Cookie consent: Norway’s regulator elaborates on ambiguity

The requirement for consenting to non-essential cookies in Norway has been unclear, and the Norwegian Communications Authority (Nkom)'s 27 November 2019 update of its guidelines did not help much. Nkom stands by its uniquely Norwegian view that a browser's pre-setting represents consent, while it encourages the selection of active consent for the processing of personal data, "to be on the safe side".

By lawyer Kristian Foss and associate Anders Christie

Based on the EU Court's recent judgment in the "Planet 49" case regarding active consent requirements in other countries and under GDPR - a case Nkom specifically refers to - this conclusion is surprising. In its judgment, the European Court of Justice finds an active consent to be required, based on the same ePrivacy directive that applies to the Norwegian Electronic Communications Act. The judgment indicates that the consent requirement under GDPR and under the Electronic Communications Act are the same.

Nkom recommends an active consent procedure

• when it is difficult to establish whether the data processing is also regulated by GDPR
• for web pages addressing other European countries

The advice from Nkom, which manages the Electronic Communications Act and its "cookie rule" in section 2-7b, should also be evaluated on the basis of the ePrivacy Directive, which has been negotiated at length but is not yet approved. The regulation, which will replace the current cookie rule in the Electronic Communications Act, references the GDPR's definition of consent, which requires active user consent.

The question remains: Can you still let a browser setting give the consent?

Nkom's guidelines are more clear in regards to cookie information, recommending that it be made available through specific links on the web site.

The lack of clarity in Nkom's guidelines will probably be well received by many web page owners. There certainly is tension between a stricter requirement for consent and parts of the current Internet economy. Stricter requirements may result in fewer consents and thus less data collection. Many web pages are financed through the data they collect from cookies and other tracking technology. So, an absolute consent requirement may affect and even contribute to the demise of some of today's business models.

What should you do?

What should you do while waiting for the final ePrivacy Regulation to enter into force and eliminate your doubts?

If your business is not dependent on cookie-based data capture, implement a good consent tool to be on the safe side. This also reduces reputational risk.

If your business model is based on data capture through the use of cookies, assess whether anonymous data may serve your purposes.

If anonymous data are inadequate, fine tune your guidelines, present good information and try to skip consent if you feel you are on sturdy ground. If you are not, you can attempt to explain to the users why they should provide consent - and keep your fingers crossed. At the same time, you may wish to review your business model to make appropriate adjustments.

You may read Nkom's 27 November 2019 guidelines here (sorry, in Norwegian).

If you have any questions at all, feel free to contact us.

Kristian Foss | kf@bull.no | +47 97 06 26 55