Sweden's data protection authority, Integritetsskyddsmyndigheten (IMY), has steadily increased its enforcement activity throughout 2025. What was once considered a relatively lenient regulator has become one of the EU's most technically focused DPAs, with a particular emphasis on cookie compliance and automated tracking technologies.
The shift began in late 2024 when IMY published updated guidance on the interpretation of the ePrivacy Directive as transposed into Swedish law (LEK). The guidance made clear that analytics cookies, advertising pixels, and fingerprinting scripts all require prior informed consent — a position that, while consistent with CJEU case law, caught many Swedish organizations off guard.
In the first half of 2025, IMY conducted coordinated audits of 40 public-sector websites and 25 major e-commerce platforms. The results were striking: over 70% of audited sites were found to deploy tracking technologies before obtaining valid consent. The most common violations included consent banners with pre-ticked boxes, cookie walls that conditioned access on consent, and reject buttons hidden behind multiple clicks.
Enforcement actions have followed a clear escalation pattern. Initial violations typically result in a formal reprimand with a compliance deadline. Organizations that fail to remediate within 90 days face administrative fines under Article 83 GDPR. IMY has issued fines ranging from SEK 500,000 to SEK 12 million in 2025, with the average penalty sitting around SEK 3 million.
For businesses operating in Sweden, the message is clear: self-assessment is no longer sufficient. IMY expects organizations to conduct regular technical audits of their cookie implementations, maintain evidence of consent collection mechanisms, and demonstrate that reject options are as accessible as accept options. The authority has specifically noted that it uses automated scanning tools in its preliminary assessments — meaning your website's compliance posture is being evaluated even before a formal investigation begins.
IMY has signaled that 2026 enforcement priorities will expand to include cross-border data transfers (particularly to US-based analytics providers) and AI systems that process personal data. Organizations should prepare by reviewing their data flows, updating Data Protection Impact Assessments, and testing that their cookie consent implementations withstand automated scrutiny.