Sweden

Can you place cookies without consent?

No. According to the Swedish Electronic Communications Act (2022:482) Chapter 9 Section 28, consent is required for placing cookies and similar technologies that are not necessary for the provision of the service expressly requested by the user.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

A recent investigation conducted by the Swedish Post and Telecom Authority (“PTS”) revealed that four Swedish authorities and companies did not comply with the rules on cookies. While this demonstrate that total cookie compliance is yet not achieved, even by some of the most frequently used services in Sweden, it also shows that the PTS has a current focus on cookie compliance. This current focus of the PTS together with the guidance available in the investigation reports and other guidance provided by the PTS, is likely to encourage Swedish companies to strengthen their cookie compliance.

Are there any exemptions if consent is required?

Yes. Consent is not required for cookies or similar technologies that are necessary for the provision of the service. Functional cookies, such as cookies that allow for the consumer to place products in an online store shopping basket, are generally considered as necessary cookies. Moreover, consent is not required for cookies necessary for the transmission of an electronic message via an electronic communications network.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Necessary cookies may be placed automatically (without consent), all other cookies require the users’ consent. Please note that the transparency obligations, as specified below, apply also when placing necessary cookies.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. The consent required for non-necessary cookies uses the same definition for consent found in the GDPR, i.e., the consent must be freely given, specific, informed, and unambiguous, and either a statement or a clear affirmative action. Implied consent does not fulfil this requirement.

Can you set cookies without a cookie notice? 

No. Cookies may only be placed when the user is informed about the cookies, and if the use of cookies involves processing of users’ personal data, the transparency obligations set out in the GDPR apply as well.

Can you set cookies without a cookie banner/ management tool?

No. Consent must be obtained from the user before cookies, other than necessary cookies, are placed on the user’s device. In accordance with Swedish law, such consent must comply with the requirements stipulated in the GDPR, i.e., the consent must be freely given, specific, informed, and unambiguous and may not be obtained through pre-ticked boxes. Moreover, the user must be able to withdraw his/ her consent at any time, as easily as it was given. The recent investigations by the PTS, of four Swedish companies and authorities, emphasised that users must be able to reject non-necessary cookies as easily and in the same layer as the user can consent to such cookies. Moreover, the PTS stressed that it is not allowed to use colours and contrasts to highlight the consent option, i.e. the cookie banner/management tool must be designed in a user-friendly way. The PTS also found that some of the entities did not comply with the information requirements.

Are you able to use cookie walls? 

No. Cookie walls (that block access to a website) cannot be used to obtain consent for cookies from the users. Consent must be given freely, and thus if a cookie wall prevents the use of a website unless consent is given, consent is not given freely.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes.

Although there are a limited number of enforcements, we are now witnessing more and more activity from the PTS with regard to cookies.

In 2023, the PTS investigated the cookie compliance of four major Swedish companies and authorities. The investigation revealed that all four entities breached the cookie rules, mainly with regard to obtaining valid consent.

If the use of cookies will result in processing of personal data, the Swedish Authority for Privacy Protection (“IMY”) also has supervisory responsibilities.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

As far as we are aware, there are no anticipated changes to the rules on cookies. However, there have been changes to the attitudes in the market, at least by the PTS. As aforementioned, the PTS have investigated several Swedish companies and authorities recently and it has also expressed its intention to conduct further investigations.