Norway is a European outlier in a number of ways. Physically, it is the northernmost country in mainland Europe, with the continent’s lowest population density. Legally, Norway is not a part of the European Union, but the country is part of the European Economic Area, which makes it bound by the EU’s General Data Protection Regulation (GDPR).
However, when it comes to cookies, Norway lies outside of the European norm. Like other countries in Europe, it requires websites to gather consent before they can set cookies, in line with GDPR requirements. Where Norway differs from other European countries is that, in some cases, users are allowed to give consent using browser settings.
The Norwegian Data Protection Authority (DPA) is pushing for tighter cookie regulations in the country, saying that current regulations don’t do enough to protect user privacy. DPA privacy surveys have shown that many Norwegians feel powerless about how their information is used on the internet and have refrained from using an online service due to a lack of trust.
Norwegian regulations on cookies
The E-com Act
Norway’s Electronic Communications Act, or E-com Act (Norwegian: Lov om elektronisk kommunikasjon, ekomloven) of 2003, as amended in 2013, implements the EU-based ePrivacy Directive (aka the EU Cookie Law).
According to § 2-7 b of the E-com Act, storage of, or access to, information in a user’s equipment/device is not permitted without the user:
Being informed about what information is being processed (unless the information is exclusively for the purpose of transmitting a communication in an electronic communications network, or in cases where the cookie is essential to fulfill a request made by a user to provide an internet service);
Being informed about the purpose of the processing;
Being informed about who is processing the information; and
Giving their consent to cookies.
The information must be easily visible when the user accesses the website; and
It must state the consent rules found in the E-com Act (i.e., which cookies are used, which information is processed, the processing purpose, and the identity of the processor).
A breach of Norway’s E-com Act can result in a penalty of up to 5% of a business’s total sales revenue for its previous accounting year, depending on the length and seriousness of the infringement.
The Personal Data Act
When a cookie involves the processing of personal data (that is, personally identifiable information), Norway’s Personal Data Act applies. The Personal Data Act implements the GDPR in Norway. It requires data controllers to have a legal basis for processing data (i.e., consent) and provide information about personal data processing.
Among other things, this means data controllers must give users transparent information about how they process personal data. This information should be clear and understandable (no legalese or technical jargon). The DPA has enforcement authority over the Personal Data Act. It offers an in-depth guide on information and transparency.
When cookies are used for the processing of personal data, GDPR penalties, including administrative fines, can apply to violations of Norway’s Personal Data Act. Under the Personal Data Act, the DPA can also impose a daily fine if a company does not obey a compliance order.
Cookie consent through browser settings in Norway
One of the more confusing aspects of Norway’s cookie laws is the ability, in some instances, for users to legally consent to non-essential cookies using a browser’s pre-settings. Bull & Co Advokatfirma AS, an Oslo-based data privacy law firm, calls this a “uniquely Norwegian view” on cookie consent.
Following the EU Court’s ruling in the Planet49 case, which found that the use of pre-checked boxes does not constitute valid cookie consent, the Norwegian Communications Authority (Nkom) issued guidance stating that:
“This means that the requirements for consent to place cookies on websites in the EU are higher than before, and here it is not possible to give consent through the browser settings.”
So does this mean that consent given via browser settings is not valid? It depends on whether the cookie entails the processing of a user’s personal data. Nkom recommends compliance with the GDPR’s definition of consent (freely given, specific, informed, and unambiguous) when the cookies process personal data.
The recommendation applies, says Nkom, “where there is doubt as to whether a cookie stores or processes information that falls under Electronic Communications Act § 2-7b, or whether it is the processing of personal data that requires consent.” This same recommendation applies if you are responsible for a website that’s also aimed at other European countries.
Nkom further points out that the requirements for valid consent will be affected once the new ePrivacy Regulation comes into force across the GDPR zone. The ePrivacy Regulation currently calls for a 24-month transition period, so even if it passes in 2022, it won’t take effect until 2024 at the earliest.
Yet another wrinkle in Norway’s cookie laws is the DPA’s call to end the practice of consent through browser settings and bring Norway into line with the EU. In 2021, the Ministry of Local Government and District Affairs proposed changing provisions in the E-com Act that deal with cookie consent.
In a February 2022 letter sent to the Ministry, the DPA urged action on this matter, saying that cookie consent through browser settings is not in line with European law, and that “Internet users in Norway have poorer protection against online tracking than Internet users in the EU.”
Given these ongoing developments in European and Norwegian cookie laws, this may be a situation where reaching out to a data privacy lawyer can provide greater clarity to your digital marketing efforts.
Requirements to be compliant with Norwegian cookie laws
Consent should be freely given, specific, informed, and unambiguous, in line with GDPR guidelines.
Freely given consent means that you can’t require cookies as a condition of using your website, unless the cookie is necessary to fulfil a site function.
Freely given consent also means gathering separate consents for each type of cookie deployed (such as marketing cookies, analytics cookies, and preference cookies).
Gathering consent for each granular purpose makes consent “specific” as well.
Let your users know what personal information is being processed, the purpose of your data processing, which parties are processing the data, and that they can withdraw consent at any time. Together, these requirements constitute “informed” consent.
Make withdrawing consent as easy as giving consent.
Provide clear and unambiguous information about which cookies are used. No pre-checked boxes or implied consent. Although Norway does not have specific rules for cookie banners, Nkom notes that the information should be “easily visible when the user enters the website.”
Examples of what Nkom finds acceptable are prominent links in the header or footer, a text box on the front page, or a pop-up that mentions the words “cookie” or “cookies.”
Respect your users’ consent choices. Do not deploy any non-necessary cookies other than those they have consented to.
Document and store your users’ consent preferences. The E-com Act states that data should “be deleted or made anonymous as soon as they are no longer necessary.” However, to be on the safe side, you should store consent preferences for at least five years, as per the GDPR.
How to comply with Norwegian cookie regulations
Norway’s cookie laws are more nuanced than those found in other European countries. As things stand, companies whose digital marketing relies on non-anonymous data will want to implement a good consent tool, like Didomi’s Consent Management Platform. The alternative is to move to an anonymous data strategy that allows Norwegian users to consent to cookies using only their browser settings.
But companies that view consent as an annoying legal hurdle to clear are missing out on consent as a business opportunity. Opinion research conducted by the DPA shows that Norwegians generally have low confidence in how private companies process and use their personal data. This lack of trust has consequences: half of Norwegians say they have refrained from using an online service due to uncertainty about the handling of their data. Nearly 70% expressed the feeling that they have little control over how their online data is used.
Implementing the Didomi CMP gives you a digital marketing strategy that is forward-looking and future-proof. Get out ahead of pending legal changes and embrace the cookieless future.