The Norwegian Electronic Communications Act (E-com Act / Ekomloven) has been updated, effective January 1, 2025. This follows the Norwegian Parliament (Stortinget) adopting a proposal submitted by the Norwegian Ministry of Digitalisation and Public Governance in November 2024. Previously, Norway’s cookie use and consent requirements were notably more lax than European standards.
The revision better aligns Norwegian regulation of cookie use with the GDPR and ePrivacy Directive (though Norway is not an EU Member State). It introduces stricter standards for obtaining and managing user consent for use of cookies and other tracking technologies.
Norway also has the Personal Data Act to protect data and privacy when data processing occurs, with oversight and enforcement by the Norwegian Data Protection Authority (Datatilsynet).
Who must comply with the new Norwegian cookie guidelines?
The updated guidelines affect all businesses operating websites or applications that have or target Norwegian users, so both Norway-based businesses and international companies with platforms, products, or services used by Norwegians.
Specific platforms and parameters that will be affected:
- Websites with a domain name using the .no ccTLD (e.g. https://www.stortinget.no/)
- Websites or apps in the Norwegian language
- Websites or apps that target Norwegian users, including:
- Advertising to Norwegian users
- Pricing in the Norwegian kroner (NOK)
- Features tailored to Norwegian customers (e.g. local payment systems or shipping to Norway)
- Collecting personal data from Norwegian residents (businesses based outside Norway must also comply if they meet this criterium)
What are the requirements of the new Norwegian cookie guidelines?
The E-comm Act’s consent requirements are now aligned with the stricter consent standards of the GDPR. Like in Art. 4(11) GDPR, consent must be “freely given, informed, specific, and unambiguous.”
Active/explicit consent is mandatory, so users must perform a specific action to indicate giving consent. Ignoring a consent banner being construed as consent, or passive actions like pre-checking boxes or using browser settings is not allowed. Previously, some passive actions were acceptable under the law.
Businesses must also enable users to modify or withdraw previously granted consent at any time. The tools to do so must also be user-friendly to be compliant with the law’s requirements.
Only cookies or tracking technologies classified as “strictly necessary” can be used to collect data without obtaining user consent. What qualifies has been refined and now only includes cookies required for the basic operation of a website or app, e.g. shopping cart functionality or maintaining an active login session.
Analytics, marketing, and user preference cookies are not strictly necessary and do require valid user consent prior to being activated.
How can businesses achieve compliance with the new Norwegian cookie guidelines?
The law does not specify what the lifespan of cookies is allowed to be, but does require transparency from businesses about the cookies and trackers in use, including what data is collected and for what purposes, how long it will be retained, what parties it may be shared with, and what users’ rights are and how they can exercise them.
Additionally, companies that meet the law’s criteria must deploy a cookie consent banner that meets new guidelines’ requirements. There must be mechanisms to equally enable users to consent to cookie use or decline it, as well as to manage consent at a granular level, and to easily modify or withdraw it.
Companies must provide information about cookie use and consent in an easily accessible way on their website or app, including the E-com Act’s rules for cookie use, and details about which cookies or other tracking technologies are in use, what data is processed and why, and the processor’s identity.
Websites must remain accessible to users who refuse cookies, so cookie walls are not allowed, though it is acceptable for some functionality to be reduced slightly if a user declines cookies.
Companies also need to document and securely store users’ consent information over time, and be able to provide it in the event of a data request or audit.
Businesses that are already GDPR-compliant are already well positioned for compliance with the Norwegian cookie guidelines as well.
What are the penalties for noncompliance with the new Norwegian cookie guidelines?
Companies operating websites and apps that do not comply with the new guidelines risk daily fines and government orders to improve their compliance activities. Fines can be up to 5 percent of the business’s total sale revenue for the preceding year, depending on how long the violation has been going on and how serious it is.
Compliance is overseen by the Norwegian Communications Authority (NKOM) and Norwegian Data Protection Authority (Datatilsynet).
How Usercentrics enables cookie compliance
Usercentrics has been enabling ongoing data privacy compliance since the GDPR was implemented. In addition to helping companies to meet their legal obligations, Usercentrics Web CMP and Usercentrics App CMP enable you to deliver better transparency and great user experience.
Collect, securely store, and document valid user consent that meets Norwegian, EU, and/or international regulatory requirements while building trust with your users, helping you get the data you need and growing engagement and revenue.
Setup is designed for ease of use for technical and non-technical teams. Use one of our high quality pre-built templates, or fully customize your consent banner to match your brand.
Our powerful scanning technology detects and automates categorization of the cookies and tracking technologies you’re using, and we provide over 2,200 legal templates for data processing services in use, saving your time and resources at implementation and maintenance. A/B testing and in-depth analytics help you understand user interactions and consent choices to optimize your banner for higher consent rates.
Plus, you always get our expert guidance and detailed documentation every step of the way, so you can stay focused on your core business and harness the competitive advantage of Privacy-Led Marketing.