Cookie consent under scrutiny: Danish DPA’s 2026 focus creates opportunity for compliant businesses

https://cookieinformation.com/blog/denmark-cookie-consent-2026/ (Cookie Information, Mon, 19 Jan 2026 11:54:42 +0000)

Think your cookie banner is compliant? The Danish DPA just made consent a 2026 enforcement priority – and their data shows most websites have issues. Here's what's changing, what they're targeting, and why compliant businesses should see this as an opportunity.


What the Danish DPA announced – and why it matters

Your cookie banner might be about to get a lot more scrutiny. The Danish Data Protection Authority (Datatilsynet) has announced its enforcement priorities for 2026, and cookie consent practices are firmly in the spotlight. The authority will examine whether Danish websites give users a genuine choice about tracking – and the findings so far suggest many do not.

For businesses still relying on manipulative consent designs or non-compliant cookie banners, this is a clear warning. But for those who have invested in proper consent management platforms, this enforcement focus could be the competitive edge you’ve been waiting for.

In their official 2026 supervision plan, Datatilsynet was blunt:

“Studies are still being published regularly showing extensive collection of personal data continues on Danish websites, and where citizens do not have a real opportunity to say no to tracking technologies.”

Notice that phrase: “real opportunity to say no.” The DPA is not just checking whether websites have a cookie banner. They’re asking: can users actually decline without jumping through hoops? 

Two agencies, coordinated enforcement

Datatilsynet will coordinate its enforcement with Digitaliseringsstyrelsen (the Danish Agency for Digital Government). Two regulatory bodies examining cookie consent practices simultaneously increases both the scope and likelihood of enforcement actions.

So how bad is it, really? Cookie Information’s 2024 report Cookie Compliance in Denmark: Trends & Insights found that compliance issues are actually getting worse, not better:

  • 94% of analyzed websites have a cookie banner (up from 91% in 2023)
  • But 84% have compliance issues (up from 79%)
  • And 70% set non-essential cookies before consent

More banners. More problems. The most common violation – firing cookies before consent – is exactly what GDPR prohibits and what the DPA is now targeting.

The problem is widespread across industries, most prominent in Sports (89%), E-commerce (83%), and Arts & Culture (82%).

Denmark’s track record on privacy enforcement

This announcement builds on Denmark’s consistent enforcement of tracking-related privacy violations.

Previous enforcement actions by the Danish DPA

  • Shopping apps focus (2025): Datatilsynet examined consent practices in retail applications.
  • Government guidance: The Danish Ministry of Industry recommended that companies develop exit strategies from American cloud services.

The 2026 focus on website cookie consent represents a natural progression in their systematic approach to examining consent practices throughout digital touchpoints.

Denmark is not acting in isolation. Nordic data protection authorities have shown a pattern of coordinated, strict enforcement on consent compliance.

Norway’s E-Com Act changes (January 2025)

Norway introduced significant updates to its Electronic Communications Act (E-Com Act), tightening cookie consent requirements. 

Previously acceptable practices such as pre-ticked boxes or implied consent via browser settings are no longer allowed.

Sweden’s Google Analytics enforcement

Sweden’s data protection authority (IMY) ruled that four companies unlawfully transferred personal data to the US via Google Analytics, reinforcing the need for EU-compliant analytics alternatives.

The European Data Protection Board (EDPB) coordinates enforcement activities through its Coordinated Enforcement Framework. Datatilsynet will participate in the 2026 effort, focusing on transparency and disclosure. Cookie consent practices face scrutiny at both national and EU level.

Here’s the uncomfortable truth behind the DPA’s announcement: a lot of websites are cutting corners.

  • Dark patterns in cookie banners: Making “Accept All” prominent while hiding “Reject”
  • Cookie walls: Blocking content unless users accept all tracking cookies
  • Pre-checked consent boxes: Defaulting to consent rather than requiring opt-in
  • Asymmetric effort: Multiple clicks to reject, one click to accept
  • Missing granular consent: All-or-nothing instead of category-level cookie preferences

What happens when enforcement begins

When regulators act, the consequences extend beyond GDPR fines:

  • Your campaigns could stop overnight. Enforcement orders can immediately suspend marketing tools tied to unlawful data collection.
  • Your analytics could go dark. Losing tracking access means losing the ability to segment audiences or measure performance.
  • Your reputation takes a hit. Public enforcement erodes customer trust.

So what happens if you’re already doing this right?

Operational continuity

While competitors scramble to rebuild consent infrastructure, you keep operating. Your cookie consent solution keeps working; your analytics keep flowing; your campaigns keep running.

Trust differentiation

Privacy-aware consumers notice consent experiences more than marketers expect. A banner where accepting and declining are equally easy signals respect. One that hides the reject button signals manipulation.

When users encounter aggressive cookie banners that hide reject options, they notice. Some bounce. Others comply but lose trust.

As enforcement tightens across Europe, a transparent consent experience becomes a differentiator – not just a legal checkbox.

Better data quality through privacy-first analytics

It sounds counterintuitive, but privacy-respecting consent often produces better data than aggressive tracking. 

Here’s the catch with traditional analytics: if someone declines cookies, they vanish from your data. If 40-60% of visitors decline cookies – common in privacy-conscious markets – your analytics might only show half the picture, over-reporting some channels and under-reporting others, biased by which audiences click “Accept”.

What if you didn’t have to choose between privacy compliance and complete data? The most effective approach combines consent-based tracking with anonymous data collection.

Here’s how it works:

A visitor arrives, and you immediately start collecting anonymous behavioral data – page views, traffic sources, session patterns. No consent needed because no personal data is involved.

Then they see your cookie banner. If they accept, you switch to full tracking with longer-lasting identifiers – returning visitor recognition, cross-session journeys, and personalization. If they decline, anonymous tracking continues. 

Why consent management still matters:

This isn’t about bypassing consent. A well-designed consent experience still drives higher opt-in rates, unlocking richer data for consenting visitors. The difference: declining visitors don’t disappear from your analytics entirely.

The results:

Piwik PRO partner Hopkins, a leading digital marketing and analytics agency in Finland, found that after implementing this combined approach, they captured 3x as many sessions – and 4x more traffic overall (180,000 visits versus 40,000 in GA4).

How to set this up

To make this work, consent management and analytics need native integration – not custom development.

The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO delivers this, starting at €35/month:

  • Cookie Information CMP – Automated cookie scanning, auto-blocking, categorization, and WCAG-compliant banners in 44+ languages
  • Piwik PRO Analytics – Anonymous tracking methods (with session hash, without cookies, or fully cookieless) plus full tracking for consenting visitors
  • Tag Manager – Consent-based triggers controlling when scripts fire
  • Data activation – Turn insights into audiences and campaigns instantly

Setup takes minutes. Consent signals flow automatically across all modules – no middleware, no gaps, no compliance headaches.

Simplify consent and analytics today

See how the Cookie Banner + Analytics Plan handles both – setup takes minutes.

Data sovereignty: the hidden compliance factor

But there’s another critical dimension: where your data goes matters as much as how you collect consent.

The US data transfer risk

Under the US CLOUD Act, American authorities can compel US-based companies to provide customer data access, regardless of where it’s stored. Multiple European DPAs have ruled against US-based analytics tools on these grounds.

True EU data sovereignty

True data sovereignty means more than EU hosting. It requires that both the data and organizations handling it remain entirely under EU legal jurisdiction, free from foreign ownership.

Benefits include: minimized legal risk from non-EU surveillance frameworks, GDPR alignment, strengthened user trust, and long-term legal certainty for data-driven strategies.

Let’s be honest: would your cookie banner survive a regulatory audit? Here’s what compliant consent actually requires:

  • Genuine choice: Declining is as easy as accepting – no dark patterns, no asymmetric button designs or hidden reject options
  • Granular control: Users can accept some cookie categories (like analytics) while declining others (like marketing cookies) – no all-or-nothing 
  • Clear cookie policy: All cookies listed with purposes and lifespans
  • Proper cookie categorization: Only strictly necessary cookies are exempt; analytics and marketing require opt-in
  • No pre-consent tracking: Scripts blocked until the user makes an active choice 
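
One way to test the “no pre-consent tracking” and categorization items of this checklist, shown as an added example (not Cookie Information’s tooling): parse the `Set-Cookie` headers captured on a first page load, before the banner is touched, and compare them with the site’s declared cookie inventory. The cookie names, the inventory and the captured headers are constructed sample data.

```javascript
// Added example. Cookie names, inventory and headers are constructed sample data.

// Hypothetical inventory, as a cookie policy would declare it: name -> category.
const COOKIE_INVENTORY = new Map([
  ["session_id", "necessary"],
  ["csrf_token", "necessary"],
  ["_analytics_id", "statistics"],
  ["_ad_click", "marketing"],
]);

// Constructed capture: Set-Cookie values seen on first load, banner untouched.
const SAMPLE_NOW = Date.UTC(2026, 0, 1);
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_analytics_id=A1.2.111; Max-Age=63072000; Path=/",
  "_ad_click=xyz; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=.ads.example",
  "mystery=1; Path=/",
  "_ad_click=; Max-Age=0; Path=/", // a deletion, must not be reported
];

// Parse one Set-Cookie value into its name and lifespan in days.
// lifespanDays === null means a session cookie (no Max-Age, no Expires).
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), lifespanDays: null };
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) {
      cookie.lifespanDays = Number(val) / 86400;
    } else if (key === "expires") {
      expires = Date.parse(val);
    }
  }
  // Max-Age takes precedence over Expires (RFC 6265).
  if (cookie.lifespanDays === null && expires !== null && !Number.isNaN(expires)) {
    cookie.lifespanDays = (expires - now) / 86400000;
  }
  return cookie;
}

// Report every cookie stored before consent that is not declared "necessary",
// plus cookies missing from the inventory (these cannot be disclosed correctly).
function auditPreConsent(headers, inventory = COOKIE_INVENTORY, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header, now);
    if (c === null) {
      findings.push({ name: null, issue: "malformed", header });
      continue;
    }
    // Zero or negative lifespan removes a cookie; nothing is stored.
    if (c.lifespanDays !== null && c.lifespanDays <= 0) continue;
    const category = inventory.get(c.name);
    if (category === undefined) {
      findings.push({ name: c.name, issue: "unclassified", lifespanDays: c.lifespanDays });
    } else if (category !== "necessary") {
      findings.push({
        name: c.name,
        issue: "set-before-consent",
        category,
        lifespanDays: c.lifespanDays,
      });
    }
  }
  return findings;
}

console.log(auditPreConsent(SAMPLE_HEADERS, COOKIE_INVENTORY, SAMPLE_NOW));
```

Running the same audit on a capture taken after clicking “Reject” covers post-rejection cookie activity with no code changes.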

Preparing for 2026: what to do now

The DPA’s announcement is part of a broader European trend. Here’s how to get ahead – before someone else audits your site for you.

Start with three questions:

  • Can users decline cookies as easily as they accept?
  • Are all cookies categorized and disclosed in your cookie policy?
  • Is consent collected before non-essential tracking starts?

If any answer is “no” – or “I’m not sure” – you have work to do.

A good place to start is our free cookie compliance checker – a tool that scans and analyzes your website to give you an overview of your cookie banner, pre-consent cookie activity, unclassified cookies or trackers, and post-rejection cookie activity.

2. Evaluate your data sovereignty

Consider EU-based consent management and analytics with EU data residency. European companies with no US capital connections offer complete data sovereignty that US providers cannot guarantee.

3. Consider your analytics approach

If visitors declining consent creates blind spots in your analytics, consider platforms offering anonymous tracking alongside consent-based collection. This maintains visibility across your entire audience while staying compliant.

Looking ahead: The EU’s Digital Omnibus framework would enable first-party analytics without consent when specific technical criteria are met – first-party processing, no third-party sharing, statistical purposes only. Privacy-first platforms like Piwik PRO with Cookie Information are already positioned to meet these requirements.

When your CMP and analytics work together natively, consent signals flow automatically – no custom integrations, no compliance gaps. You can track consent rates, see how banner designs affect opt-ins, and adjust tracking based on user choices. The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO delivers this in one package, starting at €35/month.

The bottom line

The Danish DPA’s 2026 focus on cookie consent follows years of regulatory attention across the Nordic region. What makes it significant? The explicit acknowledgment that many websites still don’t give users genuine choice about cookies and tracking.

For compliant businesses, that’s an opportunity. When enforcement hits competitors cutting corners, you’ll keep operating, keep building trust, and keep collecting complete data.

Cookie consent compliance is not just about avoiding fines (under GDPR: up to 4% of global revenue). In a market where regulators actively target non-compliant practices, proper consent management becomes a genuine competitive advantage.

The question isn’t whether stricter enforcement is coming. It’s whether you’ll be ready when it does.


Frequently asked questions

What did the Danish DPA announce about cookie consent for 2026?

The Danish Data Protection Authority (Datatilsynet) announced that website tracking – specifically whether users have a genuine opportunity to decline cookies – will be an enforcement priority in 2026. They’re coordinating with Digitaliseringsstyrelsen (the Danish Agency for Digital Government), meaning two regulatory bodies will examine consent practices simultaneously.

What cookie consent violations is the Danish DPA targeting?

The DPA is targeting practices that deny users a “real opportunity to say no.” This includes dark patterns (making Accept prominent while hiding Reject), cookie walls (blocking content unless users accept), pre-checked consent boxes, asymmetric designs (one click to accept, multiple to decline), and missing granular consent options.

Does this only affect Danish websites?

No. This is part of a broader Nordic and EU enforcement trend. Norway tightened cookie consent requirements in January 2025, Sweden has ruled against Google Analytics, and the European Data Protection Board coordinates enforcement across member states. Any business targeting Nordic or EU audiences should ensure compliance.

What are the penalties for non-compliant cookie consent?

Under GDPR, fines can reach up to 4% of global annual revenue. Beyond fines, enforcement can result in orders to suspend data collection, which disrupts marketing campaigns and analytics. Reputational damage from public enforcement actions also affects customer trust.

Can I still collect analytics data if visitors decline cookies?

Yes, with the right setup. Anonymous tracking methods collect behavioral data (page views, traffic sources, engagement patterns) without personal identifiers. Because no personal data is involved, GDPR consent requirements don’t apply. This lets you maintain analytics visibility across your entire audience.

What’s the difference between EU hosting and EU data sovereignty?

EU hosting means your data is stored in EU data centers, but the company may still be subject to non-EU laws (like the US CLOUD Act). True EU data sovereignty means both the data AND the organization handling it are entirely under EU legal jurisdiction, with no foreign ownership or extraterritorial influence.

How do I know if my current cookie consent setup is compliant?

Check these elements: Can users decline as easily as accept? Can they choose specific cookie categories? Are all cookies disclosed with purposes and lifespans? Are non-essential cookies blocked until consent is given? If any answer is “no,” your setup may not survive regulatory scrutiny.

Take advantage of our free cookie compliance checker as a starting point – you’ll get an overview of your cookie banner compliance, pre-consent cookie activity, unclassified cookies or trackers, and post-rejection cookie activity.

What is the Digital Omnibus and how does it affect cookie consent?

The Digital Omnibus is an EU framework that would enable first-party analytics without consent when specific criteria are met: first-party processing only, no third-party data sharing, and statistical purposes only. Privacy-first analytics platforms are already designed to meet these requirements.

What’s the easiest way to set up compliant cookie consent with anonymous tracking?

The Cookie Banner + Analytics Plan from Cookie Information and Piwik PRO combines both in a native integration starting at €35/month. Cookie Information handles consent (auto-scanning, auto-blocking, WCAG-compliant banners in 44+ languages) while Piwik PRO provides analytics with anonymous tracking for visitors who decline cookies. Setup takes minutes – consent signals flow automatically across all modules without custom development.

How to design a user-friendly and compliant cookie banner in 2026

https://cookieinformation.com/blog/designing-compliant-cookie-banners/ (Cookie Information, Sat, 20 Dec 2025 13:40:00 +0000)

Let’s talk about cookie banner design, and – more specifically – how to make cookie banners clear, compliant, and user-friendly.

One crucial element we want to zone in on is buttons. 

Because their placement, color, or wording, can significantly impact users’ engagement, decisions, and ultimately, your cookie compliance. But many businesses still struggle with getting them right. 

Additionally, a lot has happened in the regulatory landscape within the last six months: Regulatory bodies across Europe have issued formal warnings, enforcement actions, and hefty fines targeting websites using non-compliant banners.

Particularly those based on deceptive design patterns – with buttons often being a subject of contention.

As data privacy regulations evolve, authorities are paying closer attention to the design elements of cookie banners and how they influence user choices. 

To keep you up to speed with the current legal landscape, we prepared an overview of:

  • The latest regulatory developments.
  • How they might affect you.
  • How to design a compliant, non-deceptive cookie banner (including a checklist).

Regulatory bodies such as the UK’s Information Commissioner’s Office (ICO), France’s Commission Nationale de l’Informatique et des Libertés (CNIL), and the Belgian Data Protection Authority (DPA) have tightened their enforcement on misleading cookie banners, particularly those that use dark patterns to manipulate user choices.

Belgian DPA’s action against illegal cookie banners

On September 6th 2024, the Belgian DPA took action against Mediahuis for the unlawful use of cookie banners on four of its news websites: De Standaard, Het Belang van Limburg, Het Nieuwsblad, and Gazet van Antwerpen.

Cookie banner design violations found by the Belgian DPA:

  • No “Reject All” button at the first layer: The websites did not provide an equally accessible option to reject all cookies at the first level of the banner, violating the principle of freely given and informed consent.
  • Deceptive button colors: The “Accept All” button was highlighted in an eye-catching color, while the refusal options were less visible, nudging users toward acceptance in a manipulative way.
  • Difficulties in withdrawing consent: The process to withdraw consent required multiple steps, making it significantly harder than giving consent, which goes against the principles in the General Data Protection Regulation (GDPR).
  • Placing non-essential cookies without prior consent: Cookies that were not strictly necessary were placed on users’ devices before obtaining explicit consent, which is a direct violation of cookie consent rules.

CNIL’s formal notice on misleading cookie banners

CNIL is the French National DPA. It has historically been quite strict in its interpretation and enforcement of the ePrivacy Directive and GDPR – which has resulted in a lot of hefty fines over the years.

In December 2024, CNIL issued formal warnings to websites using what they considered misleading cookie banners.

Cookie banner design violations found by CNIL:

  • Unequal button presentation: “Accept” buttons are easily visible, while “Reject” options are obscured, often hidden in plain text or styled to be less prominent.
  • Ambiguous wording: Certain phrasings, such as “I decline non-essential purposes,” create confusion about the choices being made.
  • Multiple “Accept” options: Banners present users with multiple “Accept” buttons, while the “Reject” option appears only once.
  • Layered rejection options: Users must click through multiple layers or sub-menus to reject cookies, making it more difficult than accepting.

ICO’s position on cookie banners and online tracking

The ICO is the UK national DPA. In late 2023, the ICO began a compliance review of the UK’s top 100 websites. The process resulted in the ICO issuing formal warnings to 53 of them. 

In January 2025, the ICO announced its plans to extend this review process to the UK’s top 1,000 websites, as part of its strategy for 2025, “Taking control: our online tracking strategy”.

The strategy aims to increase efforts to ensure that users are not pressured or tricked into sharing personal data, and to actively take enforcement action where harmful data collection practices persist.

As part of this strategy, ICO released updated guidance on how to manage consent in practice – including tightened cookie rules and specific guidelines for acceptable and non-acceptable design practices for cookie consent banners.

ICO’s updated cookie banner guidelines (2025):

  • Make it as easy to refuse consent as it is to accept. For example with equally prominent options to “Accept All” or “Reject All” non-essential cookies, or to customize choices via a “More Options” button.
  • Require a positive action from the user to indicate opt-in, before setting non-essential cookies.
  • Include “More Options” tabs of consent mechanisms with toggles for all non-essential cookies turned off by default.
  • Include granular options for different purposes or categories of cookies.
  • Include a function that allows users to withdraw or edit their consent, inform users where to find it and how to use it.

Start a free trial of Cookie Information CMP to get a compliant cookie banner UI design for your website in minutes.

How national DPAs influence EU-wide rules

If your business is neither French, Belgian, nor British, you might naturally think that their positions on the matter are irrelevant to you.

However, the regulatory decisions taken by CNIL, ICO, and the Belgian DPA are not just relevant to businesses operating in those specific countries. 

Because these rulings often set the stage for broader interpretations by the European Data Protection Board (EDPB), influencing future EU-wide guidance.

What is the EDPB?

The European Data Protection Board (EDPB) is an independent European body that ensures consistent application of relevant data privacy laws across the European Economic Area (EEA).

The EDPB helps businesses understand what constitutes compliance and reduces the risk of country-by-country discrepancies. For example, it does so by:

  • Ensuring that all DPAs interpret and enforce GDPR consistently, preventing discrepancies across different countries.
  • Providing input on new privacy laws, policies, and international data transfer agreements to ensure they align with privacy principles.
  • Settling cases of disputes between national DPAs, by issuing legally binding decisions that all European Union countries must follow.

Understanding the role of the EDPB is crucial because while the ePrivacy Directive and GDPR set the overall framework for data protection, they leave room for interpretation in certain areas – such as cookie banner layout.

When it comes to privacy laws like the ePrivacy Directive and GDPR, the details of how you should design your cookie banner can be confusing.

This is, in part, because the ePrivacy Directive and GDPR don’t explicitly address cookie banners or prescribe exact design requirements. Rather, the legal texts set broad principles for how you can use cookies, when to require explicit consent, and how you should obtain user consent.

This flexibility is intentional – it allows the privacy laws to apply across different technologies, industries, and user interfaces. Still, certain phrasings in both the ePrivacy Directive and the GDPR hint at how you should design your cookie banner.

  • You must provide users with “the opportunity to refuse to have a cookie or similar device stored on their terminal equipment” (ePrivacy Directive, Article 5(3)).
  • Your methods for “giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible” (ePrivacy Directive, Recital 25).
  • Your users “have the right to withdraw his or her consent at any time” (GDPR, Article 7(3)).
  • For users it should “be as easy to withdraw as to give consent” (GDPR, Article 7(3)).

Because these principles are broad and open to interpretation, regulatory bodies across Europe have different approaches to enforcement. This is where the EDPB comes in – to create a more unified standard for data privacy compliance.

In September 2021, the EDPB established the Cookie Banner Taskforce. The main purpose of the Taskforce is to coordinate responses to complaints concerning cookie banners and to promote cooperation, information sharing and best practices between the DPAs.

This is an instrumental task in ensuring a consistent approach to cookie banners across the EEA.

In January 2023, the Taskforce published a report on their work. In it, data protection authorities (DPAs) agreed on a shared understanding of key rules from the ePrivacy Directive and GDPR. 

They covered things like reject buttons, pre-ticked boxes, cookie banner design, and how users can withdraw consent.

The EDPB’s Cookie Banner Taskforce Report reinforces that design choices in cookie banners must not manipulate users into consenting. It outlines several problematic design practices in cookie banners that can mislead users and violate ePrivacy and GDPR requirements.

No reject button on the first layer

Some cookie banners only provide an “Accept” button on the first layer while hiding the reject option in a secondary menu.

Most authorities agreed this practice is non-compliant because it does not offer users an equally easy way to reject cookies.

Deceptive link design

Instead of a clear “Reject” button, some banners use small text links buried in paragraphs or placed outside the main banner.

This design is misleading and does not provide a clear, informed choice.

Deceptive button colors and contrast

Some banners make the “Accept” button visually prominent (e.g., bright colors, high contrast) while using low-contrast colors for the “Reject” button, making it hard to notice or read.

While there is no universal color standard, regulators agreed that buttons should not be designed in a way that unfairly nudges users into consenting.

No easy way to withdraw consent

Some websites do not offer an easily accessible way to withdraw consent after it has been given.

A simple, visible solution (such as a persistent hovering icon) should be available to allow users to revisit their choices.

How do the recent regulatory developments in data privacy affect you?

Let’s say you own a small online business that drives traffic from a list of different European countries.

As a website administrator, you must ensure that your cookie banner complies with the rules and guidelines of each visitor’s location.

And while the EDPB sets a common baseline for cookie banner compliance across the EU, national DPAs are free to enforce stricter or more specific interpretations – as seen with CNIL, the ICO, and the Belgian DPA.

So even if a ruling originates in one country, businesses across the EU should anticipate similar enforcement trends. 

Thus, the safest (and easiest) approach is to align your cookie banner with the strictest interpretations of the law to ensure full compliance.

So what should you change in your cookie banner design?

Taking into account the GDPR, ePrivacy Directive, EDPB, and recent rulings from national DPAs, the key question is:

How can you design a user-friendly cookie banner that ensures compliance?

Understanding these regulations and best practices is essential for creating a legally sound and user-friendly experience.

  • If an “Accept All” button is present, make sure a “Reject All” button is equally visible, styled similarly, and placed on the same level.
  • Buttons should have consistent size, font, and contrast to avoid nudging users toward one option.

2. Clear and concise language – no ambiguous wording

✔ Use explicit labels for buttons such as “Accept All” and “Reject All”.

❌ Avoid vague terms like “More Options” or “Customize” that obscure rejection options.

  • Users must be able to opt in or out of specific cookie categories (e.g., analytics, marketing, functional cookies) rather than facing an all-or-nothing choice.
  • These options should be immediately accessible, not buried in multiple layers of settings.
  • No implied consent: Simply continuing to browse the website must not be interpreted as consent.
  • Give users the option to actively select their preferences before setting non-essential cookies. 
  • Users must be able to change or revoke consent as easily as they gave it.
  • Provide users with a persistent, easily accessible method for revisiting preferences (like a preference management widget).

6. No deceptive design practices

Avoid dark patterns that manipulate user choice, such as:

  • Pre-ticked consent checkboxes (users must actively opt in).
  • Hiding the reject button behind multiple clicks or in small, low-contrast text.
  • Making the “Accept” button visually dominant (e.g., bright colors, larger size) while downplaying rejection options.
  • Using misleading wording that pressures users into accepting cookies.
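
The button-parity points above (a “Reject” option on the first layer, comparable size, font and contrast, no surplus “Accept” buttons) can be checked mechanically against a banner’s rendered styles. The following is an added example, not code from Cookie Information or from any regulator; the button descriptions are constructed, and the 80% parity tolerance is an assumption, since the text notes there is no universal color standard.

```javascript
// Added example: first-layer button parity check for a cookie banner.
// Thresholds are assumptions for illustration; regulators set no numeric standard.
const MIN_TEXT_CONTRAST = 4.5; // WCAG 2.x AA minimum for normal-size text
const PARITY_TOLERANCE = 0.8;  // assumed: reject must reach 80% of accept's value

// "#rrggbb" -> WCAG relative luminance (0 = black, 1 = white).
function relativeLuminance(hex) {
  const m = /^#([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`unsupported colour: ${hex}`);
  const [r, g, b] = [0, 2, 4].map((i) => {
    const c = parseInt(m[1].slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio between label text and button background (1 to 21).
// Text contrast is a legibility proxy; it does not capture every visual cue.
function contrastRatio(fg, bg) {
  const [hi, lo] = [relativeLuminance(fg), relativeLuminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// buttons: [{ role: "accept" | "reject", layer, color, background,
//             fontSize, width, height }] taken from computed styles.
function checkButtonParity(buttons) {
  const issues = new Set();
  const first = buttons.filter((b) => b.layer === 1);
  const accepts = first.filter((b) => b.role === "accept");
  const rejects = first.filter((b) => b.role === "reject");
  if (accepts.length === 0) return []; // no accept button to compare against
  if (rejects.length === 0) return ["reject-not-on-first-layer"];
  if (accepts.length > rejects.length) issues.add("more-accept-than-reject-buttons");

  // Compare every reject button with the most prominent accept button.
  const best = {
    contrast: Math.max(...accepts.map((b) => contrastRatio(b.color, b.background))),
    area: Math.max(...accepts.map((b) => b.width * b.height)),
    fontSize: Math.max(...accepts.map((b) => b.fontSize)),
  };
  for (const r of rejects) {
    const contrast = contrastRatio(r.color, r.background);
    if (contrast < MIN_TEXT_CONTRAST || contrast < best.contrast * PARITY_TOLERANCE) {
      issues.add("reject-low-contrast");
    }
    if (r.width * r.height < best.area * PARITY_TOLERANCE) issues.add("reject-smaller");
    if (r.fontSize < best.fontSize * PARITY_TOLERANCE) issues.add("reject-smaller-font");
  }
  return [...issues];
}

// Constructed banners: one nudging towards "Accept", one balanced, one layered.
const accept = { role: "accept", layer: 1, color: "#ffffff", background: "#1a7f37",
                 fontSize: 16, width: 160, height: 44 };
const NUDGING_BANNER = [accept, { role: "reject", layer: 1, color: "#9a9a9a",
                 background: "#ffffff", fontSize: 12, width: 90, height: 24 }];
const BALANCED_BANNER = [accept, { ...accept, role: "reject" }];
const LAYERED_BANNER = [accept, { ...accept, role: "reject", layer: 2 }];

console.log(checkButtonParity(NUDGING_BANNER));
console.log(checkButtonParity(BALANCED_BANNER));
console.log(checkButtonParity(LAYERED_BANNER));
```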

Frequently asked questions about compliant cookie consent banner design

Is it a legal requirement to have a cookie banner?

In many regions, yes. Laws like the GDPR (EU), ePrivacy Directive, and CCPA (California) require websites to obtain user consent before setting non-essential cookies. However, the exact requirements depend on your location and the types of cookies you use.

Does GDPR require a cookie banner?

GDPR requires websites to obtain clear, informed, and explicit consent for non-essential cookies. A cookie banner is the most common way to request this consent, but it must offer users a real choice, including the ability to reject cookies easily.

How should a cookie banner look?

A compliant cookie banner should be clear, user-friendly, and provide a balanced choice between accepting, rejecting, or customizing cookie settings. It should avoid misleading wording, pre-ticked boxes, or design elements that pressure users into accepting cookies.

How to create a cookie consent banner?

The easiest way to create a cookie banner is to implement a Consent Management Platform (CMP) to ensure compliance with privacy laws. A good CMP, like Cookie Information, allows you to customize the banner’s appearance and settings while keeping a record of user consents.

What should your cookie banner say?

It should inform users about what cookies are used, their purpose, and provide clear options to accept, reject, or adjust preferences. It should also link to a detailed cookie policy for further information.

Does a cookie banner affect SEO?

A cookie banner shouldn’t affect your SEO, as long as you use a responsive design, lightweight scripts, and maintain fast layout loading.

Do I need to store cookie consent?

Yes, under laws like GDPR, businesses must keep records of user consent as proof of compliance. This includes details like when consent was given, what options were selected, and how it was obtained.

Do I need a cookie banner for Google Analytics?

If you use Google Analytics with tracking cookies (e.g., for remarketing or behavioral tracking), privacy laws like GDPR and ePrivacy Directive require user consent. Using Google Consent Mode can help adjust tracking based on user preferences.

Do all websites need a cookie pop-up?

No. If your website only uses essential cookies (e.g., those necessary for site functionality), a banner may not be required. However, if you use tracking or marketing cookies, most privacy laws mandate user consent.

What are the different types of cookie banners?

  • Explicit opt-in banners (common in the EU) require users to actively accept cookies.
  • Opt-out banners (used in some regions) assume consent unless users decline.
  • Notice-only banners simply inform users about cookies but don’t seek consent. In most cases, these banners are not compliant.

What’s the best practice for adding cookie tracking to a website?

To ensure both compliance and performance, follow these best practices:

  • Use a Consent Management Platform (CMP): Implement a certified CMP like Cookie Information to collect, store, and manage user consent in accordance with GDPR and other data privacy laws.
  • Scan and categorize cookies: Perform a regular cookie audit to identify all cookies and trackers used on your site, and classify them by purpose (e.g. necessary, statistics, marketing).
  • Block prior to consent: Ensure that no cookies (except strictly necessary ones) are set before the user gives explicit consent.
  • Offer granular control: Let users choose between different categories of cookies, rather than forcing all-or-nothing consent.
  • Maintain consent logs: Keep detailed records of user consents to prove compliance if audited.
  • Update regularly: Re-scan your website and update the cookie declaration frequently, especially when adding new tools or services.

By following these steps, your site stays compliant, trustworthy, and respectful of your visitors’ privacy.

Does Google consent mode v2 affect how your cookie banner should look?

Yes, Consent Mode v2 requires websites to collect explicit user consent for ad personalization and data processing. This means that your cookie banners should offer granular consent options for different categories or purposes. You should also include a link to Google’s Business Data Responsibility site in your cookie banner and privacy policy.

Do I need a cookie banner if I’m only using Google Analytics or YouTube embeds?

Yes. Even tools like Google Analytics or embedded YouTube videos can set tracking cookies. Cookie consent banners are necessary to inform users and get their consent before those cookies are activated. If you’re using third-party content, make sure it’s blocked until the user agrees!

Can I just copy a cookie banner I saw on another site or YouTube tutorial?

No. Cookie banners must reflect your platform’s actual cookie usage and legal obligations. Following a random cookie banner tip online could leave you non-compliant. Instead, use a professional CMP like Cookie Information, which automatically scans your site and ensures your banner meets all regulatory requirements.

What is the Thailand PDPA? 2025 guide to consent, cross-border transfers and compliance

https://cookieinformation.com/blog/what-is-the-thailand-pdpa/ (published Wed, 26 Nov 2025 11:54:00 +0000)

Thailand’s PDPA enforcement just got serious – THB 21.5M (approximately €576,000 / USD 666,000) in fines issued in August 2025. If you’re running digital campaigns targeting Thai users, outdated consent banners and unapproved data transfers now carry real financial risk. Here’s what changed and how to stay compliant.


Key takeaways:

  • PDPA consent must be explicit, granular, and logged.
  • Cross-border transfer rules under Sections 28–29 are now enforceable.
  • CMPs can be hosted abroad if appropriate safeguards are in place.
  • PDPC enforcement is active (Aug 2025 fines, Oct 2025 DPO rule).
  • Transparent, compliant data practices build user trust and marketing credibility.
  • Anonymous tracking allows complete traffic visibility while respecting user choices.
  • Integrated martech stack (CMP + analytics + activation) simplifies compliance and improves performance.

Thailand’s privacy law landscape: what changed in 2024-2025

If you’re running digital marketing campaigns in Thailand or collecting data from Thai users, the compliance landscape changed dramatically in 2024-2025. What began as guidance has become active enforcement, complete with multimillion-baht fines and mandatory technical requirements for every marketing tool you use.

This guide cuts through the legal complexity to give you exactly what you need: clear requirements for cookie banners, analytics platforms, and cross-border data transfers, plus practical steps to ensure your marketing tech stack meets Thailand’s Personal Data Protection Act (PDPA) standards.

What is the Thailand PDPA?

Thailand has established comprehensive data protection standards that mirror – and in some cases exceed – European GDPR requirements. Understanding these rules is essential for any marketer operating in or targeting the Thai market.

The Personal Data Protection Act B.E. 2562 (PDPA) is Thailand’s comprehensive data-protection law, similar in scope and spirit to the EU’s GDPR. It governs how organizations collect, use, and disclose personal data belonging to individuals in Thailand.

The Act was published in the Royal Thai Government Gazette on 27 May 2019 and became fully effective on 1 June 2022, after pandemic-related postponements. Since then, the regulator – the Personal Data Protection Committee (PDPC) – has issued several clarifications and begun enforcing compliance.

Why the 2025 PDPA update matters

Since the PDPA’s full enforcement in June 2022, Thailand’s regulatory landscape has shifted from guidance to active enforcement. Three major developments in 2024-2025 fundamentally changed compliance obligations for digital marketers:

1. Active PDPA enforcement

In August 2025, the PDPC issued its first major administrative fines (over THB 21.5 million – approximately €576,000 / USD 666,000), signaling the end of the “grace period” approach.

2. New DPO rule

On 9 October 2025, a Royal Gazette notification made Data Protection Officers mandatory for all state agencies, with broader private sector implications expected.

3. Clarified obligations

PDPC Guidelines on Consent and Notification (September 2022) and Cross-Border Transfer Regulations (March 2024) now shape how websites, apps, and marketing tools must operate.

These changes signal Thailand’s move from a ‘grace period’ approach to strict enforcement, making compliance a business-critical priority rather than a future consideration.

What counts as personal data under the PDPA?

“Personal data” means any information that identifies an individual directly or indirectly – such as names, emails, phone numbers, IP addresses, or cookie identifiers.

“Sensitive personal data” (for example, religion, health, biometrics) requires explicit consent unless another lawful basis applies.

The PDPC has clarified that tracking and behavioral data (e.g., analytics IDs, device fingerprints) can qualify as personal data if they can reasonably identify a user.

Who must comply with Thailand’s PDPA?

The PDPA applies to any organization that:

  • collects, uses, or discloses personal data within Thailand; or
  • operates outside Thailand but offers goods or services to, or monitors the behavior of, individuals in Thailand.

In other words, even non-Thai companies must comply if they collect data from Thai users through websites, apps, or marketing platforms.

Thailand PDPA vs. GDPR vs. CCPA: quick comparison

If you’re already managing compliance for European or US markets, this comparison helps you quickly identify where Thailand’s requirements align with or diverge from frameworks you know. 

Pay particular attention to cross-border transfer mechanisms and consent standards – these create the most operational complexity when you’re running campaigns across multiple jurisdictions. 

Use this table to spot where you can leverage existing compliance infrastructure versus where Thailand requires unique implementation:

| Requirement | Thailand PDPA | EU GDPR | California CCPA/CPRA |
|---|---|---|---|
| Consent standard | Opt-in, affirmative action | Opt-in, affirmative action | Opt-out (right to say no) |
| Cookie consent required | Yes, for non-essential | Yes, for non-essential | No (but “Do Not Sell” applies) |
| Cross-border transfers | Adequacy or safeguards (Sections 28-29) | Adequacy or safeguards (SCCs, BCRs) | No restrictions (disclosure required) |
| Maximum fines | THB 5 million per offense | €20M or 4% global revenue | $7,500 per intentional violation |
| DPO requirement | State agencies (Oct 2025) + case-by-case | Required for certain processing | Not required |
| Data subject rights | Access, correction, deletion, portability | Access, correction, deletion, portability, objection | Access, deletion, opt-out of sale |
| Breach notification | Within 72 hours | Within 72 hours | Without unreasonable delay |

PDPA, cookies and consent management

For digital marketers, cookies and tracking technologies sit at the intersection of Thailand’s PDPA requirements and practical campaign execution. The 2022 Consent & Notification Guidelines clarified that consent-based tracking isn’t optional – it’s the legal foundation for most marketing analytics and personalization activities.

Cookies and similar technologies collect personal data about users. Under the PDPA, you must obtain valid, informed consent before setting any non-essential cookies.

The 2022–2025 consent and notification guidelines

In September 2022, the PDPC issued two important documents:

These clarify that consent must be:

  • Freely given and obtained through an affirmative action (opt-in)
  • Granular, with separate options for analytics, marketing, or functional cookies
  • Transparent, using plain, concise language
  • Withdrawable at any time, as easily as it was given
  • Recorded – controllers must keep proof of when and how consent was given

Healthcare, finance, and insurance organizations: Due to the sensitive personal data you process, PDPA compliance carries higher stakes and scrutiny. The PDPC explicitly lists health data, financial information, and biometric data as “sensitive personal data” requiring explicit consent. Consider conducting a formal Data Protection Impact Assessment (DPIA) before implementing new marketing tools or data activation workflows.

Your PDPA cookie banner needs to:

  • Display “Accept all” and “Reject all” buttons of equal prominence
  • Block non-essential cookies until consent
  • Provide a clear list of vendors and purposes
  • Maintain auditable consent logs

Cookie Information’s consent management platform addresses these requirements with WCAG accessible banners customizable to Thailand’s specific PDPA rules, including the mandatory ‘Accept all’ and ‘Reject all’ equal prominence, granular consent categories, and auditable consent logs that satisfy PDPC inspection requirements.

These rules closely mirror the GDPR and are now actively enforced in Thailand.

Building a PDPA-compliant analytics setup

Moving from non-compliant to compliant analytics doesn’t require replacing your entire stack – but it does require strategic choices about core platforms. Here’s how to build a foundation that supports both marketing performance and legal requirements:

Foundation layer: consent management

Required for compliance:

  • Deploy a compliant cookie banner before any tracking loads
  • Implement granular consent categories (necessary, analytics, marketing)
  • Block all non-essential cookies until consent is received

Recommended for audit readiness:

  • Maintain detailed consent records with timestamps and user preferences to demonstrate compliance if inspected by the PDPC
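
One way to enforce the foundation-layer requirements above in the browser, as an added example that is not Cookie Information’s or Piwik PRO’s code: a default-deny consent gate that fires tags only after an explicit opt-in and records each choice with a timestamp. The category names, method names and tag names are assumptions.

```javascript
// Added example, not Cookie Information's code. Category names, method names
// and tag names are assumptions chosen for illustration.
const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];
// Only deliberate user actions may change consent. Scrolling or continued
// browsing is never accepted as a signal (no implied consent).
const EXPLICIT_METHODS = ["accept_all", "reject_all", "save_preferences", "withdraw"];

class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.granted = new Set(["necessary"]); // every other category starts denied
    this.tags = new Map();                 // name -> { category, load, teardown, running }
    this.log = [];                         // append-only consent records
  }

  // Register a tag. `load` runs only once its category is granted; in a browser
  // it would inject the vendor script. It may return a teardown function
  // (for example one that deletes the vendor's cookies) used on withdrawal.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.tags.set(name, { category, load, teardown: null, running: false });
    this.sync();
  }

  // Apply a user's choice. Only a strict `true` counts as opt-in, so missing
  // or merely truthy values (pre-ticked defaults, strings) stay denied.
  update(method, choices = {}) {
    if (!EXPLICIT_METHODS.includes(method)) {
      throw new Error(`"${method}" is not an explicit consent action`);
    }
    const next = new Set(["necessary"]);
    for (const category of CATEGORIES) {
      const optedIn = method === "save_preferences" && choices[category] === true;
      if (method === "accept_all" || optedIn) next.add(category);
    }
    this.granted = next;
    this.log.push(Object.freeze({
      timestamp: this.clock(),
      method,
      granted: Object.freeze([...next].sort()),
    }));
    this.sync();
    return this.running();
  }

  // Start tags whose category is now granted, stop tags whose category was revoked.
  sync() {
    for (const tag of this.tags.values()) {
      const allowed = this.granted.has(tag.category);
      if (allowed && !tag.running) {
        tag.teardown = tag.load() || null;
        tag.running = true;
      } else if (!allowed && tag.running) {
        if (typeof tag.teardown === "function") tag.teardown();
        tag.teardown = null;
        tag.running = false;
      }
    }
  }

  running() {
    return [...this.tags].filter(([, tag]) => tag.running).map(([name]) => name).sort();
  }
}

// Constructed walk-through: three tags, an implied-consent attempt, a granular
// opt-in and a withdrawal. The clock is fixed so the log is reproducible.
function demo() {
  const fired = [];
  const gate = new ConsentGate(() => "2026-01-01T00:00:00.000Z");
  const tag = (name) => () => {
    fired.push(`load:${name}`);
    return () => fired.push(`unload:${name}`);
  };
  gate.register("session", "necessary", tag("session"));
  gate.register("analytics", "statistics", tag("analytics"));
  gate.register("ad-pixel", "marketing", tag("ad-pixel"));
  const beforeChoice = gate.running();

  let implied = "accepted";
  try { gate.update("scroll", { marketing: true }); } catch (err) { implied = "rejected"; }

  // "yes" is not a strict true, so marketing stays blocked.
  const afterOptIn = gate.update("save_preferences", { statistics: true, marketing: "yes" });
  const afterWithdraw = gate.update("withdraw");
  return { beforeChoice, implied, afterOptIn, afterWithdraw, fired, log: gate.log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The log entries are what an auditor would ask for: when the choice was made, by which action, and which categories it covered.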

Data collection layer: analytics platform

Required for compliance:

  • If transferring Thai user data abroad, verify your vendor provides Section 29 transfer safeguards (SCCs or BCRs)

Recommended for complete visibility:

  • Choose analytics that supports anonymous tracking for non-consenting users—this allows you to understand full traffic patterns while respecting user choices
  • Select a platform that can differentiate consented vs. anonymous data, giving you flexibility in how you use insights

Recommended for marketing performance:

  • Prioritize platforms offering real-time or near-real-time data processing (30-minute data freshness or better) to enable faster campaign optimization

Activation layer: marketing tools

Required for compliance:

  • Audit all pixels, tags, and tracking codes for PDPA compliance
  • Use tag management to control when marketing tools fire based on consent

Recommended for enhanced privacy:

  • Consider implementing server-side tracking to reduce client-side data exposure and improve data quality
  • Document data flows to each vendor with legal basis – this documentation proves invaluable during regulatory inquiries or audits

Our Cookie banner + Analytics plan offers a complete PDPA-compliant stack: Cookie Information’s consent platform captures and enforces user preferences, while Piwik PRO’s analytics continues gathering behavioral insights even from non-consenting visitors through privacy-safe anonymous tracking. 

This integration addresses the core PDPA challenge – collecting enough data to optimize marketing while respecting user choices and PDPA regulatory requirements.

Anonymous tracking under Thailand PDPA

One of the most valuable – yet underutilized – PDPA privacy compliance strategies is privacy-preserving anonymous tracking. When implemented correctly, it allows you to understand full traffic patterns, optimize user experience, and measure campaign effectiveness even for visitors who decline consent.

How it works legally

  • Collect session-level behavioral data without personal identifiers
  • No cookies required (uses cookieless tracking methods)
  • Compliant under legitimate interest basis for website improvement
  • Provides aggregate insights without individual tracking

Marketing benefits

  • Recover up to 40% of data typically lost to consent declines
  • Understand complete conversion funnels, not just consenting visitors
  • Optimize page performance and UX based on full traffic
  • Measure true campaign reach vs. consented-only subset

What you cannot do

  • Attribute anonymous sessions to identified users
  • Use for personalized advertising
  • Share anonymous data with third-party ad networks
  • Combine with other datasets to re-identify users

PARTNER SPOTLIGHT

“With Piwik PRO anonymous tracking, we got more traffic and more accurate data on where people are coming from. For example, before implementing anonymous tracking, Piwik PRO reported a similar number of sessions to GA4. After the change, Piwik PRO reports almost three times as many!”

Mikko Piippo

Consultant at Hopkins


Piwik PRO’s anonymous tracking captures behavioral signals like page views, referral sources, and conversion paths without cookies or personal data collection. When visitors later consent, the platform seamlessly upgrades to identified tracking with full attribution – giving you visibility into the entire journey while maintaining PDPA compliance throughout.

Cross-border data transfers and hosting (sections 28–29)

One of the most significant changes affecting international marketers came in March 2024, when Thailand’s cross-border transfer regulations took full effect. These rules directly impact where you can host analytics tools, how you process data through cloud services, and which vendors you can work with legally.

Thailand’s cross-border data-transfer regime took effect on 24 March 2024 through two PDPC Notifications. It regulates how Thai personal data can be sent abroad.

Section 28 – Transfers to “adequate” destinations

Under Section 28, data may be transferred to a country or international organization that has adequate data-protection standards, as determined by the PDPC.

As of late 2025, no official “adequacy list” has been published. Until then, adequacy must be assessed individually or justified using Section 29 mechanisms.

Countries and regions such as the EU/EEA, UK, Japan, and Singapore are widely considered likely candidates for adequacy, though this is not yet confirmed.

Section 29 – Appropriate safeguards when no adequacy decision exists

When transferring data to destinations not yet approved, you must implement appropriate safeguards, such as:

  • Binding Corporate Rules (BCRs): internal policies that apply across a corporate group, subject to PDPC approval.
  • Standard Contractual Clauses (SCCs): contractual terms ensuring data protection, enforceable rights, and remedies for Thai data subjects.
  • Certified frameworks: participation in recognized certification or code-of-conduct schemes, once approved by the PDPC.

Each safeguard must guarantee:

  • enforceable rights for individuals;
  • effective legal processes in the event of a breach; and
  • adequate technical and organizational security measures.

What this means for your analytics stack

Many marketing teams unknowingly violate Thailand’s transfer rules because popular digital marketing tools process data outside Thailand and may not have proper safeguards in place. Here’s what requires your immediate attention:

  • Google Analytics 4: Sends data to US servers (requires Section 29 safeguards)
  • Meta Pixel: Processes through multiple global data centers (compliance unclear without SCCs)
  • Most CDP platforms: Store data in US/EU clouds (need documented transfer mechanisms)
  • Email marketing platforms: Often replicate data across regions (requires vendor assessment)

Hosting digital marketing platforms outside Thailand

The PDPA does not require marketing tools like CMPs or analytics systems to be hosted in Thailand.

However, if your platform stores or processes Thai users’ data abroad, you must ensure:

  • The destination country qualifies as (or is expected to be) adequate under Section 28; or
  • You have valid safeguards under Section 29 (BCRs, SCCs, or certification); and
  • Your privacy or cookie notice clearly discloses the transfer and the protections applied.

Best practice:

  • Retain consent logs under your organization’s control (cloud hosting abroad is fine if compliant)
  • Include PDPA-aligned clauses in vendor contracts – including 72-hour breach notification and restrictions on onward transfers
  • Disclose your CMP’s hosting region (e.g., “Our consent system is hosted in the EU under PDPA-compliant safeguards.”)

Piwik PRO’s analytics platform offers EU-based hosting with documented PDPA-compliant transfer safeguards, giving marketers the complete behavioral data they need while maintaining clear legal standing under Sections 28-29. Unlike cloud-agnostic alternatives, data location and transfer mechanisms are explicit, documented, and audit-ready.

Data-transfer rules in Thailand: practical implications for marketers and developers

  • Map your data flows: identify all servers and vendors that receive Thai-user data.
  • Use documented safeguards: keep signed SCCs or BCR approvals on file.
  • Update privacy notices: inform users of overseas transfers and the legal basis.
  • Avoid assumptions: until the PDPC issues its adequacy list, Section 29 is your safest route.

Enforcement and DPO responsibilities (2025)

Thailand’s regulatory approach has evolved from educational to punitive. The August 2025 fines – totaling THB 21.5 million – represent the PDPC’s shift toward active enforcement, particularly targeting organizations with inadequate security measures and those failing to report breaches within mandated timeframes.

Enforcement is intensifying. In August 2025, the PDPC imposed fines totalling THB 21.5 million across five cases, citing failure to report data breaches and poor security measures.

On 9 October 2025, a Royal Gazette notification expanded the DPO appointment obligation to all state agencies, signaling stricter oversight in both public and private sectors.

The regulator now frequently inspects how organizations manage consent records, vendor contracts, and international data transfers.

Common violations triggering enforcement by the PDPC

Understanding what triggers PDPC scrutiny can help you prioritize compliance efforts:

  • Collecting data without valid legal basis – Most common in marketing contexts where consent is assumed rather than obtained
  • Failing to block cookies before consent – Non-essential tracking that loads before user choice
  • Inadequate vendor contracts lacking PDPA clauses – Third-party processors without proper data protection terms
  • Processing sensitive data without explicit consent – Particularly problematic in health, finance, and behavioral targeting
  • Cross-border transfers without safeguards – Using tools that send data abroad without Section 29 documentation
  • Missing or inadequate privacy notices – Failing to inform users about data collection purposes and legal basis

Penalties for non-compliance

  • Administrative fines: up to THB 5 million per offence
  • Civil damages: including punitive damages up to double the actual loss
  • Criminal penalties: up to one year’s imprisonment or THB 1 million fine for certain offences

While these penalties are lower than the GDPR’s global-turnover model, Thailand’s enforcement momentum means poor consent or data transfer practices carry serious financial and reputational risks.

Capture complete visitor data while meeting Thailand’s PDPA compliance requirements

Start your 30-day free trial of our Cookie banner + Analytics plan today – no credit card required, cancel anytime.

Frequently asked questions

What are Sections 28 and 29 of the PDPA?

Section 28 allows transfers to countries with adequate data-protection standards, as recognized by the PDPC.

Section 29 governs transfers to non-adequate destinations and requires “appropriate safeguards” such as BCRs, SCCs, or certification schemes ensuring enforceable data-subject rights and security measures.

Has Thailand published an official adequacy list yet?

No. As of late 2025, the PDPC has not published any formal adequacy list. Transfers should therefore rely on Section 29 safeguards.

Do websites need to host their consent management platform in Thailand?

No. The PDPA does not mandate local hosting. A CMP can be located abroad (EU, UK, Singapore, US, etc.) if proper transfer safeguards (BCRs, SCCs, certification) are in place and disclosed in your privacy or cookie policy.

What are Binding Corporate Rules (BCRs)?

BCRs are internal policies approved by the PDPC that legally bind all entities in a corporate group to protect personal data consistently, even when transferred abroad.

What are Standard Contractual Clauses (SCCs)?

SCCs are pre-approved contractual clauses between a data exporter and importer ensuring PDPA-level protection, data-subject rights, and legal remedies in the destination country.

Are there any PDPA-specific rules for cookie banners?

Yes – the 2022 PDPC Consent Guideline requires opt-in consent, a clear “Reject all” option, purpose-based choices, and logging of each consent. Implied or bundled consent is invalid.

What penalties apply for PDPA breaches?

Violations may lead to fines up to THB 5 million, civil damages, and even imprisonment for serious offences. The PDPC has already begun imposing fines in 2025.

How does anonymous tracking work under the PDPA?

Anonymous tracking collects behavioral data (page views, referral sources, session duration) without cookies or personal identifiers. It’s compliant under legitimate interest for website improvement and provides aggregate insights without individual identification. When users later consent, platforms can upgrade to identified tracking with full attribution.

What should I look for in a PDPA-compliant analytics vendor?

Key requirements include: documented Section 29 transfer safeguards (SCCs or BCRs), anonymous tracking capabilities for non-consenting users, Thailand or EU data residency options, integrated consent management or seamless CMP integration, auditable consent logs, and explicit data ownership terms with no third-party sharing.

Norwegian DPA sanctions 6 websites for Meta and Snapchat tracking pixel violations

https://cookieinformation.com/blog/norway-tracking-pixel-violation-sanctions/ (published Thu, 17 Jul 2025 13:06:30 +0000)

Six Norwegian websites caught sharing visitor data through Meta and Snapchat tracking pixels face enforcement actions. A children's crisis helpline fined approximately €25,000 (250,000 NOK) for inadvertently sharing vulnerable users' data with social media platforms. The warning is clear: understanding your tracking tools is now mandatory for data privacy compliance.

How Meta Pixel and Snap tracking pixels compromised user privacy

Picture this: you’re a teenager desperately seeking help after experiencing abuse, visiting what you believe is an anonymous helpline website. Unknown to you, Meta and Snapchat are tracking every click, collecting data that could be used for profiling. This isn’t fiction – it’s exactly what the Norwegian Data Protection Authority (Datatilsynet) uncovered in their groundbreaking enforcement actions against six websites.

The targeted websites – ranging from children’s crisis helplines to health information portals – were found to be sharing visitor data with tech giants without any legal basis. The consequences? One public service received a €25,000 fine (250,000 NOK), while others got formal reprimands. Importantly, the DPA explicitly warned that they were going easy this time. Future violations will face much harsher penalties.

It’s important to note that these organizations were providing valuable services to their communities. The violations appear to stem from technical oversights rather than deliberate attempts to exploit user data.

These cases reveal an important lesson: even well-intentioned organizations can inadvertently share visitor data with third parties due to gaps in understanding how tracking technologies work. Let’s dive into what went wrong and, more importantly, how to ensure your organization doesn’t become the next headline.

Stay compliant with Norway’s online tracking rules

Ensure your website meets legal requirements for cookies and tracking technologies like Meta and Snap Pixel – with tools that protect your users and your organization.


The pixel enforcement actions: understanding the scope

When the Norwegian DPA launched their investigations in March 2024, they weren’t randomly browsing websites. They strategically selected six platforms that handle particularly sensitive information, the kind of data that reveals our deepest vulnerabilities and most private struggles.

Think about it: when someone searches for information about depression, visits a support service for domestic violence victims, or researches STD symptoms, they’re revealing incredibly intimate details about their life. The DPA recognized that these digital footprints deserve the highest level of protection, especially when the visitors include vulnerable children and people in crisis.

The inspected websites painted a diverse picture of Norway’s digital landscape:

  • A helpline service for children experiencing violence, abuse, or other traumatic situations (operated by a municipality)
  • An online pharmacy where people purchase medications and health products
  • A religious organization’s platform for Bible distribution and accepting donations
  • A medical services website for booking doctor appointments
  • A support service specifically designed for children with incarcerated parents
  • A comprehensive health information portal covering various diseases and medical conditions

What united these seemingly different platforms? They all used tracking pixels from Meta (Facebook/Instagram) and/or Snap (Snapchat) that silently transmitted visitor information to these tech giants.

Even more troubling, the website operators were often unaware of what was actually happening behind the scenes. This isn’t surprising given the technical complexity of modern tracking technologies and the rapid evolution of privacy regulations.

Key tracking pixel violations uncovered by Datatilsynet (June 2025)

The most alarming fact is that every single website failed the most basic GDPR requirement: having a lawful basis for processing personal data. The tracking pixels weren’t just counting anonymous visits. They were transmitting a cocktail of personal identifiers that, when mixed with Big Tech’s existing data pools, created detailed profiles of real people. This included:

  • Unique user identifiers that persist across browsing sessions (stored in cookies like _fbp and _scid)
  • IP addresses that can pinpoint your location and identify your household
  • Detailed page URLs revealing exactly what health conditions, problems, or interests you’re researching
  • Device fingerprints including your browser type, screen resolution, and operating system
  • Timestamp data showing patterns of when and how often you visit

If you happened to be logged into Facebook or Snapchat in the same browser, these platforms could directly link your sensitive website visits to your real-world identity. Imagine Facebook knowing about your child’s mental health struggles or Snapchat tracking your visits to addiction support pages.
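
A check a site owner can run over a captured page load to find the kind of pre-consent data flow described above (added example, not taken from the DPA decisions or the original article). Only the cookie names _fbp and _scid come from the article; the capture format, hostnames and sample events are constructed.

```javascript
// Added example: audit what a page did before the visitor made a consent choice.
// The capture format is an assumption: a list of timestamped events exported
// from a test browser session (cookies written, requests sent).
const TRACKER_COOKIES = ["_fbp", "_scid"]; // the two identifier cookies the article names

// Simplified same-site test: strips "www." and compares host suffixes. A
// production audit would use the Public Suffix List instead.
function isThirdParty(requestHost, pageHost) {
  const site = pageHost.replace(/^www\./, "");
  return requestHost !== site && !requestHost.endsWith("." + site);
}

function auditPreConsent(capture) {
  const page = new URL(capture.pageUrl);
  // consentAt === null means the visitor never made a choice, so every event counts.
  const cutoff = capture.consentAt === null ? Infinity : capture.consentAt;
  const findings = [];

  for (const ev of capture.events) {
    if (ev.t >= cutoff) continue; // events after an explicit choice are out of scope here

    if (ev.type === "cookie" && TRACKER_COOKIES.includes(ev.name)) {
      findings.push({ t: ev.t, issue: "identifier-cookie-before-consent", detail: ev.name });
    }

    if (ev.type === "request") {
      const req = new URL(ev.url);
      if (!isThirdParty(req.hostname, page.hostname)) continue;
      // searchParams decodes percent-encoding, so an encoded page URL is still found.
      const leaksPage = [...req.searchParams.values()].some(
        (value) => value.includes(page.href) ||
                   (page.pathname.length > 1 && value.includes(page.pathname))
      );
      findings.push({
        t: ev.t,
        issue: leaksPage ? "page-url-sent-to-third-party" : "third-party-request-before-consent",
        detail: req.hostname,
      });
    }
  }
  return findings;
}

// Constructed sample capture (all hosts are placeholders under .example).
const SAMPLE_CAPTURE = {
  pageUrl: "https://www.helpline.example/get-help/violence-at-home",
  consentAt: 5000, // ms after navigation when the visitor clicked a banner button
  events: [
    { t: 120, type: "request", url: "https://www.helpline.example/assets/app.js" },
    { t: 300, type: "cookie", name: "_fbp", domain: ".helpline.example" },
    { t: 310, type: "request",
      url: "https://pixel.vendor.example/collect?ev=PageView&u=" +
           encodeURIComponent("https://www.helpline.example/get-help/violence-at-home") },
    { t: 400, type: "request", url: "https://fonts.cdn.example/font.woff2" },
    { t: 420, type: "cookie", name: "session_id", domain: "www.helpline.example" },
    { t: 6000, type: "cookie", name: "_scid", domain: ".helpline.example" },
  ],
};

for (const finding of auditPreConsent(SAMPLE_CAPTURE)) {
  console.log(`${finding.t}ms  ${finding.issue}  ${finding.detail}`);
}
```

The third finding type is a review item rather than a violation on its own: a third-party request that carries no page URL may still expose the visitor's IP address to that host.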

2. Processing special categories of personal data

The GDPR treats certain types of data as especially sensitive – health data, information about children, religious beliefs, and sexual orientation all fall into this “special category” bucket, requiring extra-strict protection.

The Norwegian DPA left no room for interpretation: when someone repeatedly visits pages about epilepsy, searches for depression symptoms, or accesses LGBTQ+ health resources, you’re processing health data. It doesn’t matter if they never fill out a form or create an account. The pattern of visits alone reveals sensitive health information.

One health information website argued that visitors might just be curious or doing research for others. The DPA rejected this argument. They pointed to recent EU court decisions confirming that even indirect health information – the kind you can deduce from browsing patterns – deserves full protection under Article 9 of the GDPR.

Referenced EU decisions on health information privacy:

C-184/20 – About how indirect information can be special category data

C-252/21 – About tracking on health/dating websites being special category data

C-21/23 – About online pharmacy purchases revealing health information

The children’s services cases were particularly serious. Kids reaching out for help about abuse, violence, or family trauma had their vulnerable moments tracked and packaged for tech companies. The DPA emphasized that children deserve enhanced protection, especially when they’re seeking help for traumatic experiences.

3. Misleading or absent privacy information

The DPA’s review of privacy documentation across all six websites revealed systematic failures in transparency and accuracy – not just minor oversights, but fundamental breakdowns in communicating data practices to users.

The most serious violation came from the children’s helpline, which prominently promised anonymity throughout their website while simultaneously feeding visitor data to Meta and Snapchat. Other common failures included:

  • Privacy policies claiming “we don’t process sensitive data” while health information flowed freely to third parties
  • Cookie notices using complex technical terminology inappropriate for the intended audience, particularly problematic on sites serving children or people in distress
  • No mentions of Meta Pixel or Snap Pixel in privacy documentation
  • No explanation about data processing and data retention – what these companies would do with the data or how long they’d keep it
  • Generic statements about “improving user experience” without explaining the real purpose: targeted advertising

One website’s privacy policy hadn’t been updated since 2018 – years before they had even installed the tracking pixels.

The DPA also found textbook examples of “dark patterns” – design tricks that nudge you toward the least privacy-friendly option.

Picture this: you land on a health website desperately seeking information. A cookie banner blocks your access with three options:

  • “Accept all cookies” (in bright, eye-catching blue)
  • “Customize” (in barely visible gray)
  • “Necessary only” (also in gray, blending into the background)

Guess which option most stressed visitors clicked? The DPA called this out as psychological manipulation, especially problematic when targeting vulnerable populations. Other consent sins included:

  • Pre-ticked boxes for marketing cookies (a big GDPR no-no)
  • Bundling different purposes together, forcing an all-or-nothing choice
  • Making privacy-friendly options require multiple clicks while “Accept all” was one tap away
  • Using fear-inducing language suggesting the site wouldn’t work properly without tracking

The DPA made it crystal clear: true consent means real choice, presented fairly, without tricks or pressure.

The €25,000 fine: Norway’s message to public sector websites

While five websites received reprimands, the children’s helpline was penalized with a €25,000 fine (250,000 NOK). Why did this case warrant monetary punishment when others didn’t?

The DPA laid out several aggravating factors that pushed this case over the edge:

Four factors that escalated this tracking pixel violation to a fine

Violation of governmental duty

As a government service funded by taxpayers, the helpline had an elevated duty of care.

Citizens should be able to trust public services with their most vulnerable moments. When a municipality promises anonymous help for abused children but inadvertently enables commercial tracking, it shatters public trust in government services.

Impact on vulnerable minors

The service specifically targeted children aged 7-18 experiencing violence, abuse, or neglect. These aren’t just any website visitors – they’re kids in crisis, often with nowhere else to turn.
The DPA noted that many of these children likely couldn’t confide in parents or other adults, making the service their lifeline.

Misrepresentation of data practices

The website prominently advertised anonymity in multiple places, including pop-up buttons for the chat service.
This wasn’t just a privacy policy buried in small print – it was a core promise splashed across the site. This disconnect between stated privacy practices and actual data handling created a significant compliance gap that particularly concerned the DPA given the vulnerable user base.

Extensive scope of breach

With approximately 73,800 visits in 2023 alone, including 11,000 visits to pages specifically for “Children 7-12 years” and “Teenagers 13-18 years,” the breach affected thousands of vulnerable young people across Norway.

Interestingly, the DPA originally planned to fine them €30,000 (300,000 NOK) but reduced it to €25,000 (250,000 NOK) in recognition of the municipality’s cooperative response and immediate remediation efforts. The message? Quick action and genuine contrition can reduce the sanction, but they won’t eliminate consequences entirely.

Industry-specific implications from the six cases

Let’s dig deeper into what each case reveals about sector-specific privacy risks and why certain industries need to be extra cautious with tracking technologies.

1. Healthcare and pharmaceutical websites: the online pharmacy and health portal cases

The online pharmacy and health information portal cases establish critical precedents that should make every healthcare website operator nervous.

The health portal case was particularly revealing. The DPA’s digital inspection on March 19, 2024, uncovered significant violations from Norway’s largest health information provider, serving hundreds of thousands of weekly visitors. They offered a symptom checker and disease database covering 2,187 conditions. The site even asked visitors upfront whether they were healthcare professionals to “personalize” content.

Here’s what made their Meta Pixel use especially problematic:

  • The organization appears to have misunderstood that even anonymous browsing patterns could constitute health data processing.
  • Visitors researching specific conditions unknowingly shared their health interests with Meta
  • The tracking occurred despite their privacy policy claiming they “generally don’t process sensitive personal data”
  • Their elaborate consent banner with 81 partners couldn’t save them – the consent wasn’t valid for health data

The DPA’s message to healthcare sites? Your entire website is essentially a special category data processor. Every page view potentially reveals health information. If someone repeatedly visits pages about diabetes, depression, or STDs, you must assume they have a personal health interest.

The online pharmacy case reinforced this stance. When people browse medication categories or health products, they’re revealing health information – whether they complete a purchase or not. The DPA made clear that the sensitive nature of health data means marketing interests will almost never outweigh privacy rights in any legitimate interest assessment.

2. Religious and belief-based organizations: the Bible distribution case

The religious organization’s website handled Bible text publication, book sales, and donation collection. While seemingly less sensitive than health sites, the DPA highlighted unique privacy risks:

  • Regular visits to religious content can reveal spiritual beliefs or religious affiliation
  • Donation patterns might indicate level of religious commitment
  • Children accessing religious content deserve special protection from commercial tracking

The organization’s use of Meta and Snapchat pixels meant that these platforms could potentially identify individuals exploring Christianity, perhaps during vulnerable moments of spiritual searching or crisis. Like many organizations, they were unaware that religious content engagement patterns could reveal protected belief data.

The DPA emphasized that freedom of religion includes the right to explore beliefs privately, without commercial surveillance.

This case sends a clear message to all faith-based organizations: your digital spaces should be sanctuaries from commercial tracking, just like your physical places of worship.

3. Support services and vulnerable populations: the children’s helpline cases

Two cases involved services specifically for children in crisis – the municipal helpline for abuse victims (inspected on March 14, 2024) and the support service for children with incarcerated parents. These cases revealed the serious privacy implications when support services get tracking wrong.

The imprisoned parents’ support service case highlighted how seemingly narrow use cases can affect vulnerable populations. Children dealing with parental incarceration face stigma, emotional trauma, and social isolation. When they seek support online, they shouldn’t worry about tech companies building profiles based on their family trauma.

Both services made similar mistakes:

  • Believing that anonymity promises for direct contact extended to all website interactions, a common misconception behind these violations
  • Assuming that promising confidentiality for direct contact (phone/chat) was enough
  • Failing to understand that tracking pixels capture the entire journey, not just form submissions
  • Underestimating how visit patterns could reveal a child’s situation to data brokers

The DPA’s verdict was uncompromising: if you serve vulnerable populations, especially children in crisis, third-party tracking is almost certainly inappropriate. The trust relationship these services depend on is incompatible with commercial surveillance.

4. Medical services: the appointment booking platform case

The doctor appointment booking website represented another flavor of health data exposure. The platform appears to have misunderstood that appointment booking data requires the same protection as direct health information. Unlike passive information sites, this platform facilitated actual medical service bookings, creating additional privacy complications:

  • Visitors weren’t just researching – they were taking concrete steps toward medical treatment
  • The types of specialists viewed or booked could reveal specific health conditions
  • Appointment patterns over time could indicate chronic conditions or ongoing treatments

The case reinforced that any website touching healthcare – whether providing information, selling products, or booking services – must treat all visitor data as potentially revealing health information.

Updated compliance recommendations from the Norwegian DPA (June 2025 compliance guide)

Notably, all organizations demonstrated good faith by immediately addressing the issues once they understood the implications. Following these regulatory actions, the Norwegian DPA didn’t just walk away. They published new detailed guidance about the use of tracking tools on websites and in apps.

Here’s what they want every website operator to understand and implement:

1. Conduct thorough tracking audits (and actually understand what you find)

The DPA found that many organizations lacked awareness of what tracking technologies lived on their websites. They recommend:

  • Map every single tracking technology: Use automated scanning tools, but don’t stop there. Manually review your site’s code, tag managers, and third-party integrations. The DPA found pixels that website owners didn’t even know existed.
  • Understand the data flow: For each tracker, document exactly what data it collects, where it sends that data, and what happens to it afterward. If you can’t explain this clearly, you shouldn’t be using the tracker.
  • Pay special attention to invisible tracking: Pixels don’t appear in cookie scanners but can be even more invasive. Check your source code for scripts from facebook.com, snapchat.com, google-analytics.com, and similar domains.
  • Review regularly: The children’s helpline added trackers for a 2020 campaign and forgot about them. Set quarterly reviews to catch outdated trackers that outlive their purpose.

2. Assess your audience and content sensitivity

The DPA wants organizations to take a hard look in the mirror and honestly assess their privacy risks. This means:

  • Consider your most vulnerable visitors: A health site might serve elderly people researching dementia, teenagers exploring sexuality, or parents researching childhood disorders. Design privacy protections for your most vulnerable users, not your average visitor.
  • Think about cumulative patterns: One visit to a depression article might mean nothing. But weekly visits over three months? That’s a mental health journey being tracked. The DPA emphasized that patterns over time reveal more than individual page views.
  • Examine indirect inferences: The religious site argued they just provided Bible texts. But the DPA noted that regular engagement with religious content, especially combined with donation data, reveals protected beliefs. Ask yourself: what could a data analyst deduce from visitor patterns?
  • Remember intersectionality: A visitor to the incarcerated parents’ support site might also be dealing with poverty, racial discrimination, or mental health challenges. Multiple vulnerabilities compound privacy risks.

3. Implement privacy-first design (not privacy as an afterthought)

The DPA’s strongest recommendation? If you handle sensitive data or serve vulnerable populations, just say no to third-party tracking. But if you absolutely must track, they outline strict requirements:

  • Default to privacy: Make “reject all” as prominent and easy as “accept all” – same color, same size, same number of clicks. The health portal’s blue “accept” button versus gray “reject” option was specifically called out as manipulation.
  • Embrace true anonymity: If you promise anonymity, deliver it. The DPA suggested privacy-preserving analytics that process data on your servers without sharing raw visitor information with third parties.
  • Layer your privacy controls: Implement privacy at multiple levels – anonymous by default, optional accounts with clear data handling, and granular controls for any enhanced features.
  • Test with real users: The DPA noted that privacy policies written by lawyers often confuse regular people. Test your privacy communications with actual users, especially from vulnerable groups you serve.

Valid consent isn’t just a legal checkbox – it’s about respecting visitor autonomy. The DPA’s requirements include:

  • Visual equality: Every consent option must be equally visible and accessible. No color tricks, no size differences, no hiding privacy-friendly options behind extra clicks.
  • Granular control: Visitors must be able to consent separately for different purposes. Bundling analytics, personalization, and marketing into one “accept” choice violates GDPR. The DPA specifically praised solutions allowing purpose-by-purpose decisions.
  • Age-appropriate communication: The children’s helpline used technical jargon to describe tracking to kids as young as seven. The DPA demands plain language adapted to your actual audience. If kids use your site, a child should understand your privacy notice.
  • Consequences transparency: Visitors must understand what happens when they consent. “Improving your experience” doesn’t cut it. Explain that Meta will combine visit data with social media profiles for ad targeting across the internet.
  • Genuine choice: The medical booking site made tracking consent seem necessary for appointments. The DPA clarified: core services must work without tracking consent. No coercion, no feature blocking, no emotional manipulation.

Norway’s data privacy enforcement has undergone a dramatic transformation that every website operator needs to understand.

The old world (before the 2025 update to the E-Com Act)

Cookie compliance enforcement fell under the telecom authority (Nkom) while the DPA handled data processing – a split system that created enforcement gaps.

Unlike many EU countries that aligned cookie consent with GDPR requirements, Norway’s rules remained vague and permissive. Penalties were rare, investigations reactive, and many organizations operated in blissful ignorance – a stark contrast to the strict enforcement already happening across Europe.

The game changed completely with the new E-Com Act, in force from January 2025. With Norway’s updated privacy law, the DPA now controls both cookie placement AND data processing, with:

  • Unified enforcement authority (no more jurisdictional gaps)
  • Mandatory GDPR-compliant consent for all cookies
  • Proactive sector sweeps instead of reactive complaints
  • Technical expertise to catch violations at scale
  • Explicit warnings that future penalties will be severe

The €25,000 fine sends a clear signal: the era of “we didn’t know” is over. As these cases show, the DPA gave educational warnings this time – but explicitly stated future violations face much harsher consequences. The bottom line: Norway has joined Europe’s privacy enforcement elite, and claiming confusion won’t save you.

Technical considerations for digital marketing teams

If you’re in marketing, this section will help you understand the technical complexities that led to these violations. Those tracking pixels you copy-pasted from Meta’s Business Manager? They might be doing way more than counting conversions. Here’s what you need to know about pixel functionality.

Understanding tracking pixels: from marketing tool to privacy risk

Here’s the critical point the Norwegian cases revealed: many organizations had tracking pixels installed but didn’t understand when they fired or what data they sent. Let’s clear this up:

The myth: “Our pixels only track when people consent, and the data is anonymous anyway.”

The reality in these Norwegian tracking pixel cases:

  • Pixels were firing before valid consent was obtained (or with manipulated consent)
  • When they fired, they sent far more than “anonymous” data:
    • Unique identifiers that persist across websites (_fbp cookie)
    • IP addresses enabling household-level identification
    • Exact URLs revealing what health conditions or problems people were researching
    • Browser fingerprints that can uniquely identify devices
    • Direct profile matching when users were logged into Facebook

The compliance gap: Yes, properly configured consent management can prevent pixels from firing without consent. But the Norwegian pixel violation cases showed organizations had either:

  • No consent mechanism implemented at all
  • Invalid consent flows with dark patterns
  • Pixels loading regardless of the website visitors’ consent choices
  • No visibility into their pixel behavior

What this means for marketers:

If you haven’t personally verified that your pixels respect consent choices, you’re at risk. The children’s helpline thought they were just measuring campaign reach. Instead, they were sharing children’s data with Meta. Their mistake? Assuming the pixel was “privacy-safe” without actually checking.

The lesson isn’t that all pixel use is illegal – it’s that you must understand and control when pixels fire and what data they share. Without proper consent management, that innocent conversion tracking becomes a privacy violation.
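What controlling when pixels fire can look like in code, as an added example that is not from the original article and is not Cookie Information's SDK: a gate that holds every tag until its own purpose has been granted, starts with nothing optional ticked, and records each decision. The `ConsentGate` class, the tag names and the `tracker.example` / `stats.example` URLs are hypothetical.

```javascript
'use strict';

// Purposes a visitor decides on separately; only 'necessary' is on by default.
const OPTIONAL_PURPOSES = ['statistics', 'personalization', 'marketing'];

class ConsentGate {
  // loadTag is injected so the gate can be exercised without a browser.
  constructor(loadTag) {
    this.loadTag = loadTag;
    this.granted = new Set(['necessary']); // no pre-ticked optional purposes
    this.pending = [];                     // tags still waiting for consent
    this.loaded = new Set();               // names of tags already injected
    this.log = [];                         // documented consent decisions
  }

  // Register a tag instead of pasting its snippet into the page template.
  register(tag) {
    if (tag.purpose !== 'necessary' && !OPTIONAL_PURPOSES.includes(tag.purpose)) {
      throw new Error(`unknown purpose: ${tag.purpose}`);
    }
    this.pending.push(tag);
    return this.flush();
  }

  // choices, e.g. { statistics: true, marketing: false }.
  // Purposes that are not listed keep their current state.
  decide(choices, now = new Date()) {
    for (const [purpose, allowed] of Object.entries(choices)) {
      if (!OPTIONAL_PURPOSES.includes(purpose)) {
        throw new Error(`unknown purpose: ${purpose}`);
      }
      if (allowed === true) this.granted.add(purpose);
      else this.granted.delete(purpose);
    }
    this.log.push({
      at: now.toISOString(),
      granted: OPTIONAL_PURPOSES.filter((p) => this.granted.has(p)),
    });
    return this.flush();
  }

  // Load every pending tag whose purpose is granted; return the names fired.
  flush() {
    const fired = [];
    this.pending = this.pending.filter((tag) => {
      if (!this.granted.has(tag.purpose)) return true; // stays blocked
      if (!this.loaded.has(tag.name)) {
        this.loaded.add(tag.name);
        this.loadTag(tag);
        fired.push(tag.name);
      }
      return false;
    });
    return fired;
  }
}

// Browser loader: the only place a third-party script element is created.
// A script that is already running keeps running until the next page load,
// so a withdrawal takes full effect from the following navigation.
function injectScript(tag) {
  const el = document.createElement('script');
  el.src = tag.src;
  el.async = true;
  document.head.appendChild(el);
}

// Constructed tags for illustration.
const CAMPAIGN_PIXEL = { name: 'campaign-pixel', purpose: 'marketing', src: 'https://tracker.example/pixel.js' };
const SITE_STATS = { name: 'site-stats', purpose: 'statistics', src: 'https://stats.example/collect.js' };
```

In a page, create one gate with `new ConsentGate(injectScript)`, register every tag through it, and call `decide()` from the banner's buttons.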

Ready to take control of your tracking setup?

Cookie Information’s WCAG-accessible consent banner templates eliminate dark patterns by design, while Piwik PRO’s anonymous tracking delivers the analytics insights you need. Get the measurement you want and the privacy compliance you need.

Alternative approaches: privacy-preserving analytics for modern marketers

The Norwegian DPA isn’t saying “don’t measure anything.” They’re saying “keep visitor data within your control.” Here are practical alternatives that respect users’ privacy while delivering marketing insights:

Server-side analytics replace client-side tracking:

  • Instead of pixels phoning home to Meta, process data on your own servers
  • You still learn about traffic sources, popular content, and conversion paths
  • But raw visitor data never leaves your control
  • Tools like Piwik PRO offer these capabilities

Statistical sampling instead of universal tracking:

  • Do you really need to track every single visitor to understand trends?
  • Privacy-preserving systems can extrapolate insights from anonymized samples
  • Like political polling – you don’t need to survey everyone to understand population trends

Aggregated conversion APIs for campaign measurement:

  • Instead of pixel-based tracking, use privacy-preserving conversion APIs
  • These report campaign effectiveness without exposing individual journeys
  • Apple’s SKAdNetwork and Google’s Privacy Sandbox (despite flaws) point toward this future

First-party data strategies that build trust:

  • Offer genuine value in exchange for voluntary data sharing
  • Email newsletters, account benefits, and loyalty programs create consensual data relationships
  • When people explicitly choose to share, you avoid the privacy violations plaguing pixel-based tracking

Implementation steps for compliant analytics setup:

  • Audit your current tracking (what data leaves your site?)
  • Define essential metrics (what do you actually need to know?)
  • Choose privacy-preserving alternatives (assess ready-made tools like Piwik PRO Analytics vs. custom builds)
  • Update team skills for consent-based marketing strategies
  • Tell your story as a privacy-respecting brand and make it a visible selling point.

The key insight? Privacy-respecting analytics might provide less granular data, but they build trust – and trust converts better than any retargeting campaign.

“81% of consumers consider trust a deciding factor when making purchase decisions.”

2024 Edelman Trust Barometer

The Norwegian cases highlight a painful truth: most organizations are flying blind when it comes to tracking technologies. You need more than good intentions – you need robust tools and expertise. Here’s how the combined power of Cookie Information and Piwik PRO addresses each challenge revealed in these enforcement actions:

Discover what’s really happening on your website:

Our automated scanning technology finds cookies, pixels, and online tracking technologies across your website – including those invisible pixels the Norwegian websites missed. You’ll get a complete inventory with clear explanations of what each technology does and which third parties receive data.

Our consent management platform eliminates dark patterns by design with compliant banner templates. Equal prominence for all options, granular purpose-level controls, and automatic preference synchronization across devices. We’ve analyzed thousands of consent flows to optimize for both compliance and user experience – because confused visitors can’t give valid consent.

Keep analytics without compromising user privacy:

Piwik PRO’s analytics platform processes data under your control, not Big Tech’s. Track conversions, measure campaigns, and understand user journeys – all without sharing raw data with third parties. Our privacy-by-design architecture means you can promise visitors their data stays with you and actually keep that promise.

Prove compliance with comprehensive documentation:

When regulators come knocking (and they will), you need evidence. Our platform automatically generates audit-ready privacy compliance records showing what technologies you use, what consent you obtained, and how you honor user choices.

Stay ahead of evolving data privacy regulations:

Privacy law changes constantly. Our team monitors enforcement actions like these Norwegian cases, updating our platforms to address new requirements before they become your problem. We turn regulatory intelligence into product features, keeping you compliant automatically.

The merger of Cookie Information and Piwik PRO creates something unique: a complete privacy-first marketing technology stack. You’re not just avoiding fines – you’re building sustainable, trust-based customer relationships.

Ready to make your website tracking-compliant in Norway?

Avoid illegal data sharing and build trust with a fully compliant consent banner. Cookie Information and Piwik PRO help you control cookies, pixels, and trackers – without compromising insights.

  • GDPR- and E-Com Act–compliant
  • Blocks Meta and Snap Pixels before consent
  • Tracks anonymously with privacy-first analytics


Frequently asked questions

What exactly are Meta Pixel and Snap Pixel?

Meta Pixel (formerly Facebook Pixel) and Snap Pixel are small pieces of code that website owners add to their sites to track visitor behavior. They collect data about page visits, actions taken, and user characteristics, then send this information to Meta (Facebook/Instagram) and Snapchat respectively. This data is used for ad targeting, conversion tracking, and audience building. The Norwegian cases showed these pixels were collecting far more data than website owners realized.

How can I check if my website has tracking pixels installed?

You can use browser developer tools (press F12) and check the Network tab for requests to facebook.com, snapchat.com, or other third-party domains. Look for scripts containing “fbevents.js” or similar tracking codes. However, for a comprehensive audit, use professional scanning tools like Cookie Information’s compliance checker or consent management platforms that can detect hidden pixels, server-side tracking, and other invisible technologies.

What’s the difference between a reprimand and a fine in these Norwegian pixel violation cases?

A reprimand (irettesettelse) is a formal warning that marks a violation but doesn’t require payment. It serves as official documentation of non-compliance and can influence future penalties. A fine (overtredelsesgebyr) requires monetary payment and is reserved for more serious violations. In these cases, only the children’s helpline received a fine due to aggravating factors like serving vulnerable children and falsely promising anonymity.

Do these Norwegian rules apply to my website if I’m not based in Norway?

If your website targets Norwegian users or processes data from Norwegian visitors, Norwegian privacy laws apply regardless of where you’re based. This is similar to how GDPR works across Europe. The enforcement actions show that Norwegian authorities are actively monitoring websites that serve Norwegian citizens, especially those handling sensitive data.

Can I still use tracking pixels if I get proper consent?

Yes, but the consent must be truly valid: freely given, specific, informed, and unambiguous. This means no pre-ticked boxes, no dark patterns, equal visibility for all options, and clear explanations of what data is collected and shared. For sensitive data (health, children, religion), you need explicit consent with even stricter requirements.

What are “dark patterns” in consent banners?

Dark patterns are design tricks that manipulate users into making choices against their interests. Examples from the Norwegian cases include: making “Accept all” buttons bright blue while “Reject” is gray, requiring multiple clicks to refuse tracking, using confusing language, or suggesting the site won’t work without cookies. These practices violate GDPR’s requirement for genuine consent.

Read more: Compliant cookie banner design in 2025: A how-to for marketers

What alternatives exist to Meta and Snap pixels for measuring campaigns?

Privacy-preserving alternatives include: server-side analytics (like Piwik PRO) that process data on your servers, cookieless tracking that doesn’t identify individuals, aggregated conversion APIs that report campaign success without exposing user journeys, and first-party analytics that keep all data under your control. These tools can still measure campaign effectiveness without sharing visitor data with tech giants.

Is your CMP blocking cookies before consent? https://cookieinformation.com/blog/blocking-cookies-before-consent/ Mon, 07 Jul 2025 11:20:30 +0000
Most companies today use a CMP. Many display a cookie banner. Most think they’re covered.

But here’s the uncomfortable truth: If your cookies aren’t blocked until after consent, you’re not compliant.

That’s not a legal grey area – it’s a hard requirement under GDPR and the ePrivacy Directive.

And yet right now, the vast majority of websites are still collecting personal data before users have consented.

This isn’t about bad intent. It’s about a common – and costly – misunderstanding: That installing a CMP automatically solves the problem.

But compliance doesn’t come from the banner. It comes from the behavior behind it.

We scanned 4,000 of the most visited websites. Here’s what we found

Back in 2024, we analyzed the 1,000 most visited company websites in each of four markets: Denmark, Sweden, Norway, and the UK.

International platforms like Google and Facebook were excluded.

Our goal: Check how many of these websites load non-essential cookies before the user gives consent.

The results:

% of websites setting cookies prior to user consent in different markets

That means 3 out of 4 high-traffic company websites were still firing cookies and trackers before the user clicks “Accept.” Often without even realizing it.

Since 1 January 2024, over 3,000 users have run a scan using our Compliance Check tool. And when analyzing the results, the numbers look slightly better.

Among them, 59.08% of websites were still setting cookies before user consent.

Better, but still not great. So what’s going wrong?

Where the assumption breaks: CMP ≠ automatic blocking

The confusion is understandable. Most teams assume that installing a CMP takes care of everything – cookies included.

But the reality is more nuanced.

A cookie banner is the interface. Compliance depends on what actually happens behind the scenes.

If your site loads third-party services like Meta Pixel, Google Analytics, YouTube, or Hotjar before consent, you’re not compliant – even if your CMP is technically active.

What the law actually requires

Under GDPR and the ePrivacy Directive, the requirements for setting cookies are as follows:

  • Non-essential cookies (e.g. marketing, statistics) must be blocked until explicit, opt-in consent is given.
  • Consent must be freely given, informed, and documented.
  • Only strictly necessary cookies are allowed to load before consent.

If you’re collecting any user data before opt-in – through trackers, pixels, or embeds – your site is exposed.

And regulators are enforcing:

Cookie Information CMP is built to meet both legal and technical requirements – including prior cookie blocking.

But like all compliance tools, effectiveness depends on proper setup.

First-party cookies? Blocked by default until user consent is given.

Third-party cookies? You’ll need to configure them to respect consent using our Cookie Control SDK. This ensures external services don’t fire without permission. It’s a quick integration. Fully documented. And fully compliant.

You’re already ahead of the curve – but make sure your configuration is airtight.

How to check if your site is leaking cookies

There are two ways to find out if your setup is exposing you:

  • Run a scan with our Compliance Check tool: Fast, free, and only requires your email (so we can send the results to you).
  • Manually inspect your site: Follow the short guide below.

Here’s how you can check if it’s working as it should:

  1. Open your website in a private or incognito window.
    This helps you start with a clean slate – no cookies stored, no previous consents given.
  2. Do not interact with the cookie banner.
    Avoid clicking “Accept” or “Reject”. Just let the banner sit there while you check what’s loading.
  3. Open the developer tools in your browser.
    Right-click anywhere on the page and choose “Inspect” or press Ctrl+Shift+I (Windows) or Cmd+Option+I (Mac).
  4. Go to the “Application” tab and click on “Cookies” in the left menu.
  5. Check the list of cookies set.
    Look through the list of domains under “Cookies”. If you see cookies from domains other than your own (like Google, Facebook, LinkedIn, or similar), those are third-party cookies.
  6. If third-party cookies appear before you click anything on the banner, your CMP might not be blocking them correctly.
    You’ll want to investigate further or talk to your CMP provider.

Optional recommended steps:

  • Run the test on all pages where you use tracking scripts.
  • Try it on different browsers to catch variations in behavior.
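The same check can be run over a saved network capture instead of reading the cookie list by eye. The script below is an added example, not part of the original post and not Cookie Information's SDK: it reads a HAR export recorded in a private window with the banner untouched and lists every cookie set by an HTTP response, marking the ones that do not belong to your own domain. The sample HAR, host names, cookie names and function names are all constructed for illustration.

```javascript
// Constructed sample: a trimmed HAR export (DevTools > Network > "Save all as HAR")
// recorded in a fresh private window with the cookie banner left untouched.
// All hosts and cookie names are made up for this example.
const SAMPLE_HAR = {
  log: {
    entries: [
      { request: { url: "https://www.example.com/" },
        response: { headers: [
          { name: "Set-Cookie", value: "session=abc123; Path=/; HttpOnly; Secure" },
        ] } },
      { request: { url: "https://cdn.example.com/app.js" },
        response: { headers: [{ name: "Content-Type", value: "text/javascript" }] } },
      { request: { url: "https://tracker.example.net/pixel.gif" },
        response: { headers: [
          { name: "set-cookie",
            value: "uid=42; Domain=.example.net; Max-Age=31536000\nseg=a; Domain=example.net" },
        ] } },
      { request: { url: "https://video.example.org/embed/1" },
        response: { headers: [
          { name: "Set-Cookie",
            value: "pref=hd; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure" },
        ] } },
    ],
  },
};

// Chrome joins several Set-Cookie headers with "\n"; other exporters keep one
// header per entry. Never split on commas: Expires dates contain one.
function setCookieLines(headers) {
  return headers
    .filter((h) => h.name.toLowerCase() === "set-cookie")
    .flatMap((h) => h.value.split("\n"))
    .map((line) => line.trim())
    .filter(Boolean);
}

// Extract the cookie name, its effective domain and whether it carries an
// Expires or Max-Age attribute. Without a Domain attribute the cookie is
// host-only, so it belongs to the host that answered the request.
function parseSetCookie(line, requestHost) {
  const [pair, ...attrs] = line.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let domain = requestHost;
  let persistent = false;
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const value = rest.join("=").trim();
    if (key === "domain" && value) domain = value.replace(/^\./, "").toLowerCase();
    if (key === "expires" || key === "max-age") persistent = true;
  }
  return { name, domain, persistent };
}

// First party = the site's own domain or any subdomain of it. The caller
// passes the domain explicitly, so no public-suffix list is needed.
function isFirstParty(cookieDomain, siteDomain) {
  return cookieDomain === siteDomain || cookieDomain.endsWith("." + siteDomain);
}

// Return every cookie set by an HTTP response in the capture, each marked
// as first or third party relative to siteDomain.
function findPreConsentCookies(har, siteDomain) {
  const site = siteDomain.replace(/^\./, "").toLowerCase();
  const found = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname.toLowerCase();
    for (const line of setCookieLines(entry.response.headers || [])) {
      const cookie = parseSetCookie(line, host);
      found.push({
        ...cookie,
        setBy: host,
        thirdParty: !isFirstParty(cookie.domain, site),
      });
    }
  }
  return found;
}

// One readable line per third-party cookie that appeared before any consent.
function thirdPartyReport(har, siteDomain) {
  return findPreConsentCookies(har, siteDomain)
    .filter((c) => c.thirdParty)
    .map((c) => `${c.name} (domain ${c.domain}, set by ${c.setBy}` +
      `${c.persistent ? ", persistent" : ", session"})`);
}

for (const line of thirdPartyReport(SAMPLE_HAR, "example.com")) {
  console.log("third-party cookie before consent:", line);
}
```

Cookies that a script writes through `document.cookie` never appear as `Set-Cookie` response headers, so an empty report here does not replace the “Application” tab check in step 4.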

Don’t let assumptions become risk

You’ve invested in a CMP. You’re doing your part. But don’t stop short.

Because until every tracker is blocked by default, you’re not protected.

If your cookies are still loading early, you’re not protecting your users. And you’re not legally covered.

The good news?

The fix is simple – and fully supported by Cookie Information.

Take five minutes. Check your setup. And make sure your CMP is not just present – but working as intended.

TL;DR

  • 70–84% of top company websites still set cookies before consent
  • Most assume their CMP handles it automatically – but third-party blocking requires setup
  • Cookie Information blocks first-party cookies by default
  • For third-party services, use the SDK
  • Run a scan or check your cookies manually to make sure you’re covered

One platform, more value: Explore our new pricing https://cookieinformation.com/blog/new-pricing-announcement/ Thu, 03 Jul 2025 12:34:14 +0000 https://cookieinformation.com/?p=149721 At Piwik PRO and Cookie Information, we’ve always believed that data-driven growth and privacy compliance should go hand in hand. Now, we aim to take that philosophy even further. Starting August 4, 2025, we’re launching a new lineup of plans designed to deliver everything you need for privacy-first marketing and analytics. It’s a shift toward […]

At Piwik PRO and Cookie Information, we’ve always believed that data-driven growth and privacy compliance should go hand in hand. Now, we aim to take that philosophy even further.

Starting August 4, 2025, we’re launching a new lineup of plans designed to deliver everything you need for privacy-first marketing and analytics. It’s a shift toward simplicity, transparency, and more value – all in one place.

Here’s what’s changing, why it matters, and how it affects you.

Why we’re making this change

We’ve seen a shift in how businesses use data. Modern organizations are no longer looking for standalone tools. They want:

  • Trusted, complete datasets
  • Clear visibility into the customer journey
  • Ethical, compliant data collection
  • A platform that “just works” – from consent to conversion

Our response is a unified platform that combines Consent Management, Analytics, Tag Management, and Data Activation. These updates make it easier for you to get started, grow confidently, and stay compliant – without juggling multiple tools or contracts.

What’s new in our pricing model?

We’re moving from fragmented products to four unified plans, tailored to support different stages of growth and compliance needs. Each plan is carefully designed to deliver increasing levels of functionality, privacy assurance, and support – all while working seamlessly together.

Business plan (from € 35/month)

Our new Business plan is ideal for organizations that want to switch to privacy-compliant analytics and make confident marketing decisions – fast and with minimal formalities. This plan gives you:

  • Four modules: Consent Management, Tag Manager, Analytics, Data Activation
  • Up to 2 million monthly actions
  • 25 months of data retention
  • EU-operated hosting in Sweden
  • Full compliance with GDPR, CCPA, LGPD and more
  • Integrations, support or implementation services as add-ons

The Business plan includes clear upper limits to ensure predictable pricing, and starting at just €35 per month, this is the most powerful and cost-effective option on the market.

Check the price for your Business plan in our calculator.

Enterprise plan (from € 366/month)

Our enhanced Enterprise plan offers deeper analytics and governance capabilities to better suit organizations with expansive analytics needs and data privacy requirements.

This plan gives you:

  • Four modules: Consent Management, Tag Manager, Analytics, Data Activation
  • Starting from 1 million monthly actions with no upper limit
  • 25 months of data retention (extendable)
  • EU-operated hosting in Sweden
  • Private cloud hosting
  • Full compliance with GDPR, CCPA, LGPD and more
  • Personalized implementation, onboarding, and product training

Single-module Cookie Banner (from € 19/month)

For when you only need a cookie banner for your website. Three tiers are available, depending on how frequently you want to scan your domain for cookies and how many subpages you need to scan.

All tiers include:

  • Automatic cookie scans
  • Banner customization
  • Accessible banner templates (WCAG 2.2 compliant)
  • IAB TCF v2.2 support
  • Integrations with Google Consent Mode v2 and Tag Manager
  • Easy integration with CMS platforms

Simplified and transparent variables

The new structure makes pricing simpler, with clearer and more transparent usage-related variables and limits.

For the single-module Cookie Banner, your price depends on:

  • Domain scan frequency
  • Scanning depth (subpages)

The Business and Enterprise plans each have a base price and the same two variables:

  • Number of domains: Relates to Consent Management, and covers how many websites you use the cookie banner on. A domain is the main part of your website address (like ‘example.com’). It doesn’t include subdomains (like ‘www.’ or ‘blog.’) or specific pages.
  • Monthly actions: Relates to Analytics, and covers the total monthly number of activities tracked on your site or app. It includes things like views, consent choices, clicks, downloads, site searches, goal completions, and API requests. Every tracked event counts as one action.

What the changes mean for current clients

We’re committed to making the introduction of the new pricing as smooth as possible.

Here’s how it affects our current clients:

  • Starting August 4, 2025, most CMP-only clients (excluding small business users and resellers) will be transitioned to the Business plan.
  • You’ll now get Consent Management, Analytics, Tag Manager, and Data Activation – all for the same or a lower price.

Prefer to stick with just the CMP?

No problem!

Although we’re confident that the improved plan offers users a more complete and valuable toolset, we understand that every business has different needs.

If you prefer to continue using only the cookie banner with the single-module plan, have any questions or would like to discuss your migration path, don’t hesitate to reach out at [email protected].

What you get

So how does this benefit you as a client, and why should you care if you aren’t a client yet?

A future-proof platform built in Europe

With growing scrutiny on U.S.-based platforms, our Business plan ensures your data is stored and processed under the highest privacy standards.

Analytics and Data Activation are hosted in Sweden, while the cookie banner remains globally accessible to meet regional requirements.

This setup gives you a transparent, compliant, and resilient platform designed around European privacy expectations.

One single platform with endless possibilities

Unifying Consent Management, Analytics, and Data Activation into one platform not only simplifies your tech stack, it fundamentally opens up new ways to grow.

Here’s how our single unified platform delivers more value:

  • Collect up to 4× more session data using anonymous tracking
  • Track performance from consent to conversion
  • Align marketing, legal, and compliance teams with shared dashboards
  • Re-engage high-intent users who declined tracking
  • Optimize banner behavior by region and device

Combining these features turns your compliance foundation into a strategic growth engine.

Unified security and governance

Every plan now includes:

  • Built-in compliance with GDPR, LGPD, PIPEDA, TTDSG/TDDDG, and DORA
  • Sector-specific readiness for finance and healthcare (HIPAA, EBA)
  • ISO 27001, SOC 2, and HIPAA certification
  • External third-party security audits
  • Fine-grained access controls with enterprise SSO
  • Choice of hosting location and full control of data residency
  • Clear and complete data processing agreements (DPAs)

Frequently Asked Questions

As a current customer, will I pay more or less under the new pricing?

In most cases, you’ll pay the same or less than before. The new plans are designed to deliver more value without increasing your costs.

Take a look at our pricing page for a full overview. You can also use our Business plan calculator to estimate your monthly cost.

Can I keep my current plan?

Yes. If you prefer to keep using only the Consent Management module, just let us know, and we’ll help you stay on a standalone plan.

Please reach out to your account manager or [email protected].

Do I need to take action?

No immediate action is required. We’ll handle the transition and notify you of any changes. But if you have questions or want to customize your plan, we’re happy to help.

Just reach out to your account manager or [email protected].

When will the new pricing take effect?

The new pricing applies to all eligible plans starting August 4, 2025.

Privacy pays off: The ROI of smart privacy investments https://cookieinformation.com/blog/smart-privacy-investments-pay-off/ Wed, 02 Jul 2025 09:43:49 +0000 https://cookieinformation.com/?p=148853 New research confirms what privacy-forward companies already know: protecting user data isn’t just the right thing to do – it’s smart business.

Marketers today face more pressure than ever.

They’re expected to drive growth, navigate strict privacy laws, and make decisions based on scattered, often unreliable data.

At the same time, the rules of engagement are changing. Privacy is no longer just about ticking compliance boxes – it’s a tried and tested way to earn trust in a world full of digital uncertainty. And for the companies that get it right, it’s becoming a serious competitive edge.

People are watching more closely, too. With AI on the rise, they’re paying attention to how their data is collected, stored, and used. They want transparency, and they reward the businesses that offer it.

Research from Cisco, PwC, and the IAPP shows that companies with strong privacy programs are seeing real returns – from better insights to faster operations and higher customer loyalty.

So putting privacy first doesn’t just keep you safe. It helps you grow. It builds trust, improves data quality, and strengthens your brand.

Ultimately, privacy has become marketing’s next big advantage. Are you ready to use it?

The very real ROI of privacy

In Cisco’s latest 2025 Data Privacy Benchmark Study, a whopping 96% of organizations said the benefits of privacy investments outweigh the costs. More than half reported returns of at least 1.6x. Nearly a third are seeing 2x or higher.

Privacy investments are speeding up sales cycles, boosting efficiency, and making companies more attractive to customers, partners, and investors. In fact, 78% of businesses in the study said privacy helps improve their public image.

Smart consent management is a big part of this. Tools like cookie banners that clearly inform users and collect valid consent lead to cleaner, more reliable first-party data. That means better targeting, more accurate analytics, and stronger ROI.

Cisco also found that these investments reduce the frequency and impact of data breaches, lower remediation costs, and improve internal morale.

Privacy builds trust, and trust wins customers

Trust has become a make-or-break factor in customer decisions.

But there are still quite a few trust gaps between businesses and consumers, for example at the intersection of data privacy and the use of AI.

EY’s AI Sentiment Index shows just how wide that gap can be. While 61% of consumers are concerned about how companies protect the privacy of AI data, only 31% of C-suite executives share that concern. On top of that, 64% of people globally worry that their data will be used to train AI without their consent. This disconnect can cost companies if they’re not careful.

The IAPP’s Privacy and Consumer Trust Report found that 68% of people are concerned about their online privacy – and they’re not shy about taking action. If they don’t trust a company, they’ll delete the app, withhold info, or stop buying.

But here’s the upside: 64% of consumers said they trust companies more when privacy policies are clear and easy to understand. On the flip side, over 80% said they’d likely stop doing business with a company after a data breach.

That means your cookie banner, privacy policy, and how you communicate data choices are doing more than meeting legal requirements. Clear banners and honest privacy settings show customers you respect them. And when they feel respected, they stick around. That trust is your best long-term asset.

So when your company takes privacy seriously, you’re showing customers they can count on you – and that pays off.

Compliance and culture: the internal advantage

PwC’s 2025 Global Compliance Survey confirms what many teams are feeling: compliance is getting harder. 77% of leaders say it’s slowing down areas like product launches, IT upgrades, and AI adoption. But some companies are turning the challenge into a strength.

They’re automating compliance tasks, simplifying processes, and involving privacy teams early in product development. That helps them move faster and with more confidence. When privacy is built into the way a business works, it creates smarter decisions, smoother operations, and better collaboration. Tools like consent banners and privacy-first analytics help break down silos. Everyone from marketing to product to legal can rely on the same trusted data foundation.

Embedding privacy from design to deployment – through clear governance structures and transparent practices – creates not only legal safeguards but cultural alignment across teams. This shared ownership builds confidence, boosts morale, speeds up decisions and helps businesses innovate responsibly.

Privacy-first analytics plays a big role here. When your data tools are built for privacy from the start, you avoid compliance bottlenecks and reduce reliance on risky third-party cookies. You get the insights you need without the legal stress.

Investing in strong data infrastructure is also essential for scaling AI responsibly. Leaders who prioritize data readiness and governance are better positioned to turn privacy efforts into innovation drivers.

Can you afford the risk of doing nothing?

Here’s the bottom line: companies that invest in privacy are laying the groundwork for long-term success. But if you delay, you risk falling behind. Every month without a clear privacy strategy is a month of lost trust, poor data quality, and growing legal exposure. The longer you wait, the harder – and costlier – it gets to catch up.

The risks of doing nothing? Losing customer trust, stalling innovation, and missing out on market opportunities. Not to mention growing scrutiny from regulators.

With laws like the GDPR and CCPA expanding, companies using outdated tools or unclear banners are being fined or forced to overhaul their systems. It’s smarter – and more cost-effective – to get privacy right the first time.

Embedding transparency and fairness into customer-facing technologies – like analytics and AI – helps organizations stand out. These ethical design principles don’t just reduce risk; they drive adoption and create a meaningful competitive edge.

Privacy-first marketing in practice

Privacy-first marketing doesn’t mean giving up on insights or performance. But many marketers are feeling the sting of lost data – whether it’s disappearing third-party cookies, limited access to behavioral insights, or tools that can’t operate in a privacy-first world.

Without the right foundation, you’re left with blind spots that slow campaigns, weaken targeting, and make reporting a guessing game. Privacy-first marketing means using tools and approaches that respect user choices while still delivering business value.

Here are some practical steps to support privacy-compliant marketing:

  • Use first-party tracking to gather high-quality, consented data directly from your users without third-party middle-men.
  • Switch to anonymous tracking to get insights without collecting personal information.
  • Replace invasive third-party cookies with privacy-first analytics tools like Piwik PRO.
  • Offer clear user choices and communicate openly through compliant, user-friendly cookie banners.
  • Respect user preferences and maintain consent through persistent, easy-to-manage settings.
  • All capabilities available in our new pricing bundles – find the right one for your setup today!

When you invest in privacy-first tools, you’re building a marketing engine that’s resilient, trusted, and future-proof.

Want to make privacy your business advantage?

Take the next step. Discover how Cookie Information and Piwik PRO can help you collect and utilize more data, all while ensuring your compliance and your users’ privacy. Check our new bundle pricing plans and pick the best for your setup to experience the potential of a smarter data strategy.

Cookie Banner

Analytics, Tag Manager and Data Activation

Norwegian E-Com Act: What digital marketing agencies need to know [April 2025 update] https://cookieinformation.com/blog/2025-norwegian-e-com-act-what-digital-marketing-agencies-need-to-know/ Wed, 07 May 2025 08:17:00 +0000 https://cookieinformation.com/?p=138303 The 2025 Norwegian E-Com Act is here, and with Datatilsynet's April guidance and active enforcement, it's transforming how digital agencies manage client data. Are you prepared to leverage these new privacy requirements as a competitive advantage? Discover how staying ahead of enforcement trends and mastering the official guidelines can position your agency as a trusted privacy leader while delivering exceptional marketing results.

Why the 2025 Norwegian E-Com Act could be your agency’s secret weapon for success

In force since 1 January 2025, the Norwegian E-Com Act is shaking things up for websites across Norway, and that’s great news for digital marketing agencies. Here’s the deal: in our recently published report Cookie Compliance in Norway: Trends & Insights 2024, we found:

  • Norwegian websites had the lowest adoption rate of cookie banners among the 10 countries analyzed.
  • 86% of the analyzed websites exhibited compliance issues.
  • 81% fired non-essential cookies before user consent.

Your agency has a vast business opportunity to step in as the expert partner who helps clients navigate the new cookie requirements, avoid risks, and build trust with their users. By understanding the ins and outs of the Act, you can position your agency as the go-to resource for privacy compliance – and open the door to new clients who need guidance.

Ready to discover how turning cookie compliance into a competitive advantage can grow your business? Let’s dive in.

Are your clients ready for the 2025 Norwegian E-Com Act?

Choose Cookie Information as your compliance partner to help your clients avoid financial risks, stay compliant, and maintain marketing performance.

What is the 2025 Norwegian E-Com Act: Summary

EXPERT’S OPINION

Cookie consent requirements in Norway

All websites that use cookies that are not technically necessary must obtain consent before these cookies are set/activated, in accordance with the requirements of the Personal Data Protection Act (the Norwegian GDPR):

  • The cookie is not set before the customer has given their consent.
  • The type of consent the user gives must be respected.
  • If the user says “No” to marketing cookies and “Yes” to others, marketing cookies must not be set/activated.
  • Before consent is given, the user must be able to see which cookies are being used and the function of each cookie.
  • It should be just as easy to change or withdraw consent as it is to give it.
  • The consent solution must not include “dark patterns” that lead the user toward specific choices.
  • The “Yes” and “No” buttons must be the same size and equally placed. Different colors are (for now) acceptable.
  • The options should not be pre-filled.
  • Given consents must be stored for 5 years and be retrievable for documentation purposes.
  • “Cookie walls” are not allowed. This means it must be possible to use a website even if the user says “No” to cookies. Some reduced functionality is acceptable in these cases.

The 2025 Norwegian E-Com Act is Norway’s answer to stricter cookie guidelines, aligning with the EU’s ePrivacy Directive and putting data privacy front and center. It changes how businesses (and the digital marketing agencies supporting them) handle cookies and user data, requiring transparent, informed, and voluntary consent.

For your agency, this isn’t just another regulation – it’s a must-know for creating digital solutions that are both privacy-compliant and help your clients reach their targets.

April 2025: Norwegian DPA releases official guidance for digital marketers

You need to know this! On April 3rd, 2025, Datatilsynet (the Norwegian Data Protection Authority) released their comprehensive guidance on E-Com Act compliance. This resource comes directly from the regulatory authority, providing you with authoritative direction when implementing solutions for your clients.

Datatilsynet presents this guidance as a “practical tool” and “clear recipe” for organizations – exactly what you need when advising your clients on compliant implementation strategies. The guidance reinforces key requirements that impact your agency’s client services:

  • Mandatory clear information about all tracking technologies used
  • Ensuring genuinely free user choices regarding cookies
  • Equal prominence for rejection and acceptance options
  • Neutral presentation of cookie choices
  • Documentation requirements for consent records
  • Simple consent withdrawal mechanisms
  • Regular cookie policy reviews and updates
  • Privacy-by-design implementation principles
  • Limited scope for legitimate interest as a legal basis
  • Regular cookie audits and compliance monitoring

For you as an agency managing client campaigns and websites, this official publication provides definitive standards that can differentiate your services in a crowded marketplace. Position your agency as the expert guide through these regulatory requirements while still delivering performance marketing results.

Why should your digital marketing agency care about the 2025 Norwegian E-Com Act?

Privacy compliance can seem like a headache, but the 2025 Norwegian E-Com Act is actually your agency’s golden ticket to building trust, strengthening client relationships, and standing out in a crowded market. Clients want partners who know how to navigate the tricky waters of consent management and data privacy, and this new cookie law gives you the chance to showcase your expertise.

By baking compliance into how you manage client websites and digital campaigns, you’re not just helping clients avoid fines or bad press – you’re positioning yourself as a forward-thinking agency with real strategic value. Turn this challenge into an opportunity, and you’ll gain a reputation for protecting clients’ good name while driving results.

Why the E-Com Act matters for your agency

Build client trust

Privacy-conscious clients value agencies that put user consent first. Compliance helps build stronger, more trustworthy brands.

Keep clients safe from fines and reputational damage by ensuring their compliance.

Boost your agency value

Stand out as a forward-thinking agency with privacy expertise, offering more than just the marketing basics.

Ensure your clients stay compliant and avoid the risks of non-compliant cookie consent banners with Cookie Information’s Consent Management Platform (CMP).

What changed in the 2025 Norwegian E-Com Act?

The 2025 Norwegian E-Com Act brings stricter rules for cookies and user data transparency, setting it apart from the previous E-Com law. Here’s what’s different:

Unlike before, users now need the option to accept or reject specific cookie categories (e.g., essential, marketing, functional). The old law allowed for broad, all-encompassing consent, but now consent must be precise, empowering users to control their data preferences.

As an expert, you must design consent banners that allow users to customize their preferences and offer them full control over their website experience.

2. No pre-ticked boxes

One of the core principles of the 2025 Norwegian E-Com Act is that consent cannot be implied or assumed. Previously, pre-ticked boxes for cookie consent were standard on Norwegian websites, assuming user agreement by default. Now, consent must be active and explicit, requiring users to make a deliberate choice.

If your client’s current cookie banner tool is too complex to adapt to the new requirements or doesn’t even allow for the required customizations, your safest choice is to implement a new consent management platform, such as Cookie Information, that offers E-Com-compliant cookie banners by default.

While the right to withdraw consent existed before, the new law ensures that it must be just as simple and visible as giving consent.

This means digital marketing agencies need to implement clear, user-friendly website cookie banners to let users adjust or revoke consent anytime.

Under the old rule, many websites provided vague or incomplete information about cookies. Now, websites must clearly explain the purpose of each cookie, whether it’s a first- or third-party cookie, and what data it collects. Transparency is no longer optional – it’s mandatory.

As an agency, you need to ensure client websites display clear, concise, and accessible privacy policies and cookie banners that cover all required disclosures. With Cookie Information CMP, you get an automatically generated cookie policy that is customized to the website, meets all the legal requirements and is updated over time according to the website’s cookie usage.

“A compliant cookie policy under the E-Com Act should include detailed information on the types of cookies used, their purposes, the duration of data storage, and whether third parties have access to the data.”

Overcoming client resistance: The business case for privacy compliance

Many clients may hesitate to update their practices for the updated E-Com Act, viewing compliance as an unnecessary expense or an overly complicated problem. However, with the right approach, you can demonstrate how compliance benefits their bottom line and protects their long-term growth.

1. Simplifying complexity: making compliance easy for clients

Many clients feel overwhelmed by the details of the 2025 E-Com Act, especially regarding consent management and data transparency. You can ease this burden by offering clear guidance and tools that simplify the process.

Consent management platforms like Cookie Information’s Cookie Banner for Websites and Consent Banner for Mobile Apps also help automate much of the compliance process and provide a streamlined way to manage cookie consent, store user preferences, and automatically meet legal requirements.

By showing clients that compliance doesn’t have to disrupt their operations, you position your agency as an essential partner that makes their lives easier while keeping them safe from legal pitfalls.

2. Avoiding financial and reputational risks in 2025

At our recent E-Com Act webinar, compliance expert and our digital marketing partner Jan Morten (CoreTrek) agreed with Vebjørn’s statement above. Datatilsynet (the Norwegian data protection authority) is expected to actively enforce the updated E-Com Act this year, making it critical for businesses to comply.

Non-compliance carries risks like fines, legal actions, and reputational damage that could result in customer churn or lost revenue – both for you and your clients.

Highlight to clients that the cost of implementing compliance solutions is far less than the potential penalties and fallout from being caught unprepared. Emphasize the financial and operational stability compliance offers.

With a proactive approach, your clients can avoid being made an example of in Datatilsynet’s enforcement efforts and protect their revenue streams in a privacy-focused marketplace.

“It’s expected that with Datatilsynet as regulator, cookie regulations in Norway will be more effectively enforced than what has been the case. The risks for non-compliant use of cookies in Norway will clearly increase.”

3. Building trust and competitive advantage with privacy compliance

The new E-Com Act isn’t just about legal requirements but also about meeting customer expectations. Today’s users are increasingly privacy-conscious, valuing businesses that respect their data. By adopting transparent consent practices, your clients can strengthen trust, enhance customer loyalty, and position themselves as privacy leaders in their industries.

You can explain how many Norwegian websites still rely on non-compliant or outdated solutions, leaving a competitive gap for privacy-first businesses to capitalize on. By helping clients showcase their commitment to user data protection, you also help them turn compliance into a marketing advantage that drives customer engagement and long-term growth.

4. Future-proofing your clients’ business with automated solutions

Compliance isn’t a one-time effort. The landscape of privacy laws is constantly evolving, and businesses need scalable systems to stay ahead. Automated consent solutions like Cookie Information help clients remain compliant as new regulations emerge, reducing the burden of manual updates.

By integrating the Cookie Information cookie banner into your clients’ websites, you’re providing a sustainable solution that effortlessly adapts to changes. It integrates with major CMS platforms like WordPress, Drupal, and others, making implementation straightforward and frictionless. Your clients will be happy to be able to focus on growth while remaining protected from legal risks.

As your agency strives to meet the 2025 Norwegian E-Com Act requirements, partnering with the right Consent Management Platform (CMP) – or cookie banner tool – is key. Cookie Information is the perfect partner to help you and your clients navigate the complexities of cookie consent compliance with ease and efficiency.

Cookie Information is an intuitive, customizable CMP solution that ensures full compliance with the Norwegian E-Com Act, GDPR, and other privacy regulations. Our platform is built with the flexibility to adapt to a wide range of websites and marketing strategies and to evolve as regulations evolve.

Tailored for digital marketing agencies
We understand agencies’ unique challenges when managing cookie compliance for multiple clients. Our partner program is designed to support you at every step, from integration to ongoing compliance management.

Fully-customizable banner design
Our cookie banner customization options allow you to deliver a fully branded, seamless privacy experience on your clients’ platforms while benefiting from our CMP’s robust legal compliance.

Seamless integration
Our CMP is easy to implement. It has a simple setup process and integration capabilities across various platforms and CMS systems, including WordPress, Drupal, and more.

Continuous legal compliance
As regulations evolve, Cookie Information cookie banner solutions are updated to meet all legal requirements, reducing your agency’s and clients’ risk of non-compliance.

Marketing support for agencies
By partnering with Cookie Information, your agency gains access to comprehensive resources, training, and marketing materials to help you communicate the importance of privacy compliance to your clients. This makes it easier to sell compliance benefits while establishing your agency as a trusted privacy expert.

Dedicated partner support
Cookie Information offers a partner program with access to dedicated partner account managers, technical support, and ongoing training. Whether you want to expand your knowledge or need assistance with a specific client case, we’re ready to support you.

By partnering with Cookie Information, your agency can offer your clients a top-tier, easy-to-manage consent solution, ensuring compliance with the 2025 Norwegian E-Com Act and enhancing your service offerings. Download our Partner Handbook or start your partnership today and turn cookie consent into a competitive advantage for your agency.

Enforcement alert: Datatilsynet begins active monitoring of tracking technologies

You should be aware that Datatilsynet has recently launched targeted supervisory inspections focusing on tracking pixels and data sharing practices. These inspections specifically target websites dealing with sensitive user data and examine how these sites may be sharing information with international technology companies.

For your agency serving clients in healthcare, financial services, or other sensitive sectors, this represents both a risk and an opportunity:

The risk: Your clients found non-compliant could face regulatory action, potentially damaging both their reputation and yours as their service provider.

The opportunity: Proactively helping your clients audit their tracking implementations demonstrates your agency’s expertise and commitment to protecting their business interests.

As part of your agency’s service offering, consider implementing compliance audits that specifically address Datatilsynet’s enforcement priorities. This value-added service can both protect your existing client relationships and serve as a compelling differentiator when pitching to new prospects.

Final thoughts: Digital marketing agencies need to embrace the 2025 Norwegian E-Com Act

The 2025 Norwegian E-Com Act introduces stricter consent requirements that may directly impact your clients’ marketing performance going forward. Users now need to opt into cookies more explicitly – and many likely opt out – so clients may experience lower consent rates than before. This means reduced access to marketing data, making it harder to optimize campaigns and drive results.

How can you help your clients get some of the data back?

Why anonymous tracking with Piwik PRO?

  • More data (while remaining privacy compliant)
  • Better ads and campaign optimization
  • Better reporting on marketing performance
  • Fully informed business decisions
  • Competitive advantage over competitors

Recommend they set up Google Consent Mode v2 (or include it in your services), ideally through a CMP with native integration like ours, to recover anonymized data from non-consenting users. Pair this with anonymous tracking provided by platforms such as our new Analytics module (by Piwik PRO), to ensure clients can still make data-driven decisions while staying fully compliant. The best part? You can subscribe to our Business Plan for a free 30-day trial from 4 August 2025 and test all its capabilities – Analytics, Cookie Banner, Tag Manager, and Data Activation. Our Business Plan is an accessible, powerful tool combination for any business navigating these changes.

Frequently asked questions

What is the 2025 Norwegian E-Com Act, and why is it important for digital marketing agencies?

The 2025 Norwegian E-Com Act updates Norway’s electronic communication laws, aligning them with the EU’s ePrivacy Directive. It introduces stricter rules for cookie consent and user data transparency, making compliance essential. For digital marketing agencies, it’s critical to help clients avoid legal risks while building trust and maintaining marketing performance.

How is the E-Com Act being enforced in Norway?

E-Com Act compliance enforcement has intensified in 2025. As of April, Datatilsynet has begun conducting targeted supervisory inspections of websites, particularly focusing on those handling sensitive user data.

These inspections specifically examine tracking pixels and data sharing practices with international technology companies.

Additionally, Datatilsynet has published comprehensive guidance that serves as the benchmark for compliance evaluation. For you as a marketing agency, this means ensuring your client implementations meet these standards is no longer optional – it’s essential for both regulatory compliance and maintaining client trust.

How can the updated E-Com Act affect my clients’ marketing performance?

The stricter consent requirements mean that fewer users may agree to sharing their data, resulting in lower consent rates and reduced access to marketing data. This can impact campaign optimization and overall performance.

Agencies can mitigate this by implementing solutions like Google Consent Mode v2 and Microsoft UET Consent Mode, together with anonymous tracking tools like Piwik PRO, to recover anonymized insights while respecting user preferences.

How can my agency help clients recover lost data under the new rules?

By recommending tools like Consent Mode v2, integrated with Cookie Information’s CMP, you can collect anonymized data from non-consenting users to gain actionable insights. Pairing this with a platform like Piwik PRO, which supports anonymous tracking, ensures your clients can still make data-driven decisions while staying fully compliant.

What risks do my clients face if they don’t comply with the E-Com Act?

Non-compliance with the updated Act can lead to significant fines, legal action, and reputational damage. Datatilsynet is expected to actively enforce these rules in 2025, meaning businesses that don’t comply could face public scrutiny or penalties. Helping clients stay compliant protects their revenue and maintains their customer trust.

Why should my agency focus on privacy compliance for our clients?

Digital marketing agencies that emphasize privacy compliance position themselves as leaders in a privacy-first digital landscape. Beyond avoiding legal risks, you’ll help your clients gain trust with their audience, build a competitive edge, and safeguard their marketing performance. Additionally, with many businesses still using outdated systems, this is an opportunity to provide unique value.

How do consent management platforms (CMPs) help with E-Com Act compliance?

CMPs, like Cookie Information, automate the compliance process by managing cookie banners, storing user preferences, and ensuring the website stays updated with the latest legal requirements. They make it easy for clients to implement granular consent options, track user preferences, and maintain compliance with evolving privacy laws.

What is Consent Mode v2, and how does it work?

Consent Mode v2 is a Google framework that allows you to adjust your website’s analytics and advertising behavior based on user consent. It works with your CMP to recover anonymized data from users who don’t opt in, giving your clients valuable insights while respecting privacy laws.

How can digital marketing agencies demonstrate the value of privacy compliance to resistant clients?

Position compliance as a business opportunity: it protects clients from fines, builds trust with privacy-conscious customers, and creates a competitive advantage in a market where many businesses are still non-compliant. Explain how tools like CMPs and anonymous tracking can safeguard their marketing performance.

Who is eligible to become a partner with Cookie Information?

The partnership is ideal for service providers, including web and digital marketing agencies, that set up websites, tracking, or analytics on behalf of their clients. If you manage third-party services or advise clients on system and software requirements, you are well-suited for the Partner Program.

What are the benefits of joining the Partner Program?

Partners can expand their product portfolio by offering a Certified Google Consent Management Platform (CMP) with integrated Consent Mode v2. Additional services such as implementation, design, and consultancy can be added to your existing offerings. Partners receive a 20% commission for referral sales or can generate revenue by reselling product licenses. Other perks include 20% off your own CMP, co-selling opportunities, and inclusion in the partner network.

What partnership models are available?

There are two partnership models:

  • Reseller Partner: Recommended for those who manage third-party services for clients. Partners sign up, purchase product licenses at a 20% discount, and resell them to end clients.
  • Referral Partner: Suitable for those who advise and support clients on software procurement and setup. Partners sign up, refer clients to Cookie Information’s platform, and earn a 20% commission.

What products can my agency as a Cookie Information partner offer to our clients?

Partners can offer the Consent Management Platform (CMP), which allows website owners to collect and manage user consents, ensuring GDPR compliance. The CMP is a Certified Google CMP Partner with a Gold status and is natively integrated with both Consent Mode v2 and Piwik PRO, maintaining marketing performance.

How can I become a partner?

To become a partner, you can sign up through Cookie Information’s website. Depending on your preferred partnership model, you can start reselling product licenses or referring clients to the platform to earn commissions.

By joining the Partner Program, you can enhance your service offerings, assist clients in achieving compliance with privacy laws, and generate additional revenue streams.

If you’d like to learn more about our partner program, check our Partner Handbook.

Swedish DPA targets dark patterns in cookie banners: is your website compliant?
https://cookieinformation.com/blog/blog-swedish-dpa-imy-dark-patterns-april-2025/
Fri, 02 May 2025 13:59:09 +0000

Sweden’s privacy authority has issued formal warnings to major companies over misleading cookie banners that failed to meet legal standards. Learn what GDPR violations IMY found and how you can avoid fines, reputational damage, and broken user trust by getting your cookie banner right.

This Swedish 2025 ruling could change how you collect consent for cookies

If you’re managing digital marketing or website compliance targeting Swedish users, there’s a significant development you need to know about. In April 2025, Sweden’s Authority for Privacy Protection (in Swedish: Integritetsskyddsmyndigheten – IMY) issued formal criticisms against three major companies for their non-compliant cookie banners. This enforcement action serves as a clear warning for any marketer collecting data from Swedish visitors.

The issue at hand? “Dark patterns” in cookie consent flows – design techniques that steer users toward accepting tracking without genuine understanding or choice. These enforcement actions signal Sweden’s intensifying focus on ensuring genuine consent and transparent data collection practices.

In this article, we’ll break down everything you need to know to stay compliant and protect your Swedish market strategy:

  • The background: what triggered IMY’s April 2025 investigation
  • Key findings: dark patterns identified (and why they’re problematic)
  • Sweden’s cookie compliance rules in 2025 – what exactly the law requires now
  • Guidance for marketers and site owners: how to fix your cookie banners (hint: use an EU-based consent management platform (CMP) and drop the deceptive designs)
  • The bigger picture in Europe: how this Swedish crackdown aligns with a broader trend across Belgium, France, the UK and growing skepticism toward U.S.-based adtech.

A compliant, user-friendly cookie banner is just a click away. Try Cookie Information free for 14 days. No credit card required, cancel anytime.

What prompted IMY’s April 2025 enforcement actions?

The IMY’s April 2025 investigations weren’t spontaneous. They stemmed from a series of individual complaints filed by users regarding cookie consent practices on several popular websites. Unlike a coordinated campaign, these actions represent the IMY’s ongoing commitment to responding to specific privacy concerns raised by individuals.

Sweden’s DPA examined whether cookie consent practices aligned with both the General Data Protection Regulation (GDPR) and Sweden’s Electronic Communications Act (ECA) – or Lagen om Elektronisk Kommunikation (LEK), in Swedish – highlighting that companies of all sizes must comply with privacy regulations, regardless of their market position or visitor numbers.

Before the April 2025 enforcement, IMY’s previous set of decisions – and fines – was released between June and December 2024 and focused on complaints from companies about Meta Pixel malfunctioning and its compliance with GDPR.

Key takeaways:

  • The April 2025 enforcement followed multiple user complaints, not a coordinated sweep.
  • IMY investigated compliance with both the GDPR and Sweden’s Electronic Communications Act (LEK).
  • Businesses of all sizes are expected to meet the same consent requirements.
  • IMY’s earlier rulings (mid–late 2024) focused on Meta Pixel compliance.

The 2025 IMY cases: who was investigated and why

The April 2025 enforcement actions specifically targeted three prominent companies operating in the Swedish market:

1. Major player in Sweden’s gambling and betting sector

Sweden’s major horse racing and betting operator was criticized primarily for its imbalanced cookie banner design. 

The IMY found that their online gambling website prominently displayed an “Accept” button in contrasting colors while relegating the “Reject” option to a less visible text link. This design asymmetry was deemed to create undue influence on user choice, steering visitors toward acceptance rather than presenting balanced options.

2. One of Sweden’s largest magazine and digital media groups

A well-known Swedish media group with several popular magazine and news sites faced criticism for multiple issues in its cookie consent implementation. The IMY specifically highlighted:

  • The use of pre-selected checkbox options for non-essential cookies
  • A multi-step process required to reject cookies (compared to a single click for acceptance)
  • Ambiguous language that obscured the consequences of cookie acceptance

The regulator determined these elements collectively constituted dark patterns designed to maximize consent rates at the expense of genuine user autonomy.

3. Global entertainment brand with a strong presence in Sweden

A major entertainment and music company with a strong presence in Sweden was not cited for dark patterns, but rather for inadequate information disclosure. The IMY found that its cookie banner failed to provide sufficiently detailed information about:

  • The specific purposes of different cookie categories
  • Which third parties would receive data through cookies
  • How long cookie data would be retained

This lack of transparency was deemed to undermine informed consent, as users couldn’t fully understand the implications of their choices.

Key takeaways:

  • Three companies in betting, media, and entertainment were formally criticized.
  • Two used dark patterns to nudge users into accepting cookies.
  • One failed to provide clear, transparent cookie information.
  • Each case highlights a different way consent can fail under GDPR.

Key findings: the dark patterns IMY identified

The IMY’s investigation uncovered several problematic design practices that undermined genuine user consent:

Asymmetrical visual hierarchy

Two of the companies implemented cookie banners with clear visual asymmetry:

  • “Accept” buttons were prominently displayed, using attention-grabbing colors (typically green or blue)
  • “Reject” options were significantly less visible – either using muted colors or appearing as plain text links
  • Size differences between accept and reject options created an imbalanced visual hierarchy

The IMY determined this design approach created an artificial “path of least resistance” toward cookie acceptance, steering user behavior through visual manipulation rather than facilitating genuine choice.

Multi-step rejection vs. one-click acceptance

The media publisher’s cookie banner was particularly criticized for implementing different user journeys based on the desired outcome:

  • Accepting all cookies required just a single click on a prominent button
  • Rejecting cookies necessitated navigating through multiple screens, toggling individual settings, and then confirming choices

This asymmetry in effort created what the IMY called “friction by design” – intentionally making rejection more cumbersome than acceptance. The regulator explicitly stated that equal effort should be required regardless of the user’s choice.

Misleading button labels and language

Both the online betting and media websites’ cookie banners used language that the IMY found misleading or manipulative:

  • Vague button labels like “I understand” instead of clear consent language
  • Text suggesting the site “wouldn’t work properly” without accepting non-essential cookies
  • Framing cookie rejection as potentially harmful to user experience

The regulator emphasized that cookie banner language must be clear, accurate, and non-manipulative – allowing users to make truly informed decisions.

Pre-selected options and hidden controls

The media website’s cookie consent banner implementation included pre-selected checkboxes for non-essential cookie categories when users accessed the preference settings.

Meanwhile, the entertainment website banner obscured important privacy controls behind additional layers of navigation. The IMY reiterated that these practices directly contradict GDPR requirements for explicit, affirmative consent and constitute clear violations of Swedish law.

Key takeaways:

  • Visually imbalanced banners (bright “Accept”, dull “Reject”) are non-compliant.
  • Rejecting cookies must not be harder than accepting them.
  • Misleading language (“I understand”, scare tactics) is flagged as manipulative.
  • Pre-checked boxes and hidden privacy controls violate GDPR.

Don’t let Sweden’s DPA IMY catch you off guard

Start a free trial of Cookie Information consent solution today and secure your cookie compliance.

The practices identified by the IMY are textbook examples of “dark patterns” – manipulative design techniques that subtly guide users toward choices that benefit the service provider rather than respecting user autonomy. But to grasp the significance of these findings, you need to understand the concept of dark patterns and why regulators are increasingly focused on eliminating them from digital interfaces.

What makes these practices “dark patterns”?

Dark patterns exploit cognitive biases and design principles to influence user behavior. In the context of cookie consent, they typically manifest as:

  • Visual hierarchy manipulation: Using size, color, and placement to make “Accept” options more prominent and appealing while de-emphasizing “Reject” options
  • Friction asymmetry: Making acceptance easy while creating additional steps, clicks, or effort for rejection
  • Misleading framing: Presenting cookie acceptance as the obvious or beneficial choice through suggestive language, or using wording that misleads users about the consequences of their choices
  • False dichotomies: Implying that website functionality will be impaired if cookies are rejected (when only essential cookies are actually required)

These techniques don’t just happen by accident – they’re often deliberately implemented to maximize consent rates, even at the expense of genuine user choice.

Why dark patterns matter for user privacy

When users are subtly pushed toward cookie acceptance without understanding the implications, the resulting consent lacks the informed quality required by the GDPR. This creates a situation where data collection occurs without the genuine awareness or agreement of the individual.

They create power imbalances

Dark patterns exploit information and power asymmetries between website operators and visitors. Most users lack a deep understanding of tracking technologies, making them vulnerable to manipulation through design techniques that exploit cognitive biases.

They erode trust in digital services

When users eventually realize they’ve been manipulated into consent, it damages trust in the brand and in digital services more broadly. This creates a negative cycle where users become increasingly suspicious of privacy interfaces.

They undermine regulatory intent

The spirit of privacy regulations like the GDPR is to give individuals genuine control over their personal data. Dark patterns systematically find a way around this intent while creating the appearance of compliance.

The Swedish DPA’s specific concerns

The IMY’s April 2025 enforcement actions revealed specific concerns that should guide your approach to cookie consent:

Equal prominence requirement

The IMY explicitly stated that options to accept or reject cookies must be presented with equal visual prominence. This means similar:

  • Button size
  • Color and contrast
  • Positioning
  • Typography

The regulator rejected the argument that business interests justify making acceptance more prominent than rejection.

First-layer completeness

The Swedish DPA emphasized that core cookie choices must be available on the first layer of any consent interface. While granular controls can exist on secondary layers, fundamental options to accept or reject should not require additional navigation.

Language transparency

The IMY specifically criticized euphemistic or misleading language in cookie banners. They clarified that cookie descriptions must:

  • Clearly state what data is collected
  • Identify who receives the data
  • Explain the specific purposes of processing
  • Avoid emotionally manipulative framing

Technical implementation reality

Importantly, the IMY verified whether technical implementations actually respected user choices. Having a compliant-looking banner isn’t sufficient if the underlying technology still deploys cookies despite rejection.

This focus aligns with previous guidance from other European DPAs, particularly the French CNIL and the Belgian DPA, reinforcing the continent-wide consensus against manipulative consent practices.

Make it easy for users to give (or refuse) consent while keeping your website fully aligned with Swedish and EU cookie rules.

To understand what your organization needs to do to avoid similar scrutiny, let’s break down Sweden’s specific requirements for cookie consent banners in 2025.

Sweden’s approach to cookie regulation blends two key pieces of legislation:

The General Data Protection Regulation (GDPR): establishes overarching principles for consent to personal data processing, including:

  • The requirement for lawful basis (including consent for most cookie-based processing)
  • Standards for valid consent (freely given, specific, informed, and unambiguous)
  • Principles of transparency and data minimization
  • Requirements for demonstrating accountability

The Swedish Electronic Communications Act (LEK): contains specific provisions on cookies and similar tracking technologies, requiring:

  • Prior informed consent before storing or accessing information on user devices
  • Clear and comprehensive information about cookie purposes
  • Exceptions only for “strictly necessary” cookies required for service delivery

Together, these create a comprehensive framework governing how websites must obtain consent before storing or accessing information on user devices.

Based on the April 2025 enforcement actions and previous guidance, here are the specific requirements for cookie banners targeting Swedish users:

  • Non-essential cookies must not be deployed before users have provided affirmative consent
  • Consent must be freely given, specific, informed, and unambiguous
  • Implied consent (e.g., continued browsing) is not sufficient
  • Pre-ticked boxes are explicitly prohibited

2. Equal prominence and accessibility

  • “Accept” and “Reject” options must be presented with equal visual prominence
  • Both options must be available on the first layer of the cookie banner
  • Color, size, and placement must not nudge users toward acceptance
  • The effort required to reject cookies must not exceed that required to accept them

3. Clear and accessible information

  • Information about cookie purposes must be provided in plain, understandable language
  • Cookie categories must be clearly defined and explained
  • Information about data recipients and retention periods must be accessible
  • Details about specific cookies used must be available

4. Granular control

  • Users must have the option to consent to some cookie categories while rejecting others
  • Cookie preferences must be manageable at a granular level
  • Category-specific consent must be respected

5. Withdrawal mechanism

  • Users must be able to withdraw consent as easily as they gave it
  • A persistent mechanism to access and modify cookie preferences must be available
  • Withdrawal must be possible without detriment to the user

Key takeaways:

  • Consent must be explicit, informed, and given before cookie use.
  • Rejecting cookies must be just as easy as accepting.
  • Cookie purposes, recipients, and durations must be explained.
  • Users need a simple way to withdraw consent at any time.

Consequences of non-compliance

The IMY has shown its willingness to enforce these requirements through formal criticism, which can escalate to more serious consequences:

  • Administrative fines of up to €20 million or 4% of global annual turnover
  • Brand reputation impact from public enforcement actions and negative perception among privacy-conscious Swedish consumers
  • Potential loss of consumer trust

In addition, fixing compliance issues under emergency conditions can cause significant disruption: rushed technical implementations, diversion of legal and compliance resources, and interruption of marketing campaigns.

Easily implement a compliant cookie banner that meets IMY’s latest requirements – no setup headaches, just straightforward compliance from day one.

| Feature | Compliant | Non-compliant |
|---|---|---|
| Consent options visibility | “Accept” and “Reject” buttons equally visible on first layer | “Reject” hidden in settings or less prominent than “Accept” |
| Button design | Same size, color, and position for all options | “Accept” is highlighted; “Reject” is dull or styled as a text link |
| Consent choice effort | One-click accept or reject | One-click to accept, multi-step to reject |
| Language clarity | Simple, neutral language – e.g. “Accept”, “Reject” | Vague or manipulative wording – e.g. “I understand”, “Improve your experience” |
| Pre-selected options | All non-essential cookies off by default | Consent to some categories pre-checked or enabled by default |
| Information provided | Clear explanation of purpose, data use, recipients, and retention | Missing or vague information about cookie use and third parties |
| Consent logging | Consent choices logged with timestamp and scope | No reliable consent logging or documentation |
| Withdrawal mechanism | Easy to access and update preferences at any time | No clear way to withdraw or update consent preferences |

How to make your banner compliant in Sweden (and across the EU)

If the Swedish decision has you thinking, “Is my cookie banner compliant?”, you’re asking the right question. The good news: we can distill IMY’s findings into actionable steps. Here’s a guide for tweaking your consent UI and practices to ensure they meet Sweden’s (and Europe’s) standards in 2025:

Choose an EU-based CMP built for GDPR

Start with a cookie consent management platform that’s designed for European compliance – not just a cookie pop-up tool. Cookie Information’s EU-based CMP stores consent data entirely in the EU, includes Swedish law–aligned templates, and keeps full logs of user choices and timestamps.

Make your “Accept” and “Reject” buttons look and feel the same – same size, same color, same position. Both options need to be right there on the first screen (the “first layer”), and users should find granular settings without digging through hidden layers.

Tip: Cookie Information’s CMP can be styled to match your brand without compromising on compliance.

Skip the buzzwords and get to the point. Tell users exactly what each cookie does, without scare tactics or vague phrases like “improve experience”. Link clearly to your cookie policy – and make sure that policy actually matches what your banner does.

Tip: Cookie Information’s CMP automates your cookie policy by keeping it up-to-date with new cookies or trackers found in your regular website scans.

Blocking cookies by default isn’t optional – it’s the law. Make sure your CMP and tag manager are set up to fire scripts only after consent, and audit regularly to make sure you’re not dropping unauthorized cookies in the background.
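
The audit described above, and the earlier point that IMY checks whether rejection is technically respected, can be run over a recorded page-load trace. This is an added example, not Cookie Information's code: the cookie inventory, category names, event format and sample trace are all constructed assumptions.

```javascript
// Added example: flag cookies written before, or against, the visitor's
// consent choice in a recorded page-load trace.
// Everything below (inventory, categories, trace format) is constructed.

const NECESSARY = 'necessary';

// Hypothetical cookie inventory (name -> category), e.g. from a site scan.
const INVENTORY = new Map([
  ['session_id', NECESSARY],
  ['consent_state', NECESSARY],
  ['stats_visitor', 'statistics'],
  ['ads_click_id', 'marketing'],
]);

// Constructed trace; t is milliseconds since navigation start.
// A 'consent' event replaces the previous decision, so an empty
// granted list models a withdrawal or a "Reject" click.
const SAMPLE_TRACE = [
  { t: 0,    type: 'cookie_set', name: 'session_id' },
  { t: 5,    type: 'cookie_set', name: 'stats_visitor' },
  { t: 1200, type: 'consent',    granted: ['statistics'] },
  { t: 1210, type: 'cookie_set', name: 'stats_visitor' },
  { t: 1215, type: 'cookie_set', name: 'ads_click_id' },
  { t: 1300, type: 'cookie_set', name: 'mystery_px' },
  { t: 5000, type: 'consent',    granted: [] },
  { t: 5010, type: 'cookie_set', name: 'stats_visitor' },
];

function auditTrace(events, inventory = INVENTORY) {
  const findings = [];
  let decided = false;        // has the visitor made any choice yet?
  let granted = new Set();    // categories allowed by the latest choice

  // Process in time order; Array.prototype.sort is stable, so events
  // sharing a timestamp keep their recorded order.
  const ordered = [...events].sort((a, b) => a.t - b.t);

  for (const ev of ordered) {
    if (ev.type === 'consent') {
      decided = true;
      granted = new Set(ev.granted);
      continue;
    }
    if (ev.type !== 'cookie_set') continue;

    const category = inventory.get(ev.name);
    let reason = null;
    if (category === undefined) {
      // Not in the inventory: cannot be shown to be strictly necessary.
      reason = 'unclassified';
    } else if (category !== NECESSARY && !decided) {
      // Non-essential cookie written before any choice was made.
      reason = 'set_before_consent';
    } else if (category !== NECESSARY && !granted.has(category)) {
      // Written after a choice that did not include this category.
      reason = 'set_without_consent';
    }
    if (reason) {
      findings.push({ t: ev.t, cookie: ev.name, category: category || null, reason });
    }
  }
  return findings;
}

// Count findings per reason for a quick report.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.reason] = (counts[f.reason] || 0) + 1;
  return counts;
}

console.log(auditTrace(SAMPLE_TRACE));
console.log(summarize(auditTrace(SAMPLE_TRACE)));
```

An empty findings list for every tested consent path (accept all, reject all, partial, withdrawal) is the evidence that the banner's choices are enforced and not just displayed.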

Adapt your marketing stack to stay compliant

Configure analytics and marketing tools to honor consent decisions and explore EU-based or cookieless options when needed. Consider A/B testing compliant banner designs to improve consent rates ethically, and create respectful marketing strategies that engage both consenting and privacy-conscious users through transparent, first-party data practices.

Tip: Cookie Information integrates seamlessly with Google Consent Mode v2, Google Tag Manager, and Piwik PRO, among other tools – making it easy to enforce user choices across your entire marketing stack while staying fully GDPR-compliant.

Trelleborg AB’s custom cookie consent banner

Trelleborg AB, a global engineering group headquartered in Sweden, faced a similar challenge back in 2018 – how to ensure GDPR-compliant cookie consent across a large and complex digital portfolio.

With operations in 40 countries and a growing number of website domains, the stakes were high. But instead of relying on patchwork solutions or risky shortcuts, the company made an early move toward a transparent, user-friendly consent approach.

After seeing a live presentation from Cookie Information, the team at Trelleborg quickly recognized the importance of getting consent right – not just to comply with the law, but to simplify processes and build trust across all their markets, including Sweden.

Implementation of Cookie Information’s Consent Management Platform was fast and intuitive, with onboarding support that helped them scale easily.

“We could easily integrate Cookie Information’s cookie consent management platform on our domains and adapt it to fit our website structure.”

Richard Andersson

Group Digital Manager, Trelleborg AB

Unlike many businesses now caught off guard by IMY’s 2025 enforcement actions, Trelleborg took a proactive approach – investing in a platform that aligns with evolving privacy expectations and removes the risk of dark patterns with pre-built banner templates. Cookie Information’s consent solution is designed to make consent clear, user-friendly, and GDPR-compliant by default.

Start your 14-day free trial of Cookie Information consent solution today – no credit card required, cancel anytime.

Sweden’s April 2025 enforcement makes one thing crystal clear: the era of manipulative cookie banners is ending. From Stockholm to Brussels, regulators are done tolerating dark patterns, buried reject buttons, and banners that trick users into handing over their data.

France’s CNIL, Belgium’s DPA, the UK’s ICO, Norway’s Datatilsynet – and now Sweden’s IMY – are all pushing toward the same goal: clear, honest, user-friendly consent.

The message? Consent must be real, not rigged.

At the same time, Europe’s data protection authorities are warning businesses to rethink their use of U.S.-based analytics and ad tools. While the EU-US Data Privacy Framework (DPF) remains operational, recent political developments following President Trump’s return to office have introduced questions about its long-term stability.

For marketers, this isn’t just about staying out of trouble – it’s about protecting your data pipeline, your brand reputation, and your ability to measure performance and optimize effectively. If you rely on tracking to drive results, then how you collect consent and which tools you trust with that data matters more than ever.

Here’s where to start:

  • Fix your cookie banner UX: Make rejecting as easy as accepting – no buried settings, no confusing language.
  • Drop dark patterns: Don’t nudge, mislead, or manipulate. Transparency builds trust – and passes DPA audits.
  • Rethink your reliance on U.S. tools: If you use platforms that export data to the U.S., consider EU-based alternatives before the next legal challenge hits.
  • Build a first-party data strategy: Focus on meaningful, consented interactions – because clean data is better data.

Frequently asked questions

What did Sweden’s DPA rule about cookie banners in April 2025?

Swedish DPA Integritetsskyddsmyndigheten (IMY) issued formal criticisms against three companies for using dark patterns in their cookie banners – designs that nudged users toward accepting cookies without offering a fair or transparent choice.

Which companies were investigated?

The three companies investigated were major players in the Swedish market for online betting and gaming, media publishing and entertainment. Each was found to have violated key consent requirements under Swedish and EU privacy law.

What are “dark patterns” in cookie banners?

Dark patterns are design tricks – like making “Accept” buttons bright and visible while hiding or complicating the “Reject” option – that influence users to consent without a real, informed choice.

Why are dark patterns a problem under GDPR?

They undermine the idea of freely given, informed consent. If users are manipulated into agreeing, the consent is not valid – and any data collected may be processed unlawfully.

What exactly does Swedish cookie law require in 2025?

Websites must show clear, balanced consent options on the first screen, provide easy access to granular choices, use plain language, and block non-essential cookies until consent is given.

What’s the difference between the three cases?

Two were flagged for dark patterns like unbalanced buttons and misleading language. The entertainment website was criticized for failing to give users enough information about who was collecting data and why.

How can I make my cookie banner compliant in Sweden?

Use a GDPR-compliant, EU-hosted Consent Management Platform (CMP) like Cookie Information CMP. Make sure your banner includes “Accept” and “Reject” buttons on the first layer, is free from dark patterns, and fully respects user choices.

What are the consequences of non-compliance with IMY?

Companies may face public enforcement actions, reputational harm, or even administrative fines under the GDPR. Regulators also expect technical enforcement – meaning consent settings must actually control cookies behind the scenes.

Where can I learn more about cookie compliance in Sweden?

Check out Swedish cookie guidelines and explore our full guide on designing compliant cookie banners in 2025.

What is an EU-based consent management platform (CMP)?

An EU-based CMP is a privacy tool that collects and manages user consent while ensuring data remains within the EU. These platforms eliminate cross-border risks and help marketers maintain compliance without sacrificing data-driven capabilities.

How do EU-based CMPs improve marketing performance?

Besides protecting compliance, top EU CMPs improve consent rates through optimized UX, A/B testing, and localization. This means more usable data for analytics, targeting, and personalization – resulting in better marketing outcomes.

What’s the ROI of switching to EU-based platforms?

While there may be short-term migration costs, the ROI comes from uninterrupted marketing operations, higher consent rates, and greater customer trust. Plus, you avoid costly fines, emergency replatforming, and brand damage.

The post Swedish DPA targets dark patterns in cookie banners: is your website compliant? appeared first on Cookie Information.

]]>