Cookie Consent and Analytics in Norway: What Norwegian Website Owners Need to Know in 2026

Until January 2025, Norway had the weakest cookie consent standard in the entire EEA. Browser settings counted as valid consent. While Austria, France, and Italy were ruling Google Analytics illegal, Norwegian websites could technically claim their visitors had "consented" by not changing their default Chrome preferences. That loophole is closed. The new ekomloven took effect on New Year's Day 2025, and Datatilsynet is already sanctioning sites that haven't caught up.

From Europe's weakest cookie law to active enforcement

Cookie consent in Norway is governed by the ekomloven (Electronic Communications Act), Norway's implementation of the ePrivacy Directive. Before January 2025, the operative provision was § 2-7 b. It had a loophole that existed nowhere else in Europe: consent could be satisfied through pre-configured browser settings. Enabling cookies in your browser preferences technically counted as consent.

Datatilsynet itself called this "the decidedly worst solution," noting it enabled "extensive collection of personal information with very limited user control."

The new § 3-15, in force since January 1, 2025, eliminates that loophole entirely. Consent must now meet all seven GDPR requirements: voluntary, specific, informed, unambiguous, based on active user action, documented, and easily revocable. No ambiguity.

Only two exemptions exist. A cookie is exempt if its sole purpose is transmitting a communication over a network, or if it's strictly necessary to deliver a service the user explicitly requested. Session cookies, login state, shopping carts. That's it.

Analytics cookies are not exempt. Norway has no first-party analytics exemption. Unlike France, where CNIL allows 22 tools to operate without a cookie banner under strict conditions, Norway has no exemption framework, no approved list, and no carve-out for first-party analytics. This is the same position as Sweden and Denmark.

There's a critical legal nuance here. Under ekomloven, consent is the only valid legal basis for non-essential cookies. GDPR technically permits other bases like legitimate interest for data processing, but for device storage and access, § 3-15 requires consent. Period. Datatilsynet's own guidance states that the E-Com Act "imposes practically stricter requirements than the privacy regulation."

Enforcement is split between two authorities. Nkom (Norwegian Communications Authority) determines whether a technology falls under § 3-15 and whether exemptions apply. Datatilsynet evaluates whether consent is valid and whether data processing complies with GDPR. Both can sanction. Nkom can impose fines up to 5% of global revenue. Datatilsynet can impose standard GDPR fines up to EUR 20 million or 4% of global turnover.

In April 2025, Datatilsynet published comprehensive guidance on the new rules: reject must be as prominent as accept, no pre-ticked boxes, no blocking site access for non-essential cookies, granular choice by purpose, and documented consent records. In March 2026, they held a public webinar because website owners were struggling with compliance.

Datatilsynet: 69 employees, NOK 65 million in fines

Datatilsynet has 69 employees and a budget of approximately EUR 7.5 million (NOK 84 million). For comparison, France's CNIL has over 300 staff. Norway's regulator is small, but it hits hard.

Director General Line Coll, appointed in April 2022, frames privacy as an enabler rather than an obstacle: "Privacy is not an obstacle, but a resource for ensuring responsible digitalization."

In 2024, Datatilsynet registered 4,736 new cases, a record. Complaints from individuals hit 902, a 53% increase over 2023. They conducted 18 inspections, including 6 focused specifically on digital tracking. The authority received 3,191 data breach notifications, with intentional attacks up 39%.

Norway is an EEA member, not an EU member. GDPR applies through the EEA Agreement, implemented via the Norwegian Personal Data Act of 2018. Datatilsynet sits on the European Data Protection Board (EDPB) but without voting rights and without the right to be elected chair. Norway is bound by GDPR, enforces GDPR, but has no vote in shaping it.

One detail says more than any statistic: Datatilsynet does not use analytics cookies on its own website. When the privacy regulator won't use cookie-based analytics, that tells you where the legal standard is heading.

Google Analytics: ruled illegal, then saved by sixteen days

On August 17, 2020, noyb filed 101 complaints across 30 EU/EEA countries. Three targeted Norwegian companies. Complaint #18 targeted Telenor for using Google Analytics.

On March 1, 2023, Datatilsynet issued a preliminary decision finding that Telenor's use of Google Analytics violated GDPR Article 44. The technical problem: IP anonymization happened on Google's US servers, meaning IP addresses were transferred to the US before being truncated. Standard Contractual Clauses plus Telenor's supplementary measures were found insufficient against US surveillance under FISA Section 702.

Tobias Judin, Datatilsynet's Section Chief for International Affairs, stated: "Regarding Google Analytics use, a clear European consensus has emerged." He told Norwegian media: "The likelihood that Datatilsynet would reach a different conclusion is not very large. Therefore, there is no reason to wait for a final ruling."

Datatilsynet also noted that GA4 "will not necessarily correct those problems we have so far identified," citing the Danish DPA's parallel conclusion.

The final decision came on July 26, 2023. Because Telenor had already stopped using Google Analytics in January 2021, Datatilsynet issued a reprimand, not a fine. No Norwegian company has been fined for GA use. Sweden remains the only country that put a price tag on it.

The timing was remarkable. The EU-US Data Privacy Framework was adopted on July 10, 2023. Datatilsynet's final ruling came sixteen days later. In the same announcement, they declared that "what has been a major problem with Google Analytics appears to be resolved" under the DPF, while adding the caveat: "we do not rule out that there may be other privacy challenges with the tool."

There's a detail most articles miss. Because Norway is EEA, not EU, the DPF didn't apply there until the EEA Joint Committee formally adopted it (Decision 169/2024) on July 5, 2024, a full twelve months after the EU decision. During that gap, Norwegian companies transferring data to the US under the DPF had no legal basis. The DPF became effective for Norway on July 6, 2024.

The Grindr precedent and the tracking pixel crackdown

Datatilsynet's largest fine has nothing to do with analytics. It has everything to do with consent.

In January 2020, the Norwegian Consumer Council (Forbrukerrådet) and noyb filed a complaint against Grindr for sharing user data, including GPS location, IP addresses, age, gender, and the fact someone used a gay dating app, with advertising partners without valid consent. The critical legal finding: simply being identifiable as a Grindr user constitutes disclosure of sexual orientation, which is Article 9 special category data.

Datatilsynet fined Grindr NOK 65 million (~EUR 6.3 million) in December 2021. Grindr appealed. Three times. Lost every time. The Privacy Appeals Board upheld it in September 2023. Oslo District Court upheld it in July 2024. The Borgarting Court of Appeal upheld it in October 2025.

Line Coll stated: "Consent is a tool for giving users control over their own personal data. If users are not made able to understand what they are consented to, or if they are not granted real freedom of choice, the consents are illusory."

Then there's Disqus, the comment platform. Datatilsynet proposed a NOK 25 million fine in 2021 for tracking visitors to major Norwegian news sites (NRK, TV2) via its comment widget and sharing their data with parent company Zeta Global for ad profiling. Disqus didn't even know GDPR applied to Norway. They assumed it was EU-only. Norway is EEA, and GDPR is Norwegian law.

In June 2025, Datatilsynet sanctioned six websites for transmitting sensitive visitor data through tracking pixels without legal basis. The targets: a children's crisis helpline, an online pharmacy, a health information portal, a Bible distribution site, a medical booking service, and a support service for children with incarcerated parents. All six were sharing visitor data revealing health conditions, religious beliefs, or children's identities with third-party advertising platforms.

The children's helpline 116111.no received a NOK 250,000 fine. Its privacy policy had falsely claimed visitor data was "completely anonymized." The health portal NHI.no had a dark pattern banner: bright blue "Allow all cookies" button, while "Only necessary cookies" sat in low-contrast text on a plain white background.

In 2023, Datatilsynet used emergency powers to impose a temporary ban on Meta's behavioral advertising in Norway, backed by a NOK 1 million per day coercive fine. They then referred the matter to the EDPB, which extended the ban EU-wide. A 69-person authority in a country of 5.6 million forced a global advertising model change.

The Data Privacy Framework keeping GA4 alive

Google Analytics is technically legal in Norway right now. The Data Privacy Framework provides the legal basis for US data transfers. Google is DPF-certified. But Datatilsynet is not optimistic about how long this lasts.

On February 26, 2025, Datatilsynet published explicit guidance warning businesses about the DPF's fragility. The Trump administration dismissed most members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it with a single member. Datatilsynet considers PCLOB a key pillar of the adequacy decision.

Their recommendation to all Norwegian businesses: "The most important advice is to have an exit strategy" for a scenario where US transfers become restricted. They warn that if the DPF is revoked, "there will most likely not be a transition period."

In September 2025, the EU General Court upheld the DPF in the Latombe case. Datatilsynet acknowledged this as "good news" but cautioned that the ruling "assessed conditions from 2023" and does not address what has changed since. An appeal was filed with the CJEU in October 2025. The CJEU previously struck down Safe Harbor (2015) and Privacy Shield (2020).

If the DPF falls, Datatilsynet has already established the legal reasoning. The Telenor ruling found that Standard Contractual Clauses plus supplementary measures were insufficient for Google Analytics. Every Norwegian website using GA4 would face the same legal situation that existed in March 2023, except now with a clear precedent on the books.

What you lose when visitors click "Reject"

Even if GA4 stays legal, you still need a cookie banner. And a cookie banner on a Norwegian website means data loss.

A 2025 study from Aarhus University (CHI 2025, 254,148 websites across 31 countries) found that only 11% of Norwegian cookie banners are minimally compliant. That's the lowest of all Nordic countries. Sweden scored 14%, Denmark 17%, Finland 18%.

A Cookie Information compliance report from April 2024 found that 86% of Norwegian websites have compliance issues and 81% fire non-essential cookies before consent is obtained. Norway had the lowest cookie banner adoption rate among the 10 European countries studied.

This isn't just a compliance problem. It's a data accuracy problem. Datatilsynet's own Personvernundersøkelsen 2024 (national privacy survey, 1,519 respondents) found that 74% of Norwegians have avoided downloading an app, using a service, or making an online purchase due to uncertainty about data handling. Only 29% feel they have control over how their data is used. 67% are negative toward personalized ads based on their browsing activity.

Safari holds 48% of Norwegian mobile browser traffic with Intelligent Tracking Prevention limiting cookie lifetime. 31% of Norwegians use ad blockers. Opera, founded in Oslo, holds 18.5% of all Norwegian browser traffic, the highest domestic market share for any browser in its home country.

If Clickport tracks your Norwegian traffic, you see 100% of visitors. No consent needed for analytics, no scripts blocked, no data lost to rejection.

What's coming

The EU Digital Omnibus (proposed November 2025) would create a consent exemption for aggregated audience measurement under Article 88a(3)(c). The conditions: controller's own service, solely for internal use, aggregated data only, no third-party sharing, easy opt-out.

Google Analytics would not qualify. Data flows to Google's infrastructure, Google can reuse data across its ecosystem, and GA4 operates cross-customer infrastructure. Cookieless, privacy-first analytics would qualify, though they don't need the exemption to begin with since they already operate without consent.

For Norway, there's an additional delay. EU legislation reaches Norway through the EEA Joint Committee, then requires parliamentary adoption. The DPF took 12 months to reach Norway. The Omnibus, which modifies GDPR itself, will require Storting (parliament) action. Realistic timeline: if the EU adopts the Omnibus by late 2026, Norway could implement it by 2028 at the earliest. Norway's current strict E-Com Act rules will be in force for years before any Omnibus exemption arrives.

Datatilsynet is not waiting. Their 2026 theme is "digital sovereignty", noting that approximately 80% of Europe's digital services are supplied by foreign vendors. They are inspecting all 357 Norwegian municipalities in 2026 for data security. They have been designated to oversee behavioral marketing under the Digital Services Act. And 7 noyb cookie banner complaints from 2021-2022, targeting companies like Innovation Norway, Toyota Norge, and Live Nation Norway, remain pending with no decisions issued.

What this means for your Norwegian website

If you're using Google Analytics with a cookie banner: your US data transfers are covered by the DPF (for now), but you need valid cookie consent under ekomloven § 3-15. That means equal-prominence accept and reject buttons, no pre-loaded cookies, granular purpose selection, and easy withdrawal. Datatilsynet's April 2025 guidance is explicit. The June 2025 tracking pixel action shows they're enforcing it.

If your cookie banner isn't compliant: you're in the 86%. Only 11% of Norwegian banners are minimally compliant. Both Datatilsynet and Nkom can sanction. The NHI dark pattern case (blue accept, invisible reject) shows that design choices are enforcement targets.

If you want accurate data without the compliance risk: switch to analytics that don't touch the visitor's device. No cookies, no fingerprinting, no cross-site tracking means ekomloven § 3-15 does not apply. 100% of traffic visible. No banner needed for analytics. No dependency on the Data Privacy Framework. No enforcement risk from cookie-focused audits.

Norway pioneered global connectivity in 1973 and enacted one of the world's first privacy laws five years later. Its citizens have near-universal internet access, 4.6 million BankID enrollments, and deep skepticism toward how private companies handle their data. Cookie-based analytics show you the visitors who didn't think about the banner. The ones who did are invisible.

Start your free 30-day trial at clickport.io/register. No credit card required. See your real Norwegian traffic in under two minutes.

Frequently asked questions

Is Google Analytics legal in Norway?

Datatilsynet ruled in July 2023 that Telenor's use of Google Analytics violated GDPR Article 44 due to unlawful US data transfers. The EU-US Data Privacy Framework (adopted July 2023 for the EU, July 2024 for Norway) resolved the specific transfer issue. GA4 is currently legal if Google is DPF-certified and you have valid cookie consent under ekomloven § 3-15. But Datatilsynet warns the DPF may not survive its next court challenge.

Do Norwegian websites need a cookie banner?

Yes, if you use analytics cookies. Ekomloven § 3-15 (in force since January 1, 2025) requires explicit, active consent before any non-essential data is stored on or accessed from a visitor's device. The only exemptions are for communication transmission and services the user explicitly requested. Analytics cookies are not exempt. Cookieless analytics that don't store data on the visitor's device fall outside § 3-15 entirely.

What changed in Norway's cookie law in January 2025?

The old ekomloven § 2-7 b allowed browser settings to count as consent, the weakest standard in the EEA. The new § 3-15 requires full GDPR-grade consent: voluntary, specific, informed, unambiguous, active, documented, and easily revocable. Accept and reject must be equally prominent. No pre-ticked boxes. No cookie walls. Enforcement is shared between Datatilsynet and Nkom.

What is Datatilsynet?

Datatilsynet is Norway's Data Protection Authority. It has 69 employees, a budget of approximately EUR 7.5 million, and is headed by Director General Line Coll (since April 2022). It enforces GDPR in Norway through the EEA Agreement and the Norwegian Personal Data Act. It registered 4,736 cases in 2024 and its largest fine is NOK 65 million against Grindr.

Can I use cookieless analytics without consent in Norway?

Analytics tools that don't set cookies, don't fingerprint visitors, and don't track across sites avoid ekomloven § 3-15's consent trigger. The law applies to "storage of or access to information" on a user's device. If the tool also processes no personal data (anonymous aggregation only), the GDPR consent requirement doesn't apply either. This is why cookieless, privacy-first analytics operate without a consent banner in Norway.

Does GDPR apply in Norway?

Yes. Norway is not an EU member but is an EEA (European Economic Area) member. GDPR was incorporated into the EEA Agreement on July 6, 2018 and is implemented through Norway's Personal Data Act. Datatilsynet sits on the EDPB but without voting rights. For day-to-day compliance, including cookie consent, Norway is treated identically to EU member states.

What are the fines for cookie violations in Norway?

Datatilsynet can impose standard GDPR fines up to EUR 20 million or 4% of global turnover. Nkom can impose fines up to 5% of previous year's global revenue under the E-Com Act. The largest Norwegian GDPR fine to date is NOK 65 million against Grindr for sharing data without valid consent. For the 2025 tracking pixel enforcement, fines started at NOK 250,000 with an explicit warning that future penalties will be "much stricter."

What is the difference between Nkom and Datatilsynet?

Nkom (Norwegian Communications Authority) enforces the E-Com Act from the technical side: does a technology fall under § 3-15? Do exemptions apply? Datatilsynet enforces GDPR: is the consent valid? Is the data processing lawful? Both have sanctioning authority. A non-compliant cookie banner can trigger enforcement from either authority. In practice, Datatilsynet handles most analytics and tracking cases because they nearly always involve personal data.