Sweden has a long history of transparency in information governance. It adopted the world’s first freedom of information law, the Freedom of the Press Act, in 1766, and in 1973 it enacted the world’s first national data protection law, the Data Act.

 

As a member of the European Union, Sweden is subject to the EU’s General Data Protection Regulation (GDPR) and the EU e-Privacy Directive (aka the “EU cookie law”). Sweden also has its own data privacy protection legislation that supplements these EU regulations, including the Data Protection Act (DPA) and the Swedish Electronics Communication Act (ECA). 

 

In Sweden, the rules on cookies are governed by the ECA, as amended by the e-Privacy Directive, and the GDPR. While companies should be preparing for a cookieless future, they’ll still have to comply with Swedish cookie laws in the short term.

 

Swedish Regulations on Cookies

 

The DPA does not address cookies (Swedish: “kakor”), but the ECA does. Sweden implemented Europe’s e-Privacy directive in the ECA. The Swedish Post and Telecom Authority (PTS) has supervisory authority over the ECA. The Swedish National Data Protection Authority oversees compliance with the GDPR and the DPA. 

 

Cookie provisions found in the ECA are intended to protect the integrity of users. According to Chapter 6, section 18 of the ECA, anyone visiting a website that uses cookies must be notified that the website contains cookies, what the cookies are used for, and how the use of cookies can be avoided. Specifically, cookies may be stored on a user’s device only if: 

 

  • The user is informed about the purpose of the cookies; and

  • The user consents to the use of cookies.

 

The ECA clarifies that these cookie rules do not apply to cookies used for the transmission of electronic messages over an electronic communications network, or to provide a service that the user explicitly requests. 

 

PTS points out that cookies can be controlled through web browser settings, but this is not enough to comply with the ECA. Swedish apps and websites that use cookies must have a banner or pop-up form that informs users of their cookie policy and asks users to consent to cookies.

 

The digital age of consent in Sweden is 13 years. Breaches of the ECA can result in fines. 

 

Requirements To Be Compliant With Swedish Cookie Laws

 

In addition to the ECA (which, again, contains European cookie policy requirements found in the e-Privacy directive), Swedish cookie compliance hinges on provisions found in the GDPR. 

 

Cookies are only explicitly mentioned once in the GDPR. Recital 30 of the GDPR states that cookies, when they can be used to identify online users (directly or indirectly), are considered personal data, and thus subject to the GDPR. Not all cookies are considered personal data based on this GDPR definition. However, the majority of first-party and third-party cookies—including cookies used for advertising and analytics—do meet this definition. 

 

Companies that handle cookies collected from Swedish users must have a legal basis for doing so, per the GDPR. In the case of cookies, this means obtaining user consent. Turning to Article 4, section 11 of the GDPR, we see that consent of the data subject must be freely given, specific, informed, and unambiguous. Furthermore, the GDPR stipulates that companies must document the cookie consent preferences of users and store this information for at least five years.

 

To summarize, businesses with digital operations in Sweden must take the following steps to meet cookie policy requirements: 

 

  • Understand the types of cookies your website uses and the purpose they serve so that you can provide accurate cookie information to your users about the data each cookie tracks and the cookie’s purpose. This is in keeping with GDPR “informed” consent. 

  • With the exception of “technical” or “essential” cookies, which are necessary for proper website functioning, you will need to collect user consent before deploying cookies. 

  • The consent request needs to be written in clear and plain language.

  • Collect user consent for each type of cookie deployed (e.g. marketing cookies, statistics cookies, and preference cookies). Consent needs to be given for each granular purpose in order for consent to be “specific.” 

  • For consent to be “unambiguous,” it must be given with a clear, affirmative act. In other words, consent must be given through an opt-in so that there is no mistaking the user’s intention. Consent cannot be inferred from pre-ticked boxes or simply by using the website. 

  • Informed consent also requires that the user is told about their right to withdraw consent at any time. In addition, withdrawing consent (or changing consent) must be as easy as giving consent. This involves providing users with opt-out and preference mechanisms that are always available. 

  • Allow users to access your site even if they do not consent to the use of certain cookies. 

  • Document user consent and store this information for a minimum of five years in case of an audit by Swedish data authorities (in this case, the DPA). 

 

How To Comply With Swedish Cookie Regulations 

 

Interpreting the legal fine print of data privacy laws like the GDPR and ECA can be tricky. It can be just as tricky to bring all the key compliance points together in a way that protects you legally while garnering a high user consent rate. 

 

A Consent Management Platform (CMP) from Didomi makes consent collection easier, more efficient, and aligned with Swedish regulations. Our CMP allows you to collect cookie consent using a pop-up format or a banner format. You can A/B test these different formats to find the highest consent rates for Swedish users. 

 

Consent shouldn’t be viewed solely as an onerous legal burden. It is a crucial performance indicator that provides business opportunities. Compliance and consent equal trust, and trust equals revenue. 

 

Didomi is a consent partner on more than 160,000 websites and apps. Talk to an expert to learn how we can help you optimize cookie consent collection as part of a forward-looking digital marketing strategy. 

 

Frequently Asked Questions (FAQ)

 

What are the main laws governing cookie usage in Sweden?

In Sweden, cookie usage is primarily governed by the Swedish Electronics Communication Act (ECA) and the EU's General Data Protection Regulation (GDPR).

 

The ECA has integrated Europe's e-Privacy directive and is supervised by the Swedish Post and Telecom Authority (PTS), while the GDPR is overseen by the Swedish National Data Protection Authority (DPA).

 

What are the key requirements for cookie compliance in Sweden?

The ECA mandates that users visiting a website with cookies should be notified about their presence, their purpose, and how to avoid them.

 

Explicit user consent is required before storing cookies on a user's device, except for cookies necessary for electronic message transmission or providing a service explicitly requested by the user.

 

What constitutes 'consent' under Swedish cookie laws and the GDPR?

Consent, as per the GDPR and Swedish law, must be freely given, specific, informed, and unambiguous.

 

This means users should be provided with clear information about the cookies and their purpose, and should actively opt-in for non-essential cookies. Additionally, they should be able to withdraw or change their consent easily at any time.

 

What steps should businesses take to comply with Swedish cookie regulations?

Businesses should understand the types of cookies they use, ensure user consent before deploying non-essential cookies, provide clear consent requests, allow users to access the site even without consenting to certain cookies, and document user consent for at least five years.

 

Implementing a Consent Management Platform (CMP) can help in achieving compliance efficiently.