
Cookie Consent and Analytics in Sweden: What Swedish Website Owners Need to Know in 2026

  1. The rules you're actually subject to
  2. IMY: first in Europe to fine for Google Analytics
  3. Google Analytics: fined, appealed, upheld
  4. Beyond Google Analytics: Meta Pixel and dark patterns
  5. What you actually lose when visitors click "Reject"
  6. Europe's unicorn factory vs its own privacy regulator
  7. What's coming: Digital Omnibus and the DPF's uncertain future
  8. What this means for your website
  9. Frequently asked questions

Seven EU countries declared Google Analytics illegal. Only one put a price tag on it. Sweden fined Tele2 SEK 12 million, fined CDON SEK 300,000, and ordered two more companies to stop. The Stockholm Court of Appeal upheld the fine in October 2025. Then IMY fined two pharmacies SEK 45 million for Meta Pixel transfers. If you use cookie-based tracking on a Swedish website, the enforcement precedent is not theoretical. It's case law.

Key Takeaways
  • Sweden is the only EU country that fined companies for using Google Analytics. IMY fined Tele2 SEK 12 million (~EUR 1M) and CDON SEK 300,000 in June 2023. The Stockholm Court of Appeal upheld the Tele2 fine in October 2025.
  • Sweden has zero consent exemptions for analytics cookies. Under LEK Chapter 9 Section 28, every analytics cookie requires prior opt-in consent. Unlike France (22 CNIL-approved tools), no exemption framework exists.
  • IMY has fined tracking tools over SEK 72 million total: Google Analytics (SEK 12.3M), Meta Pixel pharmacies (SEK 45M), Avanza Bank Meta Pixel (SEK 15M). In April 2025, three more companies were reprimanded for dark pattern cookie banners.
  • Only 14% of Swedish cookie banners are minimally compliant (CHI 2025 study). Combined with 41% ad blocker adoption and Safari's 22% browser share, cookie-based analytics on Swedish websites see roughly a third of actual traffic.
  • The EU Digital Omnibus (proposed November 2025) would create an analytics consent exemption for aggregated audience measurement. Google Analytics would not qualify. Cookieless, first-party analytics would.

The rules you're actually subject to

Cookie consent in Sweden is governed by two laws, enforced by two separate authorities.

The first is LEK (Lag 2022:482 om elektronisk kommunikation), Sweden's Electronic Communications Act. The cookie provisions are in Chapter 9, Section 28. Consent is required before any non-essential data is stored on or accessed from a visitor's device. Supervised by PTS (Post- och telestyrelsen, the Swedish Post and Telecom Authority).

The second is the GDPR, enforced by IMY (Integritetsskyddsmyndigheten, Sweden's Authority for Privacy Protection). Once cookies collect personal data, the processing needs a lawful basis under GDPR Article 6. If consent was invalid, the processing is unlawful.

The 2022 version of LEK explicitly aligned the consent standard with GDPR Article 4(11): freely given, specific, informed, and unambiguous. No ambiguity.

Only two exemptions exist. A cookie is exempt if its sole purpose is transmitting a communication over a network, or if it's necessary to provide a service the user explicitly requested. Session management, shopping carts, login state. That's it.

Analytics cookies are not exempt. PTS itself asks for consent for its own statistics cookie on pts.se. When the cookie enforcement authority asks permission for its own analytics, that tells you everything about the legal standard.

This is the same position as Denmark and Austria. Unlike France, where CNIL allows 22 tools to operate without a cookie banner under strict conditions, Sweden has no exemption framework, no approved list, and no carve-out for first-party analytics.

Sweden vs. France vs. Denmark: analytics consent

Sweden (LEK)
  • No consent exemption
  • No approved tools list
  • First to fine for GA use
  • Two enforcers: PTS + IMY

Denmark
  • No consent exemption
  • No approved tools list
  • Cannot issue fines directly
  • Two enforcers: DIGST + Datatilsynet

France (CNIL)
  • Formal consent exemption
  • 22 tools approved
  • No fine for GA (formal notice)
  • Single enforcer: CNIL

Cookieless analytics that don't store data on the visitor's device fall outside LEK Chapter 9 Section 28 entirely.

PTS has established concrete design requirements. Both "Accept" and "Reject" must be visible on the same layer. Pre-ticked boxes are prohibited. Continued browsing is not consent. "I understand" is not consent. Colors cannot emphasize acceptance over refusal. And withdrawing consent must be as easy as giving it.

In October 2022, PTS investigated four websites for the first time: Swedbank, Tele2, the Public Health Agency, and the Consumer Agency. None were compliant. Not the bank. Not the telecom. Not even the government agencies whose job is consumer protection.
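
One way to test a site against the prior-consent rule described in this section, as an added example (not code from this article, PTS or IMY): audit a HAR capture taken on a fresh browser profile before touching the banner, and list every cookie outside your own strictly-necessary list plus every third-party host contacted. The site host, the allowlist and the capture are constructed assumptions.

```javascript
// Added example. Audits a HAR capture recorded on a fresh browser profile
// BEFORE any banner interaction. HAR 1.2 exposes parsed cookies per entry
// as request.cookies / response.cookies (objects with name and value).

// Assumption: the site owner's own list of cookies classified as strictly
// necessary (session, cart, login state). These names are hypothetical.
const NECESSARY_COOKIES = new Set(["session_id", "cart"]);
const SITE_HOST = "shop.example"; // hypothetical site

// Constructed sample capture (not real traffic).
const capture = { log: { entries: [
  { request: { url: "https://shop.example/", cookies: [] },
    response: { cookies: [{ name: "session_id", value: "abc123" }] } },
  // A script-set cookie never appears as Set-Cookie; it shows up on the
  // next request to the same site instead.
  { request: { url: "https://shop.example/products",
               cookies: [{ name: "session_id", value: "abc123" },
                         { name: "_ga", value: "GA1.1.111.222" }] },
    response: { cookies: [] } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2", cookies: [] },
    response: { cookies: [] } },
  { request: { url: "https://static.shop.example/app.js", cookies: [] },
    response: { cookies: [] } },
] } };

// True when host is the site itself or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Returns cookies seen pre-consent that are not on the necessary list,
// and the third-party hosts the page contacted pre-consent.
function auditPreConsent(har, siteHost, necessary) {
  const seen = new Map();
  const thirdParty = new Set();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (!isFirstParty(host, siteHost)) thirdParty.add(host);
    const cookies = [
      ...(entry.request.cookies || []),
      ...(entry.response.cookies || []),
    ];
    for (const { name } of cookies) {
      if (necessary.has(name)) continue;
      seen.set(`${name}@${host}`, { name, host }); // de-duplicate per host
    }
  }
  return {
    cookies: [...seen.values()],
    thirdPartyHosts: [...thirdParty].sort(),
  };
}

const report = auditPreConsent(capture, SITE_HOST, NECESSARY_COOKIES);
console.log(JSON.stringify(report, null, 2));
```

A HAR shows cookies and network calls only; localStorage or other on-device storage written before consent needs a separate check in the browser.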

IMY: first in Europe to fine for Google Analytics

IMY has approximately 150 employees and a budget of SEK 220 million (~EUR 20 million). In 2024, they handled over 18,000 cases, initiated 421 supervisory matters, and imposed SEK 60.6 million in fines across 6 cases. In 2025, they received 12,276 data breach notifications, an 89% increase over 2024 and the highest since GDPR took effect.

Unlike Denmark, where Datatilsynet cannot issue fines directly (GDPR Recital 151 requires court prosecution), IMY issues administrative fines directly. No police referral. No court delay. When IMY decides, the fine is real.

IMY's largest GDPR fines
  • Spotify: SEK 58M. Failed to clearly inform users exercising data access rights.
  • Apoteket (pharmacy): SEK 37M. Meta Pixel transferred medication purchase data to Meta. 930,000 affected.
  • Trygg-Hansa (insurance): SEK 35M. URL change exposed 650,000 customers' health and financial data for 2 years.
  • Avanza Bank: SEK 15M. Meta Pixel sent securities holdings and loan amounts to Meta. Up to 1M customers.
  • Tele2 (Google Analytics): SEK 12M. First GA fine in Europe. Unlawful US data transfers. Court-upheld October 2025.
  • Apohem (pharmacy): SEK 8M. Meta Pixel transferred health data to Meta. 15,000 affected.
  • Klarna: SEK 7.5M. Inadequate privacy notice. Missing info on transfers, recipients, data subject rights.
Sources: IMY (GA fines), IMY (pharmacy fines), EDPB (Spotify)

Spotify. Klarna. Tele2. Apoteket. Avanza. Sweden's own unicorns and household names are not exempt. The same country that produces more tech companies per capita than almost anywhere on earth also fines them for privacy violations.

Google Analytics: fined, appealed, upheld

On June 30, 2023, IMY issued decisions against four companies for using Google Analytics. This was the first time any EU data protection authority imposed financial penalties for GA use. Austria, France, Italy, Denmark, Finland, and Norway had all found violations earlier. None fined.

Tele2 Sverige AB received the heaviest penalty: SEK 12 million (~EUR 1 million). Tele2 relied on Google Analytics' built-in IP anonymization, Standard Contractual Clauses, and Google's encryption and ISO 27001 certification. IMY found all of these insufficient: Google holds the encryption keys, US intelligence agencies can compel access under FISA Section 702, and it was unclear whether IP truncation even happened before data reached US servers.

CDON AB was fined SEK 300,000 (~EUR 25,000). Similar lack of supplementary measures.

Coop Sverige AB and Dagens Industri were ordered to stop using GA but received no fine. The difference: both had implemented server-side proxy servers that prevented visitors' IP addresses from reaching Google directly. Dagens Industri also hashed cookie identifiers with a salt. These measures showed good-faith effort, even though IMY still found them legally insufficient. The lesson: a proxy server is the difference between a million-euro fine and a compliance order.

IMY's legal advisor Sandra Arvidsson stated: "These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics."

noyb's Marco Blocher called it "a pleasant change compared to other DPAs simply holding that there has been a violation but creating no incentive to comply in the future."

First to fine: Sweden's Google Analytics enforcement timeline
  • Aug 2020: noyb files 101 complaints across 30 EU/EEA states, including 6 targeting Swedish companies.
  • Jan 2022: Austria rules first: GA illegal. No fine.
  • Feb 2022: France orders websites to stop using GA. No fine.
  • Jun 2022: Italy declares GA unlawful. 90-day compliance order. No fine.
  • Sep 2022: Denmark declares GA non-compliant. No fine (can't issue fines under constitution).
  • Jun 2023: Sweden fines Tele2 SEK 12M and CDON SEK 300K. First financial penalty in Europe for GA use.
  • Jul 2023: EU-US Data Privacy Framework adopted. 10 days after Sweden's fines. No retroactive effect.
  • Oct 2025: Stockholm Court of Appeal upholds the SEK 12M fine. The precedent is now case law.

The timing is remarkable. IMY published the fines on July 3, 2023. The European Commission adopted the EU-US Data Privacy Framework on July 10, 2023. Ten days later. The DPF had no retroactive effect. The fines stood. And in October 2025, the Stockholm Court of Appeal confirmed every krona, while acknowledging the DPF has since changed the legal landscape for future transfers.

Tele2 had already stopped using Google Analytics voluntarily before the decision. They were still fined for the period of violation. Stopping early does not erase past non-compliance.

Beyond Google Analytics: Meta Pixel and dark patterns

The GA fines were not an isolated event. IMY has been systematically targeting tracking tools.

In August 2024, IMY fined two Swedish pharmacy chains for Meta Pixel data transfers. Apoteket AB received SEK 37 million. Apohem AB received SEK 8 million. The Meta Pixel had been sending customers' medication purchases, STI testing kit orders, and health-condition-related browsing to Meta. Up to 930,000 people affected at Apoteket alone. IMY's legal advisor Shirin Daneshgari Nejad stated: "The companies were obligated to take appropriate measures to safeguard the data from, for example, being shared with unauthorized parties."

Avanza Bank was fined SEK 15 million in June 2024 for accidentally activating Meta Pixel features that transmitted customers' securities holdings, loan amounts, and account numbers to Meta. Up to 1 million customers affected over 18 months.

Then in April 2025, IMY reprimanded three companies for dark pattern cookie banners: ATG (green accept button, grey refuse link), Aller Media (pre-checked boxes, multi-step rejection), and Warner Music Sweden (misleading claim that "functionality may be impaired" if cookies rejected). IMY's legal counsel Michaela Prieto Ceric stated: "A cookie banner must provide clear information to the visitor and it should be equally easy to give consent as to later withdraw it."

The pattern
IMY is not targeting one tool. It's targeting the practice: Google Analytics (SEK 12.3M in fines), Meta Pixel (SEK 60M in fines), dark pattern cookie banners (reprimands in 2025). Total tracking-related enforcement: over SEK 72 million. If your website sends visitor data to a third party's servers, or if your cookie banner makes rejection harder than acceptance, IMY has established the precedent.

What you actually lose when visitors click "Reject"

Even with a perfect cookie banner, you lose most of your data.

A 2025 study from Aarhus University (CHI 2025, 254,148 websites across 31 countries) found that only 14% of Swedish cookie banners are minimally compliant. Only 49% of Swedish consent interfaces even offer a reject option. Accept buttons score 1.83 on visual prominence while reject buttons score 1.29. The banners are designed to get clicks, not informed consent.

Internetstiftelsen's 2024 report found that 1 in 4 Swedish internet users actively declines cookies, up 12 percentage points over the measurement period. And 83% accept terms of service without reading them. The people who click "Accept" are not making an informed choice. The people who click "Reject" are. Your analytics are seeing the uninformed segment and missing the deliberate one.

Sweden has 41% ad blocker adoption, the highest in the Nordics. Safari holds 22.1% of Swedish browser traffic (39% on mobile) with Intelligent Tracking Prevention blocking third-party cookies. Firefox holds 3.5% with Enhanced Tracking Protection.

If Clickport tracks your Swedish traffic, you see 100% of visitors. No consent needed for analytics, no scripts blocked, no data lost to rejection.

Your analytics blind spot in Sweden
Estimate how much of your Swedish traffic is invisible to cookie-based analytics.
  • Invisible visitors: 35,375
  • Visible to GA4: 14,625
You're making business decisions based on 29% of your actual traffic.
Sources: etracker 2025, SEO Sandwich, StatCounter Sweden

Europe's unicorn factory vs its own privacy regulator

Sweden, a country of 10 million, produces more tech unicorns per capita than any country outside the United States. Stockholm has the highest concentration of billion-dollar startups of any city outside Silicon Valley. Spotify, Klarna, King, Mojang, Skype. Sweden's R&D spending is 3.57% of GDP, the highest in Europe.

And 99.9% of Swedish adults use BankID, the national digital identity system. 7.6 billion authentications in 2024. Swedes voluntarily identify themselves online 240 times per second. This is a population that lives digitally.

That digital sophistication is precisely why cookie-based analytics fail here. These are not passive internet users. Most Swedes say GDPR made no meaningful difference to their sense of security online. Only 16% have ever exercised their GDPR rights. They're not looking at cookie banners and thinking about regulation. They're looking at them and thinking: I don't want to be tracked.

Key insight
Sweden passed the world's first data protection law in 1973 (Datalagen), 45 years before GDPR. It also built Spotify, Klarna, Minecraft, and Skype. Then its privacy regulator fined its own telecom company for using the world's most popular analytics tool. Sweden creates the tech and regulates it. That's the environment your website operates in.

There's a deeper Swedish paradox worth understanding. Sweden has had the Offentlighetsprincipen (principle of public access) since 1766: your neighbor's salary, tax returns, and court judgments are public record. Anyone can request them. But your website needs explicit consent before it can set a single analytics cookie. Sweden is simultaneously the most transparent country in the world and one of the strictest on digital tracking.

What's coming: Digital Omnibus and the DPF's uncertain future

Sweden's own Kommerskollegium (National Board of Trade) found GDPR is "often cited among the most burdensome EU regulations" for digital sectors, finding it has "hindered EU companies' productivity and thereby their competitiveness." Svenskt Näringsliv (Confederation of Swedish Enterprise) published "What's Still Wrong with GDPR?" calling for reform. IMY Director General Eric Leijonram called the Digital Omnibus "substantial GDPR modifications, larger alterations than we anticipated."

The Digital Omnibus (proposed November 2025) would create a consent exemption for aggregated audience measurement under a new Article 88a(3)(c). The conditions: controller's own service, solely for internal use, aggregated data only. Google Analytics would not qualify (data flows to Google's ecosystem). Cookieless, privacy-first analytics would. For a detailed analysis, see The EU Digital Omnibus Act and what it means for analytics.

The Data Privacy Framework's fragility
The PCLOB was gutted by the Trump administration in January 2025. The oversight board the DPF relies on can no longer function.
Philippe Latombe's appeal to the CJEU is pending. The same court struck down Safe Harbor and Privacy Shield.
Norway's Datatilsynet has warned businesses to prepare exit strategies. If the DPF falls, there would likely be no transition period.
Sweden has the EU's strongest GA enforcement precedent. If the DPF is invalidated, every Swedish website using GA4 faces the same legal situation as June 2023, with the Tele2 case law already on the books.

Until the Omnibus passes (realistically 2027-2028), Sweden's current rules remain in full force. Every analytics cookie requires consent. The fastest path to 100% visitor visibility without waiting for EU legislation: use analytics that don't store anything on the visitor's device.

What this means for your website

If you run a website serving Swedish visitors, here's your risk assessment.

If you're using Google Analytics with a cookie banner: Your US data transfers are covered by the DPF (for now), but you need valid cookie consent under LEK. That means equal-prominence accept and reject buttons, no pre-loaded cookies, granular purpose selection, and easy withdrawal. IMY fined Tele2 SEK 12 million and the court upheld it. The dark patterns crackdown (April 2025) targets exactly the banner designs that inflate consent rates.

If your cookie banner isn't compliant: You're in the 86%. Only 14% of Swedish banners are minimally compliant. IMY and PTS are both enforcing. A non-compliant banner can trigger action from either authority: PTS for LEK violations, IMY for GDPR violations. The Aller Media and ATG cases show IMY will act on dark patterns.

If you want accurate data without the compliance risk: Switch to analytics that don't touch the visitor's device. No cookies, no fingerprinting, no cross-site tracking means LEK Chapter 9 Section 28 does not apply. 100% of traffic visible. No banner needed for analytics. No dependency on the Data Privacy Framework. No enforcement risk from cookie-focused audits.

Cookie-based vs. cookieless analytics under Swedish law

Cookie-based analytics
  • Requires consent banner (LEK Ch. 9 Sec. 28)
  • 55%+ of visitors invisible after rejection
  • Ad blockers block GA: ~41%
  • Court-confirmed fine precedent (Tele2)
  • DPF dependency for US data transfers

Cookieless analytics
  • No consent banner needed for analytics
  • 100% of visitors visible
  • First-party, not on major blocklists
  • No cookies, no fingerprinting, no cross-site tracking
  • EU-hosted, no US transfer risk

Cookieless analytics avoid LEK's consent trigger because they don't set cookies, don't fingerprint visitors, and don't track across sites. The Digital Omnibus would formally enshrine this exemption across all 27 EU member states.

Sweden ranks number one in Europe on the Innovation Scoreboard. Its citizens use BankID 7.6 billion times a year and barely carry cash. These are people who live online and know what tracking means. Cookie-based analytics show you the visitors who didn't think about the banner. The ones who did are invisible.

Start your free 30-day trial at clickport.io/register. No credit card required. See your real Swedish traffic in under two minutes.

Frequently asked questions

IMY fined four companies for using Google Analytics in June 2023: Tele2 (SEK 12M) and CDON (SEK 300K) received fines, while Coop and Dagens Industri were ordered to stop. The Stockholm Court of Appeal upheld the Tele2 fine in October 2025. The EU-US Data Privacy Framework (July 2023) resolved the specific transfer issue, but you still need valid cookie consent under LEK and compliance with all other GDPR requirements. IMY has not issued post-DPF guidance on GA4.

How much was Sweden's Google Analytics fine?

Tele2 was fined SEK 12 million (~EUR 1 million) and CDON was fined SEK 300,000 (~EUR 25,000). Coop and Dagens Industri were ordered to stop using GA but received no fine because they had implemented server-side proxy servers as supplementary measures. Total GA-related fines: SEK 12.3 million. The Tele2 fine was upheld by the Stockholm Court of Appeal in October 2025.

Yes. LEK Chapter 9 Section 28 requires consent for all non-essential cookies, including analytics. Sweden has no consent exemption for analytics (unlike France's 22 CNIL-approved tools). PTS itself asks for consent for its own statistics cookie. Cookieless analytics that don't store data on the visitor's device fall outside LEK's scope.

Both, with different jurisdictions. PTS enforces LEK (the ePrivacy cookie rule): was consent obtained before cookies were placed? Was information adequate? IMY enforces GDPR: does the data processing have a valid legal basis? Is the consent valid under GDPR standards? A non-compliant cookie banner can trigger enforcement from either authority.

Analytics tools that don't set cookies, don't fingerprint visitors, and don't track across sites avoid LEK Chapter 9 Section 28's consent trigger. The law applies to "storage of or access to information on terminal equipment." If the tool also processes no personal data (anonymous aggregation only), the GDPR consent requirement doesn't apply either. This is why cookieless, privacy-first analytics can operate without a consent banner in Sweden.

The DPF (adopted July 2023) resolved the specific US data transfer issue from IMY's June 2023 rulings. Google is DPF-certified. But you still need valid cookie consent under LEK, a data processing agreement with Google, and compliance with all GDPR requirements. IMY has issued no post-DPF guidance on GA4. And the DPF's durability is uncertain: the PCLOB has been gutted, and the framework is being challenged at the CJEU. If it falls, Sweden has the strongest enforcement precedent in the EU.

David Karpik

Founder of Clickport Analytics
Building privacy-focused analytics for website owners who respect their visitors.
