As of January 1, 2025, businesses operating in Norway face new compliance challenges that demand immediate action to avoid penalties and safeguard user trust. The updated Norwegian E-Com Act (§3-15) introduces new rules governing the use of cookies and tracking technologies. This law aligns Norway with ePrivacy Directive (ePD) Article 5(3), the UK Privacy and Electronic Communications Regulations (PERC), and the EU / UK GDPR, emphasizing stricter standards for obtaining explicit consent.
The changes affect businesses of all sizes, whether relying on first-party analytics, third-party Consent as a Service (CaaS) platforms, or tools like Google Tag Manager (GTM). Here’s what you need to know to comply with the law and safeguard user trust.
I have written this detailed guide on the Norwegian E-Com Act to address the apparent misunderstandings being promoted by some third-party Consent Management Platforms. Many of these platforms falsely claim compliance with the law, even though their design inherently prevents it. Additionally, the notion that consent can be collected based on "categories" is incorrect: this approach does not meet the explicit consent requirements in Norway, the EU, or the UK.
Although the UK has exited the EU, its UK GDPR and PERC regulations remain aligned with the EU GDPR and ePD, ensuring consistent consent requirements.
This guide not only explains how to comply with the Norwegian E-Com Act and safeguard user trust but also clears up widespread misconceptions, especially regarding third-party Consent Management Platforms and their claims of compliance.
Understanding Consent Under the Norwegian E-Com Act
As stated in §3-15 of the E-Com Act, explicit consent is mandatory before storing or accessing any information in users’ terminal equipment, except for strictly necessary purposes. This aligns with ePrivacy Directive (ePD) Article 5(3) and the UK Privacy and Electronic Communications Regulations (PERC), and builds on the consent requirements set forth in Article 7 of both the GDPR and the UK GDPR.
What Does "Explicit Consent" Mean?
To be valid, consent must be:
- Freely Given: Users must have real choice without coercion.
- Specific: Consent must be purpose-limited, not bundled or broad.
- Informed: Users must understand what they are agreeing to, with clear explanations in plain language.
- Unambiguous: Opt-in requires affirmative action (e.g., clicking “Accept”), not inferred through pre-ticked boxes or user behavior (e.g., scrolling).
Unlike implied consent models, explicit consent ensures users are fully aware of how their data will be accessed or processed before any action is taken.
Are Consent Categories Required?
The 2025 Norwegian E-Com Act does not explicitly mandate the use of categories like "functional," "analytics," or "marketing" for consent. However, such categories are sometimes recommended as a best practice to simplify user choices.
That said, grouping purposes into broad categories raises significant concerns about compliance with explicit consent requirements. Explicit consent, as defined by the Norwegian E-Com Act (§3-15), ePrivacy Directive (ePD) Article 5(3), GDPR, UK Privacy and Electronic Communications Regulations (PERC), and UK GDPR, requires users to be fully informed about the specific purposes of data processing.
The absence of categories in the legislation reflects a clear intent: consent must be obtained for specific, individual purposes, not vague groupings. Using categories like 'analytics' or 'marketing' risks obscuring the specific processing activities and violates the principle of explicit, informed consent.
Why Categories Fall Short
- Lack of Specificity: When purposes are grouped into categories, users may not be fully aware of the individual processing activities within each group. For example, "analytics" could encompass vastly different purposes, such as tracking user behavior for performance improvements versus profiling users for targeted ads.
- Inadequate Transparency: Grouping can obscure the details of each processing purpose, potentially misleading users or preventing them from making informed decisions.
- Explicit Consent Requires Clarity: Consent must be purpose-specific. Listing each purpose individually (e.g., "We use cookies to measure site performance" or "We use cookies for targeted advertising") provides the clarity required to meet the standard of explicit consent.
Legal Implications
The law requires clear disclosure of each purpose for data processing, and users must actively opt-in for every purpose. Using categories could lead to non-compliance if users cannot understand or opt in to individual purposes within those categories.
Best Practice for Compliance
Unlike direct purpose-specific options, grouping purposes into categories like ‘analytics’ or ‘marketing’ often lacks transparency. Users may consent to the category without understanding the individual purposes included, which undermines the core principle of explicit consent.
While categories can be a useful way to organize purposes for simplicity, businesses must:
- Clearly explain each individual purpose within a category.
- Allow users to opt in to or reject individual purposes, not just entire categories.
- Avoid broad or vague labels (e.g., "marketing") without detailed descriptions of what data will be processed and why.
Transparency is not just a legal requirement; it’s a user expectation. Clear, straightforward communication about data processing builds trust and simplifies compliance. Transparency also requires providing users with granular control over each specific purpose for data collection or processing. Businesses must avoid vague language, overly broad categories, or coercive design practices that obscure the user’s ability to make informed, specific choices.
For explicit consent to be valid, businesses should implement user-friendly interfaces that allow users to toggle specific purposes individually. These interfaces should avoid dark patterns and prioritize clarity.
Strictly Necessary Purposes
§3-15 explicitly permits storage or access without consent only when 'strictly necessary' to deliver a service requested by the user, consistent with Article 5(3) of the ePrivacy Directive and UK PERC. This means that data storage or access on a user’s terminal equipment can occur without consent if it is strictly necessary to:
- Deliver a service explicitly requested by the user.
- Enable essential functionality required for the user to navigate or interact with the website.
- Facilitate the operation of a compliant first-party consent management platform designed solely to manage user consent preferences.
- Carry out a communication that cannot be achieved in other ways (PERC).
Examples of Strictly Necessary Purposes Include:
- Session Cookies: To maintain a shopping cart or user login during a browsing session.
- Security Functions: Such as cookies to prevent fraud or ensure website integrity.
- Core Functionalities: Enabling access to essential services, such as loading the site’s core content or managing consent.
However, third-party Consent as a Service (CaaS) platforms do not fall under strictly necessary purposes unless they are implemented as part of a compliant, first-party solution designed solely to facilitate the user’s explicit consent preferences. The mere presence of third-party tools or scripts pre-consent constitutes a violation of §3-15.
To ensure compliance, businesses must limit pre-consent data processing to only what is strictly necessary and provide clear explanations of these exceptions in their privacy notices.
The Role of Analytics, GTM, and Third-Party CMPs
First-Party Analytics Tools
Even first-party analytics tools (e.g., Matomo) fall under the requirements of E-Com Act (§3-15), ePD Article 5(3), and UK PERC. These laws govern access to terminal equipment, meaning explicit consent is required before activating any tracking technology, even if it’s first-party and designed to be GDPR-compliant.
Without explicit consent handling, first-party analytics tools cannot comply with the law, regardless of their privacy-centric design.
Google Tag Manager (GTM) and Consent Mode 2.0
Google Tag Manager and its Consent Mode 2.0 feature allow for limited data anonymization but still send "pings" and IP addresses to Google servers before user consent. These actions, regardless of anonymization, constitute terminal equipment access, which requires explicit consent under E-Com Act (§3-15), ePD Article 5(3), and UK PERC.
Under these frameworks, any pre-consent data transfer, such as the initiation of scripts or data sent to external servers, violates the explicit consent requirement unless users opt in beforehand. Like all third-party tools, Google Tag Manager cannot fall under the strictly necessary exemption unless it is integrated into a first-party consent management platform that fully blocks scripts pre-consent.
Businesses relying on GTM should consider alternative tools or ensure GTM scripts are fully blocked pre-consent, using compliant consent management solutions that integrate seamlessly with GTM while adhering to the E-Com Act.
Third-Party Consent as a Service (CaaS) Platforms
Third-party Consent as a Service (CaaS) platforms that load tracking technologies or establish server connections as part of their initialization process, before user consent is explicitly obtained, are inherently non-compliant: they cannot comply with §3-15, ePrivacy Directive (ePD) Article 5(3), or UK PERC. These platforms access users’ terminal equipment without prior explicit consent, which violates the foundational principles of these legal frameworks.
Why Third-Party CaaS Platforms Are Inherently Non-Compliant
- Unauthorized Terminal Access: Third-party CaaS solutions access the user’s terminal equipment (e.g., by reading or writing cookies or other tracking technologies) to load scripts, track interactions, or establish external connections before the user provides explicit consent. This breaches the explicit consent requirement under all three legal frameworks.
- Pre-Consent Data Transfers: These platforms transmit data (e.g., IP addresses) to their own servers during initialization, even before users have opted in. Such transfers constitute unauthorized processing of personal data.
- External Data Processing: As external processors, these platforms cannot process any data or initiate tracking activities without a lawful basis, which explicit consent provides.
Even when configured to minimize data processing, third-party CaaS platforms introduce additional risks, such as data being transmitted to external servers during initialization. These risks further emphasize the need for self-hosted, first-party solutions.
Implications for Businesses
Businesses relying on third-party CaaS platforms must understand that:
- Any terminal access requires explicit consent: The act of accessing a user’s device, even to initialize a consent mechanism, cannot occur without prior consent.
- Fundamental non-compliance: Third-party platforms cannot block their own scripts or prevent terminal access during their operation, making them inherently non-compliant with the updated laws.
For third-party tools like consent management platforms to comply, they must be configured as strictly necessary components of a first-party consent solution. Without this integration, their pre-consent operations breach the requirements of §3-15.
Industries like eCommerce, digital advertising, and SaaS are particularly impacted by these changes due to their reliance on tracking technologies. Tailored compliance strategies are essential for these sectors.
Compliance Recommendations
To align with the Norwegian E-Com Act and related regulations:
- Replace third-party CaaS platforms with self-hosted, first-party CMPs that ensure no terminal access, data transfers, or script execution occurs pre-consent.
- Conduct regular audits, using a privacy scanner that inspects your website before consent is given, to verify that all scripts, first-party or third-party, are blocked until explicit consent is obtained.
- Prioritize solutions designed to comply with the E-Com Act, ensuring transparency, granular consent, and full user control.
The law is unambiguous: consent must come first, and no terminal access or data processing can occur without explicit, informed user agreement.
How to Ensure Compliance
To comply with the updated Norwegian E-Com Act (§3-15), ePrivacy Directive (ePD) Article 5(3), and UK PERC, businesses must implement privacy-first practices that align with the strictest consent standards. Key steps include:
- Block All Scripts Pre-Consent: CMPs must prevent both first- and third-party scripts (e.g., analytics, GTM) from loading until explicit consent is given.
- Use Transparent Consent Mechanisms: Provide clear, granular consent options for specific purposes or categories like marketing, analytics, and functional cookies.
- Replace Non-Compliant Tools: Transition away from third-party Consent Management platforms that load scripts or transfer data pre-consent. Self-hosted first-party consent management solutions are preferred.
- Audit and Monitor: Use tools like privacy scanners to test and verify that all first-party and third-party scripts are blocked until explicit consent is obtained. Ensure your CMP is configured to prevent any pre-consent data transfer, even for tools like GTM.
Ensure all vendors and tools integrated into your website are compliant with the E-Com Act. Businesses remain legally responsible for any non-compliance by third-party tools or platforms.
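The steps above, as an added example that is not code from this article or from AesirX: a minimal first-party consent gate in which every deferred script is registered under one specific, individually described purpose (no category labels), nothing is released until that purpose is affirmatively granted, and an audit helper flags pre-consent requests that left the first-party host. The names PURPOSES, ConsentGate and auditPreConsentRequests, and the hosts and URLs used, are constructed for the example.

```javascript
// Added example (not from the article or AesirX). Hypothetical names:
// PURPOSES, ConsentGate, auditPreConsentRequests; hosts are constructed.

// Each purpose is described individually, as the article argues §3-15
// requires; the user sees the purpose text, never a label like "analytics".
const PURPOSES = {
  "site-performance": "We use cookies to measure site performance",
  "targeted-ads": "We use cookies for targeted advertising",
};

class ConsentGate {
  constructor(firstPartyHost) {
    this.firstPartyHost = firstPartyHost;
    this.granted = new Set(); // purposes the user has affirmatively accepted
    this.pending = [];        // scripts held back until their purpose is granted
  }
  // Register a script under exactly one purpose. It is NOT loaded here.
  register(src, purpose) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    this.pending.push({ src, purpose });
  }
  // Call only from an explicit affirmative action (a click on an unchecked
  // toggle); never from a default-on state or inferred behaviour like scrolling.
  grant(purpose) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    this.granted.add(purpose);
    return this.release();
  }
  // Withdrawal is as simple as granting; already-loaded scripts must not be
  // re-released if the purpose is granted again later.
  withdraw(purpose) {
    this.granted.delete(purpose);
  }
  // Return the script URLs now allowed to load (in a browser, create the
  // <script> elements for these). Everything else stays in `pending`.
  release() {
    const allowed = this.pending.filter((s) => this.granted.has(s.purpose));
    this.pending = this.pending.filter((s) => !this.granted.has(s.purpose));
    return allowed.map((s) => s.src);
  }
}

// Pre-consent audit: given request URLs observed before any consent was given
// (e.g. from a privacy scanner's log), return those that reached a host other
// than the first-party one. Under §3-15 this list should be empty.
function auditPreConsentRequests(firstPartyHost, observedUrls) {
  return observedUrls.filter((u) => new URL(u).hostname !== firstPartyHost);
}
```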
Why Compliance Matters
The Norwegian E-Com Act is part of a global trend toward stricter privacy regulations, ensuring that users have greater control over their personal data. Non-compliance risks include:
- Fines: Regulatory authorities like Datatilsynet and Nkom can impose significant penalties.
- Reputational Damage: Beyond avoiding penalties, embracing privacy-first practices fosters user trust and sets your business apart in an increasingly privacy-conscious market.
- Legal Liability: Ignorance of the law is not an excuse, and businesses are held accountable for vendor compliance.
Whether using first-party analytics, Google Tag Manager, or third-party consent platforms, the message is clear: consent must come first.
Are You Ready for 2025?
The Norwegian E-Com Act (§3-15) sets a new standard for privacy, aligning with ePrivacy Directive (ePD) Article 5(3) and UK PERC. It mandates explicit consent for any access to or processing of data on users’ terminal equipment, except for strictly necessary purposes.
Compliance is not optional. Businesses that fail to align with the E-Com Act risk severe penalties and loss of user trust. The Act challenges businesses to rethink their use of first-party analytics, Google Tag Manager, and third-party Consent as a Service (CaaS) platforms: tools and practices that fail to block scripts or data transfers pre-consent inherently violate the updated regulations.
This Act underscores a global shift toward stricter privacy enforcement, emphasizing user control and transparency. Businesses must embrace privacy-first strategies to meet these evolving standards and maintain user trust.
Is your business ready for the 2025 Norwegian E-Com Act? Now is the time to evaluate your tools, reconfigure your practices, and adopt privacy-first strategies to ensure compliance and protect user trust, starting with a free privacy scan.
Ronni K. Gothard Christiansen
Creator, AesirX.io