James Royal-Lawson


EU Cookie law in Sweden

Slowly but surely we’re getting a picture of what is expected of website owners (and indeed application providers) in respect of the Swedish response to the EU directive on online-privacy.

The Cookie Law

a bin that looks like Cookie Monster eating a cookie

Photo by Timm Schneider

Most of us are calling it The Cookie Law, but it’s broader than that. The Swedish Electronic Communications Act covers (amongst other things) the storage and reading of information on a terminal device and how you must obtain consent from the user prior to reading or writing such information.

A terminal device isn’t just a desktop or a laptop computer – it could also be, for example, a mobile phone, tablet, internet TV, or even a game console.

For the majority of websites, the data the law refers to is in the form of HTTP cookies, but it also includes Flash cookies, Silverlight cookies, HTML5 web storage, and other similar types of data transferred back and forth across the internet.

Some cookies are excluded from the law. These are cookies (or other such information) that are essential for the provision of the service you are accessing.

The most straightforward example is that of a shopping cart on an e-commerce site. You’ll have to come to your own conclusion about what is essential and what isn’t on your website.

What’s the response so far?

At the time of writing, most websites are either saying nothing or following the previous law from 2003, SFS 2003:389, which required website owners to declare that they used cookies.

A relatively small number of sites have taken steps to comply with the new law. The ways in which they have tried to comply vary from token gestures through to large consent banners covering the prime real-estate of the website.


Screenshot of featuring an opt-in banner

An onslaught from PTS?

PTS have a fair bit of information on their website to assist website owners. There’s no need to panic: PTS isn’t going to jump on websites and close them down. Their normal routine, if they receive a complaint, would be to write to the website owner with some advice and the chance to correct the situation.

During the 8-year lifetime of the previous Cookie law, only a handful of websites were warned, and no website was prosecuted. I expect it will be a similar situation this time round too.

The Swedish trade organisation, IAB Sweden, has produced guidelines as to how to comply with the law. It was stated during the preparation of the new law that best practice should be developed by website owners; the IAB’s recommendation is an expression of such best practice.

The IAB recommendation

What IAB recommend, and a recommendation I endorse for Swedish websites, is that the browser settings can be used to imply consent – but that consent can only be inferred if the use of cookies is described and explained in a way that is easily understood.

All cookies, including third party cookies, should be explained. Information should also be given explaining how the user can withdraw the consent (by disabling cookies in their browser).


The “We use cookies” icon produced by IAB

IAB have produced an icon that can be used to clearly signal that your site uses cookies. They’ve also produced a website, minacookies, that helps explain to users what cookies are as well as providing a home to their recommendations and guidelines.

Audit, be transparent, explain

So, if you are a Swedish company or organisation, targeting a Swedish audience, then you pretty much know what to do – audit your cookies, be transparent, and explain the choices.

You should also do your best to tidy up and remove any scripts and features that you don’t need. (This is not only good housekeeping, but it also helps improve performance and speed of your website.)

It’s even a good chance to check the effectiveness of certain website features. Put measurements in place and assess them (if you don’t already). That Facebook like-box might not actually be worthwhile after all…

Targeting countries outside of Sweden

Sounds simple so far? Well, what complicates matters is that each EU country is putting in place their own interpretation of the EU directive. Some countries are going to have much stricter interpretations of it than Sweden.

European law firm Field Fisher Waterhouse has produced a really useful table giving a country by country implementation status and a synopsis of the legal requirements.

If you are actively targeting people in other EU countries, then you will almost certainly need to comply with the relevant cookie laws in those countries.

Visits from non-targeted countries?

Visits from people in countries that you are not actively targeting are, in my opinion, a bit of a grey-zone.

Technically, you are transmitting and storing data on the user’s computer if you are using cookies – but having a website that specifically complies with all the laws in all other EU countries is going to be awkward at best, impossible at worst.

There’s no guarantee of a one-size-fits-all solution being possible, with the possible exception of the hardcore implementation – no use of cookies on your website.

Nordic and Baltic countries

For Swedish companies, one positive thing to note is that most of the countries neighbouring Sweden – namely Denmark, Finland and Estonia – have implemented the law in a way that is no more strict than the Swedish law. The exceptions to this are Latvia and Lithuania, where a strict prior opt-in (not implied by browser settings) appears to be required.

a map of Scandinavia and The Baltics showing which countries require strict opt-in

Red require strict opt-in, Green via browsers settings.

Norway is not an EU country and is therefore not required to implement the EU directive. That said, Norway often implements them anyway – but at the moment, no formal proposal has been made, and no change of law has been implemented.

Business with integrity

Suffice to say, the Swedish cookie law isn’t out to get normal, honest, websites. It’s there to catch the abusers; the less honest. So those of us running businesses with a fair dose of integrity have nothing to worry about.

Of course, the content of this blog post is just my opinion; you should obtain specific legal advice for your own company.

It would be great to hear in the comments section below what your company has decided to do to be compliant…

James Royal-Lawson is a digital strategist and web manager based in Stockholm, Sweden.

11 Articles worth reading… (Spotted: Week 18-21, 2011)

For your reading pleasure this time, a collection of links (with summaries) including articles related to: web management, UX, cookies, and search.

Web management, UX, mobile web

10 rules to make a great online bank dashboard – Meniga blog

The headline says “online bank” but these 10 rules are just as good for any website

Going Mobile!

“It’s not about making our site work on a mobile device, it is about what our users need when they’re mobile”. A case study from Utah Valley University

New Data: 33% of Facebook Posting is Mobile

Some stats saying that a third of FB updates are from mobile devices. Probably a pretty reasonable statistic – but it was calculated using 70,000 publicly available updates. No idea if that’s a representative selection of FB as a whole. It will of course vary quite dramatically from country to country.

How to improve the usability (and conversion rate) of your forms

Nice little check-list for making better forms.


Is your intranet a dinosaur?

Good set of 6 questions to ask yourself about your Intranet and help prioritise activities. Given that most orgs don’t have an intranet strategy, answering these wouldn’t be too bad a gap-filler.


The Cookie Law in Sweden – Self regulation committee started by the IAB

From July the 1st, an amended law comes into force, making it effectively illegal to create cookies when someone visits your (Swedish) website without explicit permission (in advance). Exactly how the law should be interpreted is a bit unclear. There is a trade organisation working on a recommendation. This change, driven by the EU, is perhaps excellent news for companies offering hosting outside of the EU…

Information Commissioner’s Office

Countries across Europe are starting to implement new laws regarding cookies. The new Swedish law comes into effect on July 1st, but it’s still unclear exactly what needs to be done. Here though is an example of what the Information Commissioner’s Office in the UK has done: a banner on every page asking you to accept cookies.

Search & personalisation

Personalization gone too far

Every single service is fighting to give us “exactly what we want”. But is exactly what we want really what we want? Or need? Take 10 minutes to have a look at this thought-provoking TED talk by Eli Pariser.

Social Search goes global

Google has rolled out search results from your social circle globally. So now everyone will see links shared by their “friends” in their SERPs when Google deems it to be relevant. I’ve been watching this for a fair while now, and it really affects the order of the search results. This is probably the single most significant shake-up of SERPs (for an individual) in ages.

Analytics & Tools

Google Analytics’ New Site Speed Report Tracks Page Load Times

You can now get page load data in Google Analytics. It’s only sampled data (you don’t get figures for every page view) and it needs a slight modification to your tracking code – but worth monitoring. Slow page load times cause visitors to give up.

URL Shortening Services Compared: Pro and Yourls

I make use of both Yourls and pro. pro is more convenient in a number of ways – but with Yourls you own the redirects, you can decide the shortened URL. The power is totally yours.
