Norway’s Electronic Communications Act (E-Com Act) mandates explicit user consent for cookies and online tracking. Aligned with GDPR and the EU’s ePrivacy Directive, E-Com introduces consent-based rules for cookies and online tracking. Is your website ready?
The Norwegian Electronic Communications Act regulates electronic communications more broadly and specifically includes data privacy and consumer rights as a part of its mandate. Norway’s E-Com Act introduces stricter cookie consent rules to bring them in line with GDPR and the EU ePrivacy Directive.
If your website collects or processes user data through cookies, you must obtain clear and explicit user consent before tracking begins.
The regulation places a host of demands on businesses, which are now required to provide:
Explicit user consent required:
Users must actively accept cookies before they are placed
Equally accessible “reject” option:
Cookie banners must provide a clearly visible and easy-to-use “reject” button alongside the “accept” button
Clear and transparent information on cookies:
Websites must provide a detailed explanation of what cookies do, why they are used, and who has access to the collected data
Easy consent withdrawal:
Users must be allowed to change or withdraw their cookie preferences at any time
Consent logs:
Businesses must record and securely store consent data to demonstrate compliance in the event of an audit or legal inquiry
Any business or website that processes data from Norwegian users, regardless of where the business is physically located, must comply with this law if they:
Operate an e-commerce store targeting Norwegian customers
Run a news or media website that collects user data
Use tracking technologies
Engage in digital marketing using cookie-based advertising
Norway’s E-Com Act stipulates a number of data privacy and consent-related consumer rights:
Consumers must give explicit and active consent before websites or apps deploy any non-essential cookies or tracking technologies.
Consumers are entitled to transparent information regarding the types of data being collected, the purposes of collection, data storage duration, and any transfers to third parties.
Users can consent to different categories of processing separately—for instance, analytics, marketing, or personalization—rather than being forced into an all‑or‑nothing choice.
Consumers can withdraw or modify previously given consent at any time, and businesses must provide user‑friendly mechanisms (e.g., one-click withdrawal through a Consent Management Platform).
Businesses may only deploy cookies or tracking mechanisms that are strictly necessary for functionality if they have not obtained valid consent.
Consumers must be informed of their rights to lodge complaints with the Norwegian Data Protection Authority (Datatilsynet) or seek legal remedies under Norway’s Personal Data Act. This includes access to enforcement and supervisory channels.
If your website uses cookies for analytics, personalization or marketing, you must comply with the E-Com Act rules. And most businesses with an online presence do use cookies to track behavior, preferences, and interactions. As such, it is essential to manage cookie consent properly, implementing a compliant cookie banner that enables explicit accept and reject buttons, allows for consent withdrawal at any time, provides a visible preference management link, and stores consent log records to prove compliance in the event of an audit.
Penalties for failure to comply can be harsh: fines of up to 4% of global annual revenue, or 20 million EUR, as well as the intangible and incalculable loss of user trust and reputational damage.
Compliance with the E-Com Act can be achieved by taking a few key actions:
Review data practices for consent:
Ensure that you obtain explicit, informed consent before storing or accessing non-essential cookies. Pre-ticked boxes and implied consent are non-compliant
Provide clear choices:
Allow users to accept or reject different categories of cookies without influencing their choice and make consent withdrawal transparent
Ensure a symmetrical user experience:
Make “reject all” as easily accessible as “accept all” without burying the options under multiple clicks or with confusing wording
Avoid dark patterns and bundling:
Make sure that consent can be freely given, specific and not conditional
Implement consent management:
Platforms like CookieHub provide an easy way to manage consumer consent for data processing
The E-Com Act regulates the provision and use of electronic communication services and networks in Norway. It covers areas such as privacy, data protection, security, and the responsibilities of service providers in the electronic communications sector.
Personal data refers to any information relating to an identified or identifiable individual. This includes details like names, contact information, IP addresses, and any data that can directly or indirectly identify a person.
Sensitive data includes personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, sexual orientation, or other information that requires special protection due to its sensitive nature.
The Norwegian Communications Authority (Nkom) is the official regulatory body responsible for overseeing and enforcing the E-Com Act in Norway.
Certain organizations or services may be exempt, including those outside the scope of electronic communications, private internal networks without public access, and specific small-scale operators. However, exemptions are limited and clearly defined by law.
More details can be found on the Norwegian Communications Authority’s website (Nkom) and through official government publications related to the E-Com Act.
©2025 CookieHub ehf.
