Introduction
Over the past week, several important developments have emerged in the European privacy and compliance landscape. Norway’s forthcoming cookie rules, Austria’s directives on cookie banner design, increased scrutiny of Google Tag Manager, and Denmark’s guidance on data ethics all highlight a common theme: explicit, informed user consent is now a non-negotiable cornerstone of compliant data collection. Together, these updates illustrate how regulators and authorities are pushing businesses to handle user data more transparently, responsibly, and ethically—without resorting to manipulative design tactics. For organizations, this means paying close attention to evolving standards, ensuring third-party services comply with the law, and prioritizing user trust at every step.
Norway’s New Cookie Rules Set for 2025
From January 1, 2025, Norway’s new cookie regulations will mandate that all non-essential cookies and similar tracking tools (e.g., pixels, beacons) remain disabled until users give explicit, informed consent. This rule aligns with the GDPR and the ePrivacy Directive, effectively banning “dark patterns” or other interfaces that pressure users into accepting tracking by default. Organizations must also ensure that users can easily withdraw consent, fostering a clear and balanced exchange of information rather than one-sided data capture.
Source: Norway’s New Cookie Rules (LinkedIn)
Google Tag Manager Under Scrutiny
Recent findings show that Google Tag Manager (GTM) may facilitate data collection before users have granted consent, including so-called “cookieless pings” that still transfer identifiable information. As regulators reinforce the principle that non-essential tracking must wait for user approval, organizations relying on GTM need to review their configurations. Ensuring that no third-party tags are triggered prematurely is essential to comply with both GDPR and ePrivacy requirements. First-party consent solutions are worth considering, as they can help maintain compliant data flows and protect user privacy.
Source: Google Tag Manager Privacy Concerns (LinkedIn)
Austrian DPA Ruling on Cookie Banners
The Austrian Data Protection Authority’s decision emphasizes that all cookie banner options must be presented equally, without visual bias. “Accept All,” “Reject All,” and “Only Necessary” choices should be equally prominent in terms of size, color, contrast, and placement. Analytical and advertising cookies can only be placed after explicit user consent, and economic justifications cannot bypass this requirement. This ruling highlights the growing regulatory intolerance for banners designed to push users toward more invasive data collection.
Source: Austrian DPA Decision (LinkedIn)
Denmark’s Guide on Data Ethics and Third-Party Services
Denmark’s Agency of Digital Government has issued guidance underlining that strict legal compliance is just the start; organizations must also uphold high ethical standards in their data handling practices. This includes mapping out third-party service ecosystems, reassessing the necessity of external trackers, and embracing first-party alternatives where possible. By meeting these ethical benchmarks, organizations can improve user trust, differentiate themselves from competitors, and create a privacy-first culture that goes beyond mere regulatory obligations.
Source: Danish Guide on Data Ethics (LinkedIn)
Unified Summary
Collectively, these updates from Norway, Austria, Denmark, and the scrutiny around Google Tag Manager send a clear and cohesive message to organizations operating online:
- Informed Consent Before Tracking: Non-essential cookies, tags, and other tracking technologies must remain inactive until users clearly understand and voluntarily agree to their use.
- No Manipulative Design: Consent interfaces should be free from “dark patterns” or visual biases that nudge users toward acceptance.
- Responsible Third-Party Management: Businesses must monitor and control their third-party tools to prevent any unapproved data flows.
- Ethical and Transparent Data Handling: Beyond meeting the bare legal minimum, companies are encouraged to embed data ethics into their operations, use first-party solutions where feasible, and ensure trustworthy data relationships with users.
In essence, these developments challenge organizations to prioritize user autonomy and trust. Businesses that adapt to these evolving standards will not only remain compliant but also strengthen their reputations as responsible stewards of user data.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io