Tightening the cookie jar? A look at the proposed new E-com Act

Cookies have been instrumental for websites to offer personalised content and targeted advertising, benefiting both website providers and advertisers. A wide scope of businesses, such as those engaging in the ad-tech industry, base their entire business model on the use, analysis and trade of information collected through cookies for use in tracking, advertising, and other marketing operations. 

The proposal for a new E-com Act encompasses a wide range of new legal regulations related to electronic communication in general, and among these changes, we find new rules for the legality of setting cookies. Regarding the legality of cookies, the proposal aims to harmonise Norwegian rules with the corresponding regulations in the EU's ePrivacy Directive, which are the current applicable rules related to the legality of using cookies in the EU. There has long been a practically significant discrepancy between the rules included in the ePrivacy Directive and the Norwegian E-com Act, which the proposal for the E-com Act now intends to bridge. 

The main legal difference between EU's regulations and the current § 2-7 letter b of the Norwegian E-com Act has been that the ePrivacy Directive states that the legality of setting cookies is contingent on the user giving an active and GDPR-complaint consent, whereas in § 2-7 letter b, there has only been a requirement for the user's general consent without the requirement that the consent must be in line with the GDPR. By way of contrast, § 3-15 of the proposed new E-com Act explicitly requires that the user's consent to the setting and use of cookies must meet the requirements for consent in the GDPR. In short, this means that the setting of cookies in the user's browser and devices is only legal if the user has actively given a consent that is voluntary, specific, informed, unambiguous, documentable.

The most significant consequence of the legislative change will be that companies that set cookies on users' devices cannot have a solution where the user's consent is given by default without the user actively consenting, as has been the case for many businesses operating in Norway where consent mechanisms have been designed on a consent-by-default basis. 

The proposed consent requirement will apply to the setting of the vast majority of cookies, with the exception of cookies that are strictly necessary for the delivery of the services the user has requested. Further, case law from the European Court of Justice shows that such exceptions should be interpreted strictly and narrowly, which means that the use of cookies related to e.g. analysis and tracking for use in marketing and behavioural analysis will not fall under the exception. 

It seems reasonable to assume that the requirement for active consent may lead to fewer users accepting the use of cookies for analysis and tracking of online behaviour. Furthermore, companies relying on collection of huge amounts of data through the use of cookies, such as businesses within the ad-tech industry, will face challenges related to such collection as the scope of data collected through cookies may be reduced significantly. 

It is reasonable to assume that actors engaged within the ad-tech industry, among other companies using cookies in their daily operations, will be significantly affected by the consent requirements included in the proposed new E-com Act.