How Sweden Regulates Cookies: Two Authorities, Two Laws
Sweden's cookie rules sit at the intersection of two legal frameworks and two supervisory authorities. The Swedish Electronic Communications Act (Lagen om elektronisk kommunikation, or LEK) transposes the EU ePrivacy Directive into Swedish law. Chapter 9, Section 28 of LEK states that visitors must be told what cookies a site uses, what purpose they serve, and how to avoid them. Chapter 6, Section 18 goes further: no information may be stored on or retrieved from a user's device without express consent, unless the cookie is strictly necessary.
The Swedish Post and Telecom Authority (PTS) supervises LEK compliance, while the GDPR - applied directly in Sweden since 2018 - is enforced by Integritetsskyddsmyndigheten (IMY), Sweden's data protection authority.
In practice, any cookie that processes personal data falls under both laws simultaneously. PTS handles the technical storage question; IMY handles the data protection question. If your site drops a _ga or _fbp cookie without valid consent, both authorities could take an interest.
What LEK Requires: Consent Before the Cookie
LEK mirrors Article 5(3) of the ePrivacy Directive. The principle is straightforward: obtain consent before placing any non-essential cookie. That consent must be freely given, specific, informed, and unambiguous - the same standard as GDPR Article 7.
There are two exceptions. Cookies that are technically necessary to transmit a communication over a network do not need consent. Cookies strictly required to provide a service the user explicitly requested - such as a session cookie keeping a shopping cart active - are also exempt.
Everything else needs prior opt-in consent. That includes analytics cookies, marketing cookies, social media tracking pixels, and any third-party scripts that read or write data on the visitor's device.
IMY's 2025 Enforcement: Dark Patterns Under the Microscope
In April 2025, IMY issued formal reprimands to three companies - ATG, Aller Media AB, and Warner Music Sweden AB - for non-compliant cookie banners. The cases stemmed from individual user complaints rather than a coordinated investigation, showing that a single complaint can trigger regulatory action.
The central issue was dark patterns in consent interfaces. IMY identified several design flaws that invalidated consent:
A prominent "Accept" button in a contrasting colour, while the reject option was a less visible text link
Pre-checked boxes for non-essential cookie categories
Coercive phrasing steering users toward acceptance
IMY's position is clear: visitors must be able to distinguish between "yes" and "no" equally. Both options should appear as buttons of the same size, displayed next to each other. Hiding or minimising the reject option does not produce valid consent under GDPR Article 4(11).
PTS and IMY: Who Enforces What?
The division of responsibilities between PTS and IMY can seem confusing from the outside. This table clarifies which authority covers what.
| Area | Responsible Authority | Legal Basis |
|---|---|---|
| Storing or accessing cookies on a device | PTS | LEK Chapter 6, Section 18 |
| Informing users about cookies and their purposes | PTS | LEK Chapter 9, Section 28 |
| Validity of consent (freely given, informed, specific) | IMY | GDPR Articles 4(11) and 7 |
| Processing personal data collected via cookies | IMY | GDPR Article 6 |
| Dark patterns and deceptive design in banners | IMY | GDPR Articles 4(11), 7, 25 |
| Data subject rights (access, deletion, portability) | IMY | GDPR Articles 15-22 |
PTS has historically been less active in enforcement. By the end of 2022, PTS had initiated only four supervisory proceedings against two companies and two public authorities. All four matters were closed in late 2023 after the organisations corrected their practices.
IMY, by contrast, has ramped up enforcement. In 2024, IMY closed 326 supervisory matters and imposed fines totalling SEK 60.6 million (approximately EUR 5.5 million) across six cases. Two notable fines targeted pharmacies Apoteket AB (SEK 37 million) and Apohem AB (SEK 8 million) for failures related to Meta Pixel data sharing.
Cookie Banner Design Rules for Swedish Websites
PTS and IMY guidance together create a specific set of design requirements for cookie banners served to visitors in Sweden.
First Layer: The Banner Itself
The banner must display a brief but clear description of what cookies the site uses and why. Accept and reject options must appear in the same view, as buttons of equal size and visual weight. It should not require more clicks to refuse cookies than to accept them.
Second Layer: Detailed Information
A second layer - accessible from the banner - must provide detailed information about each cookie category, including specific cookie names, their purposes, and how long they persist. This information should also appear in the site's cookie policy.
What Is Prohibited
Cookie walls that block access to the entire site until a visitor consents to non-essential cookies are not permitted. Pre-ticked checkboxes for optional categories violate the active consent requirement. Consent collected through continued browsing or scrolling is invalid.
How Sweden Fits Into the Broader Nordic and EU Picture
Sweden's approach aligns closely with its Nordic neighbours. Denmark's Datatilsynet and Finland's Traficom apply similar consent-before-cookies models derived from the same ePrivacy Directive. All three countries require opt-in consent for analytics and marketing cookies, reject cookie walls, and increasingly target dark patterns.
Across the EU, the trend is consistent. The EDPB's guidelines on consent under GDPR set the baseline, and national DPAs like France's CNIL and Germany's federal DPA have issued similar guidance. If your site already complies with CNIL's cookie guidelines, the adjustments for Sweden are minimal - primarily ensuring the banner text and policy are available in Swedish where appropriate.
Compliance Checklist for Websites Targeting Sweden
Use this checklist to verify your site meets Swedish cookie requirements:
Audit your cookies. Run a cookie scan to identify every cookie and tracking technology on your site, including those set by third-party scripts.
Classify each cookie. Separate strictly necessary cookies (exempt) from analytics, marketing, and functional cookies (consent required).
Block non-essential cookies before consent. No _ga, _fbp, _gid, or similar cookies should fire until the visitor actively opts in.
Design an equal-choice banner. Accept and reject buttons must be the same size, in the same colour scheme, and in the same view. No hidden reject links.
Provide layered information. Brief description in the banner; full details - cookie names, purposes, durations - in a second layer or cookie policy.
Record consent. Store proof of each visitor's consent choice, including timestamp and the version of the banner shown. Swedish authorities expect records to be kept for at least five years.
Allow easy withdrawal. Provide a persistent link or button so visitors can change their cookie preferences at any time. Withdrawing consent should require no more effort than giving it.
Implement Google Consent Mode v2 if you use Google Analytics or Google Ads, to ensure tags respect the visitor's consent state.
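The blocking, record-keeping and Consent Mode items above can be checked in code. The following is an added example, not code from this page or from any vendor: it audits a document.cookie-style string for cookies present without opt-in, maps banner choices to Consent Mode v2 signals, and builds a consent record. The strictly necessary cookie names (session_id, cart_id), the sample cookie string and the banner version label are assumptions made for illustration.

```javascript
// Added example. The consent-required map uses the cookies named on this page;
// the strictly necessary names are assumptions for a hypothetical shop.
const CONSENT_REQUIRED = { _ga: 'analytics', _gid: 'analytics', _fbp: 'marketing' };
const STRICTLY_NECESSARY = new Set(['session_id', 'cart_id']);

// Classify one cookie name. Anything unknown is treated as needing consent.
function classifyCookie(name) {
  if (STRICTLY_NECESSARY.has(name)) return 'necessary';
  if (name.startsWith('_ga_')) return 'analytics'; // GA4 per-property cookies
  return CONSENT_REQUIRED[name] || 'unclassified';
}

// Parse a document.cookie-style string and list cookies present without opt-in.
function auditCookies(cookieString, choices = {}) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter(Boolean)
    .map((name) => ({ name, category: classifyCookie(name) }))
    .filter((c) => c.category !== 'necessary' && choices[c.category] !== true);
}

// Map banner choices to Google Consent Mode v2 signals; the default is denied.
function consentModeState(choices = {}) {
  const flag = (granted) => (granted === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(choices.analytics),
    ad_storage: flag(choices.marketing),
    ad_user_data: flag(choices.marketing),
    ad_personalization: flag(choices.marketing),
  };
}

// Build the consent record the checklist asks for: timestamp, banner version, choices.
function buildConsentRecord(choices, bannerVersion, now = new Date()) {
  return Object.freeze({
    timestamp: now.toISOString(),
    bannerVersion,
    choices: Object.freeze({ ...choices }),
  });
}

// Constructed sample: cookies seen on first page load, before any banner click.
const preConsentCookies = 'session_id=abc; _ga=GA1.1.1.1; _fbp=fb.1.1.1; theme=dark';
console.log(auditCookies(preConsentCookies)); // flags _ga, _fbp and the unclassified "theme"
// In the page: gtag('consent', 'default', consentModeState()) before any tag loads,
// then gtag('consent', 'update', consentModeState(choices)) once the visitor decides.
```

An empty result from auditCookies on a first page load, before the visitor has touched the banner, is the outcome to aim for; anything flagged as unclassified needs a decision in the cookie classification step.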
Frequently Asked Questions
Does Sweden require cookie consent for analytics cookies like Google Analytics?
Yes. Under LEK and GDPR, analytics cookies such as _ga and _gid are not strictly necessary to deliver the service a visitor requested. You must obtain active opt-in consent before these cookies are placed.
Can I use a cookie wall on a Swedish website?
No. PTS guidance states that conditioning access to a website on accepting non-essential cookies is not permitted. Visitors must be able to browse the site without consenting to optional cookies.
What is the difference between IMY and PTS for cookie enforcement?
PTS oversees the technical rules on storing and accessing cookies under LEK, while IMY enforces GDPR requirements around consent validity, personal data processing, and deceptive design patterns in cookie banners.
What fines can Swedish authorities impose for cookie violations?
Under GDPR, IMY can impose fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. In 2024, IMY imposed a total of SEK 60.6 million in fines across its enforcement actions.
Do I need to show my cookie banner in Swedish?
There is no strict legal requirement to present the banner in Swedish, but PTS expects users to receive clear and understandable information. If your audience is primarily Swedish-speaking, providing a Swedish-language banner is strongly recommended to meet the informed consent standard.
How long should I keep cookie consent records in Sweden?
Swedish data authorities expect consent records to be retained for a minimum of five years. These records should include the timestamp of consent, the version of the banner shown, and the choices the visitor made.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.