Insight · Norway · Patrick Smith, CIPP/E
Norway's New Cookie Rules
The short answer: since 1 January 2025, Norway's new Electronic Communications Act (ekomloven) requires GDPR-standard consent before non-essential cookies are set for Norwegian users. Browser-settings consent — the old Norwegian shortcut — is gone. Datatilsynet published detailed guidance in April 2025, and many sites whose banners are scoped to "EU visitors only" are quietly non-compliant in Norway without knowing it.
What changed
From browser settings to real consent
For years Norway was the soft spot in European cookie law. The old Electronic Communications Act allowed consent to be inferred from browser settings, so many sites served Norwegian users trackers with no banner at all — or a banner built for looks rather than law. The new ekomloven, in force since 1 January 2025, closes that gap: consent for cookies and similar technologies must now meet the GDPR's definition — a freely given, specific, informed, and unambiguous indication by a clear affirmative act.
Supervision is shared between the Norwegian Communications Authority (Nkom) and Datatilsynet, and where the cookie data is also personal data — as analytics and advertising identifiers usually are — the GDPR applies on top with its ordinary sanctions. Datatilsynet's April 2025 guidance spells out what it expects a compliant setup to look like.
What Datatilsynet expects a banner to do
- Affirmative choice. No pre-ticked boxes; no consent inferred from scrolling, browsing, or defaults.
- Reject as easy as accept. The options carry equal prominence — no buried reject link under a bright accept button.
- Granular purposes. Analytics, advertising, and functional cookies consented to separately, not bundled.
- No cookies before consent. Non-essential cookies stay unset until the user actually chooses.
- Easy withdrawal. Consent can be withdrawn as easily as it was given, at any time.
The trap for international sites
The most common failure we see is not a bad banner — it is a good banner that never fires. Several consent-management platforms geo-target their banners to "the EU," and Norway, as an EEA state rather than an EU member, falls outside that scope unless someone ticks the extra box. The result is a site that is compliant in Berlin and silently non-compliant in Oslo. The rules protect users in Norway regardless of where the site owner sits, so a foreign company directing services to the Norwegian market is expected to obtain valid consent from its Norwegian visitors.
What to do about it
The fix is usually short: confirm the consent platform's geo-scope includes Norway, verify no non-essential cookies fire pre-consent for Norwegian visitors, align the purpose categories with what actually runs on the site, and record consents in a form that can be shown to a regulator. Privello tests cookie setups the way a regulator would — including the Norwegian scope most audits skip — as part of the fixed-fee Cookie Compliance Audit.
Common questions
Questions on the Norwegian cookie rules
What changed in Norway's cookie rules in 2025?
Norway's new Electronic Communications Act (ekomloven) entered into force on 1 January 2025 and raised the standard for cookie consent to the GDPR's definition. Under the old law, browser settings could count as consent. Under the new law, websites need clear, affirmative, informed consent before setting non-essential cookies or similar tracking technologies for Norwegian users.
Is continuing to browse, or a pre-ticked box, valid consent in Norway?
No. Consent must now meet the GDPR standard: a clear affirmative act, freely given, specific, and informed. Pre-ticked boxes, implied consent from continued browsing, and defaulted browser settings are no longer valid for non-essential cookies in Norway.
Who enforces the Norwegian cookie rules?
Supervision is shared between the Norwegian Communications Authority (Nkom) and the Norwegian Data Protection Authority (Datatilsynet), which published detailed consent guidance in April 2025. Where cookie data is also personal data — which analytics and advertising identifiers usually are — the GDPR and Datatilsynet's ordinary enforcement powers apply on top.
Our banner is already GDPR-compliant for the EU. Does it cover Norway now?
Much closer than before, but it should be checked rather than assumed. The consent standard is now aligned with the GDPR, and Datatilsynet's guidance mirrors EU expectations: reject must be as easy as accept, equal prominence for the options, granular purposes, and easy withdrawal. The check is whether the banner actually fires for Norwegian users — some geo-targeted consent platforms scope banners to “EU only” and quietly skip EEA states like Norway.
Do the rules only apply to Norwegian companies?
No. The rules protect users in Norway, so a foreign website directing services to the Norwegian market is expected to obtain valid consent from its Norwegian visitors, wherever the site owner is established.
Begin
Check whether your banner fires in Oslo
If Norwegian users are in your traffic, the two-week Cookie Compliance Audit covers the ekomloven scope alongside the EU and Swiss rules — one report, all three regimes.