The new Norwegian Electronic Communications Act and Internet cookies

On Friday, December 13, 2024, The new Norwegian Electronic Communications Act has been approved. The new law will be applied from January 01, 2025, focusing a lot about using cookies. It’s even more strict than GDPR, with the purpose of protecting personal information data.

The owner of a website or an app will have to implement a cookie banner or a management platform that comply with the new rules. I will try to cover the most important points related to Internet cookies in this post.

Terms / Definitions

• The business(es) is referred to as the owner(s) of a website or an app.
• A cookie is a small block of data created by a web server while a user visits a website or an app connecting to the web server. Cookies will be saved on user’s computer. Cookies can be used for authentication, tracking user activities, or holding some information that allows marketers to target specific users.

Scope of Application

The Act applies to any website or app targeting Norwegian users, regardless of the domain name or the language of the digital platform. This broad scope ensures that all digital services accessible to Norwegian users comply with the new regulations.

• Any website is using .no domain.
• Any website or app using Norwegian language.
• Any website or app offering prices in Norwegian Kroner.
• Any website or app that has features or marketing aiming at Norway, such as shipping to Norway, holding an event in Norway, or using a Norwegian local service.
• Any website or app advertising to Norwegian users.
• Any website or app collecting personal information from Norwegian residents.

Consent Requirements

User rights

• User can choose different category of cookies (marketing, statistics, and preferences) separately.
• User can change or withdraw their consent anytime. Again, user can choose which category of cookies they want to change.

What businesses have to do

Businesses must obtain clear, informed consent from users before storing cookies or tracking user activity. That is applied to any cookies that are not strictly necessary for the website’s basic functionality (e.g., login, shopping cart functionality). This means providing transparent information about data collection practices and ensuring that users can easily grant or withdraw consent.

Businesses need to have documents about the cookies, for example, which provider sets that cookie, how long it will be stored, and the purpose of each cookie.

From above points, we can see that:

• If a website doesn’t have any banner informing users about cookies, it’s not good at all.
• If a website only has a cookie banner, but without any option for users to customise their cookie preferences, it’s not good enough.

Especially, I can see the second situation on many websites. Usually, the owner sets up a general banner, saying the website is using cookies and an OK button (or just Accept / Cancel buttons). Users can continue or not, but the cookies are already set. From January 01, 2025, it becomes illegal.

What businesses CAN NOT do

Businesses are not allowed to pre-set cookie options. Businesses cannot claim a legitimate interest in setting tracking cookies for analytics or marketing purposes without user consent. I have seen several websites that pre-set ON for all cookie categories.

If you set ON by default at any cookie category, except Necessary, it’s failed. The new EKOM law doesn’t allow that. Similar to the Google Consent Mode v2, you will need to block all cookies, except Necessary, by default. Then depends on which mode you are using, Basic or Advanced, each cookie will be processed correspondingly.

What’s happening if businesses don’t implement a right solution

In short, you can get fine from Datatilsynet.

In Norway, NKOM (The Norwegian Communications Authority) and Datatilsynet (the Norwegian Data Protection Authority) are the offices to work on this new law and enforce these regulations. Non-compliance can lead to penalties, making it imperative for businesses to align their data practices with the new requirements.

How much for the fine? I don’t know. But it’s definitely not cheap (as usual in Norway), and it takes time and effort from businesses. Why need to risk?

How to fix

Use the form below, send me your website. I will have a quick look. Depends on the platform you are using, what kind of content you are posting on your website, it will require different tasks. I have been using Cookiebot as the Cookie Management Platform (CMP) and can fix the situation on your website.

If you post different types of content on your website, or integrating more software on your website, usually, the cookies are also changing. That’s why you need to have a platform such as Cookiebot for managing, scanning cookies and informing the changes. For example

• Usually you create posts with text and photos, which are uploaded to your website already. But one day, you include a Youtube video link in a post, that means your website links to Youtube, and Youtube will try to set up some cookies.
• Your sales team just integrates a new CRM software to your website. That means the CRM provider also tries to set up some cookies.

In any case, you need to check and have corresponding actions for any cookie changing on your website. If you are not familiar with that, I am here to help.

How much does it cost?

Depends on the software you have on your website, it can create more or less tasks. My setting up cost starts from 2000 NOK, excluding VAT, one time payment.

Cookiebot fee comes in addition. Depends on how many pages, posts and products on your website, Cookiebot fee will be different. This monthly fee will include

• Scanning, cookie information, data storing from Cookiebot.
• My proactive cookie management whenever Cookiebot detects a change in cookie setting on your website.

Any concern, let me know.