Most Swedish websites fail basic cookie compliance checks. IMY's 2025 enforcement actions against ATG, Aller Media, and Warner Music showed that even large, well-resourced companies get consent wrong. The failures weren't obscure technical issues. They were basic consent banner problems that any site owner can fix. Cookie banner compliance in Sweden isn't optional, and regulators are actively checking.
The fines are real. IMY has issued fines in the millions of kronor for privacy violations: SEK 37 million against Apoteket and SEK 8 million against Apohem in 2024 for unauthorized data transfers via Meta Pixel. Cookie consent violations that aren't remediated after a formal reprimand can escalate to similar fines.
Why this matters right now
IMY updated its cookie guidance in late 2024 and has been enforcing it aggressively since. European data protection authorities increasingly use automated scanning in preliminary assessments, so your website may be evaluated before a formal investigation begins.
The legal basis is the ePrivacy Directive as transposed into Swedish law (LEK — Lagen om elektronisk kommunikation). Combined with GDPR Articles 6(1)(a) and 7, the requirements are clear: no tracking without valid, informed, freely given consent.
Step 1: Make reject as easy as accept
This is the single most common failure. Your cookie banner must present the reject option with equal prominence to the accept option. Same size button. Same visual weight. Same number of clicks to reach.
A large green "Accept All" button next to a small gray "Manage Preferences" link does not meet IMY's standard. Reject must be a button, not a link, not a settings menu, not a second-layer option.
Common mistake: Hiding the reject option behind a "Manage cookies" or "Settings" button that opens a second layer. IMY requires reject to be available on the first layer of the banner with equal visual prominence.
Step 2: No pre-ticked boxes
The CJEU ruled in Planet49 (C-673/17) that pre-ticked consent boxes are invalid. This applies to all consent mechanisms: checkboxes, toggles, sliders. Everything must default to off.
If your CMP has categories like "Analytics" or "Marketing" toggled on by default, you are collecting invalid consent. Every category must start in the rejected state. The user must actively opt in.
Common mistake: CMP platforms that default to "Legitimate Interest" for analytics cookies. Under IMY's interpretation of LEK and the ePrivacy Directive, legitimate interest is not a valid legal basis for cookies and similar technologies. Consent is required.
Step 3: No cookie walls
A cookie wall blocks access to your website unless the visitor accepts cookies. IMY considers this coercive. Consent obtained under a "take it or leave it" condition is not freely given.
There is a narrow exception: you may offer a genuine paid alternative that provides the same content without tracking. But the paid option must be reasonable, not a fig leaf. Most organizations are better off simply allowing access without non-essential cookies.
How does your banner score?
Vakteye's consent scanner tests your banner against all six steps: button prominence, pre-ticked boxes, cookie walls, pre-consent tracking, and post-rejection cookie behavior. Results in minutes, with evidence.
Step 4: No tracking before consent
This is where most cookie banners fail technically, even if they look correct. Your website must not set any non-essential cookies or fire any tracking scripts before the user makes a choice.
That means no Google Analytics pageview on load. No Meta Pixel. No marketing cookies. If your tag manager fires before consent is recorded, you have a violation, regardless of how well your banner is designed.
- Audit your page load sequence. Use browser DevTools to check which cookies exist before any banner interaction.
- Configure your tag manager to block all non-essential tags until consent is received.
- Check for third-party scripts loaded in your HTML <head> that set cookies independently of your CMP.
- Verify that embedded iframes (YouTube, Google Maps, social widgets) don't set cookies before consent.
Common mistake: Loading Google Tag Manager itself before consent. GTM may fire tags during initialization depending on your configuration. Use consent mode or ensure all triggers require consent status.
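The Consent Mode point above can be checked from a capture of the page's dataLayer taken before any banner interaction. The following is an added example, not code from the original page or from Google. It assumes defaults are set with gtag commands before the container snippet, treats anything other than an explicit "denied" as a finding, and uses two constructed captures; a site that sets defaults from a CMP tag on GTM's Consent Initialization trigger needs a different ordering check.

```javascript
// Consent Mode v2 signals this example requires to default to "denied".
const REQUIRED = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// Constructed captures of window.dataLayer taken before any banner interaction.
const weakCapture = [
  { "gtm.start": 1700000000000, event: "gtm.js" }, // container starts first
  ["consent", "default", { ad_storage: "denied", analytics_storage: "granted" }],
];
const fixedCapture = [
  ["consent", "default", { ad_storage: "denied", analytics_storage: "denied",
                           ad_user_data: "denied", ad_personalization: "denied" }],
  { "gtm.start": 1700000000000, event: "gtm.js" },
];

// gtag() pushes array-like `arguments` objects, so index access works for both
// real captures and the plain arrays used here.
const isConsentDefault = e => Boolean(e) && e[0] === "consent" && e[1] === "default";

function auditConsentDefaults(dataLayer) {
  const problems = [];
  const startIdx = dataLayer.findIndex(e => Boolean(e) && e.event === "gtm.js");
  const defaultIdx = dataLayer.findIndex(isConsentDefault);
  if (defaultIdx === -1) return ["no consent default command in dataLayer"];
  if (startIdx !== -1 && defaultIdx > startIdx) {
    problems.push("consent default arrives after the container start (gtm.js)");
  }
  const settings = dataLayer[defaultIdx][2] || {};
  for (const key of REQUIRED) {
    if (settings[key] !== "denied") {
      problems.push(`${key} is ${settings[key] ?? "unset"}, expected denied`);
    }
  }
  return problems;
}

console.log("weak:", auditConsentDefaults(weakCapture));
console.log("fixed:", auditConsentDefaults(fixedCapture));
```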
Step 5: Respect rejection and verify it actually works
Clicking "Reject" must actually stop tracking. This sounds obvious, but Vakteye's scans consistently find sites where cookies persist after rejection. The banner says one thing. The browser shows another.
Common causes: CMP misconfiguration, hardcoded analytics scripts that bypass the CMP, third-party widgets that ignore consent signals, and zombie cookies that respawn after deletion.
- Click Reject on your own site and immediately check cookies in DevTools. Are all non-essential cookies gone?
- Clear cookies, click Reject, wait 10 seconds, check again. Some cookies respawn (zombie cookies).
- Navigate to a second page after rejecting. Does the consent choice persist? Do new cookies appear?
- Check localStorage and sessionStorage. Some trackers store data there instead of in cookies.
Common mistake: Your CMP correctly blocks cookies on the landing page, but embedded widgets on subpages set tracking cookies independently because they weren't integrated with your consent management.
Step 6: Test with automated tools
Manual testing catches obvious problems but misses the subtle ones. Cookie behavior changes between pages, between sessions, and between consent states. A cookie that doesn't appear on your homepage might appear on your checkout page.
Automated scanning provides the systematic coverage that manual testing can't. It tests baseline behavior (before any consent interaction), post-reject behavior, and post-accept behavior, then compares the three states.
Vakteye's consent scanner does exactly this: baseline snapshot, reject flow with cookie diff, and accept flow with full comparison. Every finding comes with forensic evidence: browser session recordings, HAR recordings, and cookie inventories.
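The three-state comparison described in Steps 4 to 6, as an added example that is not Vakteye's scanner or code from the original page: it flags non-essential cookies and storage keys that are present before consent or after Reject, per page. The allowlist of essential names and the scan data are constructed assumptions; real inventories would come from DevTools or a browser automation run.

```javascript
// Assumed allowlist of strictly necessary names; everything else needs consent.
const ESSENTIAL = new Set(["session_id", "consent_choice"]);

// Constructed sample scan. One entry per visited page in each state: before any
// banner interaction, after clicking Reject, and after clicking Accept.
const sampleScan = {
  baseline: [{ page: "/", cookies: ["session_id", "_ga"], storage: [] }],
  reject: [
    { page: "/", cookies: ["session_id", "consent_choice"], storage: [] },
    { page: "/checkout", cookies: ["session_id", "consent_choice", "_fbp"],
      storage: ["tracker_uid"] },
  ],
  accept: [{ page: "/", cookies: ["session_id", "consent_choice", "_ga", "_gid"],
             storage: [] }],
};

// Flatten one state's page snapshots into its non-essential items.
function nonEssential(pages) {
  return pages.flatMap(({ page, cookies, storage }) => [
    ...cookies.map(name => ({ page, kind: "cookie", name })),
    ...storage.map(name => ({ page, kind: "storage", name })),
  ]).filter(item => !ESSENTIAL.has(item.name));
}

function auditConsentStates(scan) {
  const findings = [
    ...nonEssential(scan.baseline).map(i => ({ rule: "set-before-consent", ...i })),
    ...nonEssential(scan.reject).map(i => ({ rule: "present-after-reject", ...i })),
  ];
  // Items seen only after Accept are the ones the CMP gates correctly.
  const flagged = new Set(findings.map(f => `${f.kind}:${f.name}`));
  const acceptKeys = nonEssential(scan.accept).map(i => `${i.kind}:${i.name}`);
  const gated = [...new Set(acceptKeys)].filter(key => !flagged.has(key));
  return { findings, gated };
}

const report = auditConsentStates(sampleScan);
for (const f of report.findings) {
  console.log(`${f.rule}: ${f.kind} "${f.name}" on ${f.page}`);
}
console.log("gated behind consent:", report.gated.join(", "));
```

Repeating the reject snapshot after a short wait and comparing the two runs surfaces respawning cookies as new `present-after-reject` findings.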
Common mistakes that IMY catches
- "Continue browsing = consent": Implied consent is not valid consent. The user must take an affirmative action.
- Consent banner reappearing after rejection: Once rejected, the choice must persist until the user actively changes it.
- Different cookie behavior on mobile vs desktop: Your CMP must work consistently across all device types.
- Cookies missing from your privacy policy: Every cookie must be documented with its purpose, retention period, and provider.
- Consent for "functional" cookies that are actually analytics: Mislabeling cookies to avoid consent requirements is a violation.
European data protection authorities increasingly use automated scanning tools for preliminary website assessments. Your website's compliance posture is being evaluated continuously, not just during formal investigations.
Get IMY-ready in minutes
Vakteye tests your cookie banner the way IMY does: automated, evidence-based, and thorough. See exactly where you pass, where you fail, and what to fix first.