouTube, Vimeo, and similar platforms
- Third-party software, such as sign-up forms or newsletters (e.g., Mailchimp)
- Google Analytics (or other analytics tools)
- Social media platforms like Instagram, TikTok, Facebook, etc.
What must you do to comply with the new rules?
Here are the key points from the new regulations:
- Prior consent: Cookies that are not technically necessary cannot be set without the user’s active consent.
- Clear information: Users must understand what they are consenting to. This means explaining what data is collected, why it is collected, and who processes it. This should be outlined in your website’s privacy policy.
- Easy to decline: It must be just as easy to refuse cookies as to accept them. Manipulative design (so-called "dark patterns") is not allowed.
- Document consent: You must store the consent and be able to provide documentation during audits.
- No cookie walls: Your website must remain accessible even if users refuse cookies, though some functionality may be slightly reduced.
What happens if you don’t comply?
If your website violates the rules, you risk daily fines and orders for immediate improvements. The Norwegian Data Protection Authority (Datatilsynet) and the Norwegian Communications Authority (NKOM) oversee compliance with the regulations.
We help you manage cookies
We have partnered with CookieInformation, the Nordic leader in GDPR-compliant cookie solutions. This solution complies with the Electronic Communications Act.
Free solution:
- Create your business account at cookieinformation.com.
- Free to use for scanning one site/domain with up to 200 subpages.
- The software scans your site upon installation and adjusts the cookie banner to comply with regulations based on the initial scan.
- You are responsible for performing a new scan if a new cookie is added.
- Easy integration: Send us the script along with your privacy policy describing the cookies, and we will implement it on your website (if hosted by us).
Paid solution:
- We set up your business account on our partner site at cookieinformation.com.
- Scans for domains/sites with up to 500 subpages. Larger sites require an Enterprise solution (custom pricing model).
- The software scans your site and adjusts the cookie banner weekly, 52 times per year.
- 25,000 unique consents per year.
- Data storage for 5 years (on Microsoft Azure).
- Google Consent Mode v2 (required by Google if you use Google Analytics). We can recommend alternatives to “GA” upon request.
- We integrate the privacy policy and cookie banner for you, ensuring the system works seamlessly.
- Price: NOK 3,100 per year, including setup. Invoiced separately from hosting.
Both solutions store data as required by authorities for audits.
Simple and compliant
We also offer customized cookie banners outside of existing ecosystems, but these are costly and typically unnecessary, given the robust solutions available through CookieInformation.com.
This is a simple solution we are confident in recommending to our clients.
Download the privacy policy template here.
Summary:
- The new rules for data storage on websites (cookies) take effect on January 1, 2025.
- The new rules give Norwegian consumers better control over their data but also require businesses to take privacy seriously.
- We are happy to help you stay ahead so you can focus on what you do best – running your business.
Contact us to find the best solution for your website.