Cookie law in Norway: what you should know to be compliant (updated April 2025)

Norway is a European outlier in a number of ways. Physically, it is the northernmost country in mainland Europe, with the continent’s lowest population density. Legally, Norway is not a part of the European Union, but the country is part of the European Economic Area, which makes it bound by the EU’s General Data Protection Regulation (GDPR). 

Privacy surveys have shown that many Norwegians feel powerless about how their information is used on the internet and have refrained from using an online service due to a lack of trust. Considering this and the general trend towards privacy-first practices, companies would be wise to place consumer consent at the center of their digital marketing strategy. 

‍

Update April 2025: The Norwegian data protection authority is actively enforcing the new regulations through audits of websites using tracking technologies, with a particular focus on consent collection practices and compliance with the new E-Com Act requirements. Learn more in their press release and book a time with an expert to learn more about ensuring compliance in Norway but also Sweden, Denmark, and Finland.

‍

Norwegian regulations on cookies

There are two pieces of legislation in Norway that regulate the use of cookies: the Electronic Communications Act and the Personal Data Act. 

‍

The E-Com Act

Norway’s Electronic Communications Act, or E-com Act (Norwegian: Lov om elektronisk kommunikasjon, ekomloven) of 2003, as amended in 2013 and most recently in 2025, implements the EU-based ePrivacy Directive (aka the EU Cookie Law). 

‍

According to § 2-7 b of the E-com Act, storage of, or access to, information in a user’s equipment/device is not permitted without the user: 

‍

• Being informed about what information is being processed (unless the information is exclusively for the purpose of transmitting a communication in an electronics communication network, or in cases where the cookie is essential to fulfill a request made by a user to provide an internet service); 
• Being informed about the purpose of the processing;
• Being informed about who is processing the information; and
• Giving their consent to cookies. 

The Norwegian Communications Authority (Nkom)—the government agency with regulatory authority over the E-com Act—notes an additional prerequisite for user consent: clear and unambiguous information about the use of cookies. Nkom states that, to meet this requirement: 

• The information must be easily visible when the user accesses the website; and
• It must state the consent rules found in the E-com act (i.e., which cookies are used, which information is processed, the processing purpose, and the identity of the processor). 

A breach of Norway’s E-Com Act can result in a penalty of up to 5% of a business’s total sales revenue of its previous accounting year, depending on the length and seriousness of the infringement. 

The Personal Data Act

When a cookie involves the processing of personal data (that is, personally identifiable information), Norway’s Personal Data Act applies. The Personal Data Act implements the GDPR in Norway. It requires data controllers to have a legal basis for processing data (i.e., consent) and provide information about personal data processing. 

Among other things, this means providing users with transparent information about how they process personal data. This information should be clear and understandable (no legalese or technical jargon). The DPA has enforcement authority over the Personal Data Act. It offers an in-depth guide on information and transparency. 

When cookies are used for the processing of personal data, GDPR penalties, including administrative fines, can apply to violations of Norway’s Personal Data Act. Under the Personal Data Act, the DPA can also impose a daily fine if a company does not obey a compliance order. 

Cookie consent through browser settings in Norway

As of January 1st, 2025, with the new Electronic Communications Act (Ekomloven), Norway has aligned with EU standards regarding cookie consent. The previous unique provision allowing consent through browser settings has been eliminated.

‍

Websites must now obtain active, explicit consent from users before setting any non-essential cookies.

‍

This change brings Norway's cookie regulations in line with GDPR requirements and addresses previous concerns raised by the Norwegian Data Protection Authority about inadequate user privacy protection.

‍

Requirements to be compliant with Norwegian cookie laws

The following requirements assume that your company uses cookies that collect users’ personal data. Under the new E-Com Act, all websites must implement a GDPR-compliant consent management system for any non-essential cookies, regardless of whether they collect anonymous or personal data. 

• Make sure that the user has consented to the use of cookies before setting non-necessary cookies. You must have a legal basis for processing data. 
• Consent should be freely given, specific, informed, and unambiguous, in line with GDPR guidelines.
  • Freely given consent means that you can’t require cookies as a condition of using your website, unless the cookie is necessary to fulfil a site function. 
  • Freely given consent also means gathering separate consents for each type of cookie deployed (such as marketing cookies, analytics cookies, and preference cookies).
  • Gathering consent for each granular purpose makes consent “specific” as well. 
• Let your users know what personal information is being processed, the purpose of your data processing, which parties are processing the data, and that they can withdraw consent at any time. Together, these requirements constitute “informed” consent. 
  • Make withdrawing consent as easy as giving consent. 
• Provide clear and unambiguous information about which cookies are used. No pre-checked boxes or implied consent. Although Norway does not have specific rules for cookie banners, Nkom notes that the information should be “easily visible when the user enters the website.” 
  • Examples of what Nkom finds acceptable are prominent links in the header or footer, a text box on the front page, or a pop-up that mentions the words “cookie” or “cookies.”
• Respect your user’s consent choices. Do not deploy any non-necessary cookies other than those they have consented to. 
• Document and store your users’ consent preferences. The E-com Act states that data should “be deleted or made anonymous as soon as they are no longer necessary.” However, to be on the safe side, you should store consent preferences for at least five years, as per the GDPR. 

How to comply with Norwegian cookie regulations 

Under the 2025 regulations, all companies operating websites in Norway must implement a compliant consent management solution, like Didomi’s Consent Management Platform. Browser-based consent is no longer a valid alternative, and passive consent mechanisms are prohibited.

Companies that view consent as an annoying legal hurdle to clear are missing out on consent as a business opportunity. Opinion research conducted by the DPA shows that Norwegians generally have low confidence in how private companies process and use their personal data. This lack of trust has consequences: half of Norwegians say they have refrained from using an online service due to uncertainty about handling their data.

Nearly 70% expressed the feeling that they have little control over how their online data is used. The implications of these findings are clear: companies that have a transparent cookie policy and give their users real data choices are in a much better position to earn user trust (and consent) in Norway. 

‍

With active enforcement and audits underway, immediate compliance with these regulations is crucial for businesses operating in Norway. Implementing a CMP gives you a forward-looking and future-proof digital marketing strategy. Get out ahead of pending legal changes and embrace the cookieless future. Talk with an expert to learn more:

‍

{{request-a-demo}}

Frequently Asked Questions (FAQ)

What distinguishes Norway's regulations on cookies from those of other European countries?

As of January 2025, Norway's cookie regulations are fully aligned with EU standards through the new Electronic Communications Act (Ekomloven). The law requires explicit, active consent for all non-essential cookies, following GDPR principles

Which laws govern the use of cookies in Norway?

The use of cookies in Norway is regulated by two main pieces of legislation: the Electronic Communications Act (E-Com Act) and the Personal Data Act.

The E-Com Act implements the EU-based ePrivacy Directive, while the Personal Data Act incorporates GDPR's provisions when cookies involve the processing of personal data.

How does the Norwegian Communications Authority (Nkom) interpret consent in the context of cookies?

According to Nkom, clear and unambiguous information about the use of cookies should be easily visible when a user accesses a website. This information should include the purpose of cookie processing, who is processing the information, and the rules of consent as per the E-Com Act.

How can businesses ensure compliance with Norwegian cookie laws?

To comply with Norwegian cookie laws, businesses should ensure users' consent is freely given, specific, informed, and unambiguous.

This includes making consent withdrawal as easy as giving consent, providing clear information on cookie use, respecting users' consent choices, and documenting and storing consent preferences. Implementing a robust Consent Management Platform (CMP) that aligns with GDPR best practices is advisable to mitigate risks.