Cookies – the new Act relating to Electronic Communications

A cookie is often defined as a small text file that a website places on the user's device while browsing, and which allows storage of information or access to information already stored in the user's equipment. This is a widely used tool that enables internet players to, for example, analyze the effectiveness of website designs and advertising, in addition to verifying the identity of users engaged in online transactions, as well as adapting the content to each user.

As of today, the use of cookies is regulated by the current Act relating to Electronic Communication (the "Act") section 2-7b, which, as a main rule, stipulates that retaining information in the user's communication equipment, or gaining access to this, is not permitted unless the user is informed on which information is processed, the purpose of this processing and who will process the information.

In addition to the obligation to provide information, the user must consent to the use of cookies. These requirements are, however, not an obstacle for technical storage or access to information exclusively for the purpose of transferring communication in an electronic communications network or which is necessary to supply an information societal service in accordance with the user's explicit request. These two exceptions are commonly relied upon by website providers to place "necessary" cookies e.g. enabling the online service to work as requested by the user (thus, it is usually not possible to reject the application of such cookies).

Today, these requirements are rather easy to comply with by relying on a pre-set consent in the web browser's settings, while at the same time providing information via a pop-up message to the visitor when entering the website. Thus, until now, a form of passive consent from the user has been acceptable in Norway for placing cookies.

The background is that pursuant to Section 2-7b in the Act, which implements the Directive on privacy and electronic communication (Directive 2002/58/EC, hereinafter "Directive") Article 5 (3), the definition of "consent" is not to be understood in the same way as in the Norwegian Personal Data Act and the General Data Protection Regulation ("GDPR").^[1] In the EU, the Court of Justice of the European Union ("CJEU") concluded in case C-637/17 (Planet49) that "consent" pursuant to the Directive 5 (3) shall be interpreted in conjunction with the definition of "consent" pursuant to the GDPR Article 4. Further, the CJEU explicitly concluded that a consent is not valid when the use of cookies is permitted by way of a pre-ticked checkbox which the user must deselect to refuse consent.^[2] So the rules have been different in Norway than in the EU.

This may now change following the Proposal, which stipulates that a cookie consent must fulfil the same requirements as under the GDPR to be valid. In other words, a consent must be a freely given, specific, informed, and unambiguous indication of the user's wishes by which the user, by a statement or by a clear affirmative action, signifies agreement to the use of cookies. A passive consent will no longer be sufficient if the Proposal's rules are put into effect. The consent conditions are as follows:

Freely given. The user must not be put in a situation where they feel obligated or bound to consent to the use of cookies to avoid negative consequences.

Specific. The website provider must ensure that the user receives information about the specific purpose of the use of cookies. The consent mechanism should have a separate opt-in for each purpose so that the user may consent to each specific purpose, and the information given should be clearly separated from any other type of information, such as information about the Terms of Use, to ensure that the user is aware of the impact of the different choices available.

Informed. The Proposal explicitly states that the user must be informed on which information is processed, the purpose of this processing and who will process the information. In addition to this information, any other information must be provided which is necessary to enable the user to give an informed consent. This may be done via a pop-up banner or a cookie statement easily available on the website.

Unambiguous indication of wishes. The user must give a statement or a clear affirmative act. As explained above, the CJEU decided that a pre-ticked checkbox which the user must deselect to refuse his or her consent is not sufficient.^[3] However, the act of actively ticking a box when visiting the website, or otherwise choosing technical settings (which are not predetermined), may be a sufficiently clear affirmative act.^[4]

To comply with the Proposal, the user must also be able to withdraw his or her consent at any time. The user must be informed of this right, and it shall be as easy to withdraw as to give consent.

As for the two exceptions, the one for technical storage or access to information exclusively for the purpose of transferring communication in an electronic communications network remains the same. The second exception's wording has been changed by the Ministry, where "strictly necessary" replaces "necessary". We do not believe the change in wording will have much impact. However, it will make it more visible that the exception may only be asserted when the use of cookies is strictly necessary to deliver the online service, in accordance with the user's explicit request. Also, it may make it easier for the authority to prove that a specific type of cookie is not necessary to supply the service. In any case, we believe the exceptions will still be important for website and service providers to place cookies that are required to make the online service function according to the user's expectations.

The changes set out in the Proposal will likely impact internet players that are using cookies as tracking technology on their websites or in their online services such as streaming or social media. The use of pre-ticked checkboxes, which the user must deselect to refuse consent, will likely be history. The same goes for solely depending on predetermined settings in the browser and distribution of bare minimum information via a pop-up window. Website owners and online service providers should verify that their cookie consents are compliant with the GDPR's requirements – freely given, specific, informed, and unambiguous.

^{[1] Prop. 69 L (2012-2013), p. 102.
[2] C-673/17, para. 65.
[3] Ibid.
[4] Prop. 93 LS (2023-2024), p. 291, with further references to GDPR, recital 32.}