Consentify Blog

GDPR Cookie Consent for Norwegian Websites: Complete 2026 Guide

TL;DR Since January 2025, Norway's updated Ekomloven requires all websites using non-essential cookies to collect GDPR-standard consent. Datatilsynet has already audited Norwegian sites and issued a 250,000 NOK fine. This guide explains what changed, what valid consent looks like, and how to set it up correctly.

GDPR Cookie Consent for Norwegian Websites: Complete Guide 2026

Since January 1, 2025, stricter cookie rules apply to all Norwegian websites. The updated Electronic Communications Act (Ekomloven) closed the grey areas and aligned Norwegian law with EU standards. If your Norwegian website uses Google Analytics, Meta Pixel, or any other tracking tool without a valid consent banner that actually blocks them, you're breaking the law.

This guide explains what changed, what Norway's Data Protection Authority (Datatilsynet) actually looks for, and what you need to do to be compliant.

What Are the New Norwegian Cookie Rules?

The new rules came through Ekomloven § 3-15, which took effect January 1, 2025. The law says that using cookies and similar tracking technologies requires prior consent that meets GDPR standards. Passive consent is out. Pre-ticked boxes are out. A user continuing to browse your site does not count as valid consent.

Datatilsynet describes the change this way: Norwegian internet users now have the same protection against tracking as EU citizens. That means all four conditions for valid GDPR consent must be met: it must be freely given, specific, informed, and unambiguous.

Who Enforces the Rules in Norway?

Two authorities share responsibility. Nkom (Norwegian Communications Authority) assesses whether a technical solution falls under Ekomloven and whether any exemptions apply. Datatilsynet handles whether the consent itself meets GDPR requirements.

In practice, most websites using tracking tools are subject to both authorities. Nkom looks at the technical implementation. Datatilsynet looks at whether consent was collected correctly.

Has Datatilsynet Actually Started Enforcing?

Yes. In June 2025, Datatilsynet audited six Norwegian websites using tracking pixels. All six were sharing visitors' personal data with third parties without a legal basis. Kristiansand municipality received a fine of 250,000 NOK. The other five received formal reprimands.

The audited sites included a municipal child welfare service, a medical consultation site, a religious site, and a health information site. Findings included dark patterns nudging users toward consent, misleading information, and sensitive data about health, religion, and children being shared illegally with third parties. Datatilsynet was direct: future reactions may be significantly stricter.

What Counts as Non-Essential Cookies?

Non-essential cookies are anything not strictly required for your site to function. You need consent before these run:

  • Google Analytics 4
  • Meta Pixel (Facebook)
  • Google Ads conversion tracking
  • TikTok Pixel, LinkedIn Insight Tag, Snapchat Pixel
  • Hotjar, Clarity, and other behavioral analytics tools
  • Intercom, Crisp, and other live chat tools that track visitors

Exemptions are strictly necessary cookies: login sessions, shopping cart, security tokens. Ekomloven is technology-neutral and applies regardless of whether personal data is processed, which means the consent requirement is broad.

What Makes a Valid Consent Under Norwegian Law?

A valid consent under Ekomloven and GDPR must meet four conditions. It must be freely given, specific, informed, and unambiguous. Datatilsynet's guidance from April 2025 explains what this means in practice:

  • Freely given: It must be just as easy to say no as to say yes. The decline option must have the same visual prominence as the accept option.
  • Specific: Users must be able to consent to one category without accepting all. Analytics and marketing are separate categories.
  • Informed: The banner must explain what data is collected, the purpose, and who receives it.
  • Unambiguous: An active action is required. Continuing to browse doesn't count. Pre-ticked boxes don't count.

A large "Accept all" button with a small grey text link for "Decline" is a dark pattern. Datatilsynet used the word "nudging" in their June 2025 audit report to describe exactly this practice.

The Most Common Mistake Norwegian Websites Make

Most Norwegian websites that think they're compliant aren't. The most common pattern: the site has a banner that displays, but tracking scripts like Google Analytics and Meta Pixel load underneath it while the banner is shown. The user hasn't said yes. The tracking tools run anyway.

This isn't compliant, no matter how professional the banner looks. You can check whether tracking tools are actually blocked on your site with Consentify's free scanner. It shows you exactly what's running and which cookies are being set, so you know exactly what needs to be fixed.

How to Set Up a Compliant Consent Banner for a Norwegian Website

Step 1: Map What Your Site Uses

Before you set anything up, do you know which tracking tools your site actually runs? Many get added during development and forgotten. Use the domain scanner to get a full list.

Step 2: Create a Consentify Account

Sign up at consentify.app. The free plan covers one domain with no watermark and no time limit. Add your domain in the dashboard and configure your integrations, the tracking tools your site uses.

Step 3: Design a Compliant Banner

Use the visual editor to build your banner. Make sure the "Decline" option is as visible as "Accept all". The banner supports Norwegian language and lets you adjust text, colors, and position without writing code.

Step 4: Paste One Line of Code

Copy the script tag from your domain settings and paste it just before the </head> closing tag on your site. For Webflow, use Custom Code in project settings. For WordPress, add it to the theme header or via a plugin. For a complete walkthrough, see the setup guide.

Step 5: Add a Revoke Option

Norwegian users have the right to change their consent at any time. Add a button or link in your footer with the element ID revoke-consent-btn. Consentify attaches the consent panel to it automatically. Without this, your setup is legally incomplete.

What About Norwegian Websites Not Targeting the EU?

Ekomloven applies to all Norwegian websites regardless of whether they target EU citizens. It's enough that the site uses cookies and similar technologies on devices in Norway. GDPR additionally applies to anyone processing personal data about EU citizens. A Norwegian website with Norwegian visitors is subject to Ekomloven. A Norwegian website with European visitors is subject to both.

Do You Need a Separate Banner for Each Website?

Yes, each domain needs its own configuration. But you don't need separate accounts to manage them. With Consentify, you can manage consent banners for all client sites from one dashboard. Paid plans start at 39 NOK per month and cover up to three domains. The Agency plan covers up to 30 domains with white-label options, which is well suited to Norwegian agencies handling compliance on behalf of clients.

Ready to get started? Try Consentify free — one domain, no watermark, no time limit.

Start your cookie banner for free

Get your own customizable, GDPR-ready banner in minutes with Consentify.

Get Started Free

Frequently asked questions

Do the new cookie rules apply to all Norwegian websites?

Yes. Ekomloven § 3-15 applies to all Norwegian websites that use cookies or similar technologies that aren't strictly necessary for the site to function. It doesn't matter whether the site targets Norwegian or European users. The only exemption is for sites that exclusively use strictly necessary cookies.

What happens if my Norwegian website doesn't comply with the new cookie rules?

Datatilsynet and Nkom both have enforcement authority. In June 2025, Datatilsynet audited six Norwegian websites and issued a fine of 250,000 NOK to Kristiansand municipality. The authority warned that future enforcement actions may be significantly stricter. GDPR also allows fines of up to 20 million euros or 4 percent of global turnover for serious violations.

Is it enough to display a consent banner without blocking the tracking scripts?

No. A banner that displays while Google Analytics and Meta Pixel run in the background is not compliant. Tracking scripts must be technically blocked until the user actively gives consent. The technical blocking is the core of compliance, not the banner appearing on screen.

What is the difference between GDPR and Ekomloven for Norwegian websites?

GDPR regulates the processing of personal data and applies to Norwegian businesses via the Personal Data Act. Ekomloven § 3-15 specifically regulates the storage of and access to information on the user's device, and applies regardless of whether personal data is processed. Since January 2025, Ekomloven requires that consent for cookies meets GDPR standards. In practice, both frameworks apply to most websites using tracking tools.

How long is a consent valid under Norwegian law?

Neither Ekomloven nor GDPR specifies an exact duration, but Datatilsynet recommends requesting new consent after 12 months. You should also request new consent when you change which tracking tools you use, since consent is specific to the purposes the user originally agreed to.

Written by Consentify
Helping you stay GDPR compliant, one banner at a time.