Articles
Country guides
Cookie law in Norway: what you should know to be compliant (updated April 2025)
Country guides
new

Cookie law in Norway: what you should know to be compliant (updated April 2025)

Published  

5/17/2022

8
min read

Published  

May 17, 2022

by 

Brian Eckert

10 min read
Summary

Norway is a European outlier in a number of ways. Physically, it is the northernmost country in mainland Europe, with the continent’s lowest population density. Legally, Norway is not a part of the European Union, but the country is part of the European Economic Area, which makes it bound by the EU’s General Data Protection Regulation (GDPR). 

 

Privacy surveys have shown that many Norwegians feel powerless about how their information is used on the internet and have refrained from using an online service due to a lack of trust. Considering this and the general trend towards privacy-first practices, companies would be wise to place consumer consent at the center of their digital marketing strategy. 

Update April 2025: The Norwegian data protection authority is actively enforcing the new regulations through audits of websites using tracking technologies, with a particular focus on consent collection practices and compliance with the new E-Com Act requirements. Learn more in their press release and book a time with an expert to learn more about ensuring compliance in Norway but also Sweden, Denmark, and Finland.

Norwegian regulations on cookies

There are two pieces of legislation in Norway that regulate the use of cookies: the Electronic Communications Act and the Personal Data Act. 

The E-Com Act

Norway’s Electronic Communications Act, or E-com Act (Norwegian: Lov om elektronisk kommunikasjon, ekomloven) of 2003, as amended in 2013 and most recently in 2025, implements the EU-based ePrivacy Directive (aka the EU Cookie Law). 

According to § 2-7 b of the E-com Act, storage of, or access to, information in a user’s equipment/device is not permitted without the user: 

  • Being informed about what information is being processed (unless the information is exclusively for the purpose of transmitting a communication in an electronics communication network, or in cases where the cookie is essential to fulfill a request made by a user to provide an internet service); 
  • Being informed about the purpose of the processing;
  • Being informed about who is processing the information; and
  • Giving their consent to cookies. 

The Norwegian Communications Authority (Nkom)—the government agency with regulatory authority over the E-com Act—notes an additional prerequisite for user consent: clear and unambiguous information about the use of cookies. Nkom states that, to meet this requirement: 

 

  • The information must be easily visible when the user accesses the website; and
  • It must state the consent rules found in the E-com act (i.e., which cookies are used, which information is processed, the processing purpose, and the identity of the processor). 

A breach of Norway’s E-Com Act can result in a penalty of up to 5% of a business’s total sales revenue of its previous accounting year, depending on the length and seriousness of the infringement. 

 

The Personal Data Act

When a cookie involves the processing of personal data (that is, personally identifiable information), Norway’s Personal Data Act applies. The Personal Data Act implements the GDPR in Norway. It requires data controllers to have a legal basis for processing data (i.e., consent) and provide information about personal data processing. 

 

Among other things, this means providing users with transparent information about how they process personal data. This information should be clear and understandable (no legalese or technical jargon). The DPA has enforcement authority over the Personal Data Act. It offers an in-depth guide on information and transparency

 

When cookies are used for the processing of personal data, GDPR penalties, including administrative fines, can apply to violations of Norway’s Personal Data Act. Under the Personal Data Act, the DPA can also impose a daily fine if a company does not obey a compliance order. 

 

Frequently Asked Questions (FAQ)

What distinguishes Norway's regulations on cookies from those of other European countries?

As of January 2025, Norway's cookie regulations are fully aligned with EU standards through the new Electronic Communications Act (Ekomloven). The law requires explicit, active consent for all non-essential cookies, following GDPR principles


Which laws govern the use of cookies in Norway?

The use of cookies in Norway is regulated by two main pieces of legislation: the Electronic Communications Act (E-Com Act) and the Personal Data Act.

 

The E-Com Act implements the EU-based ePrivacy Directive, while the Personal Data Act incorporates GDPR's provisions when cookies involve the processing of personal data.

 

The author
Brian Eckert
Freelance writer
Writer covering privacy, compliance and regulations in the United States
Access author profile