IMY's Cookie Crackdown: What ATG, Aller Media & Warner Music Mean for You

Vakteye Team | Mar 15, 2026 | 5 min read

Three Swedish companies woke up to formal decisions from Integritetsskyddsmyndigheten in April 2025. ATG, Aller Media AB, and Warner Music Sweden all received reprimands for the same thing: their cookie banners were designed to trick users into accepting tracking. IMY's cookie banner enforcement had arrived.

IMY found that the design of consent solutions at all three companies steered users toward accepting cookies rather than rejecting them, failing the requirement for freely given consent.

Based on IMY decisions, published April 2025

What IMY found wrong

The violations across all three companies followed the same pattern. Large, colorful "Accept All" buttons. Small, gray reject links buried in submenus. Pre-checked category boxes. The textbook dark pattern playbook.

  • ATG: "Accept All" was a prominent button. Rejecting required navigating to a settings panel and toggling individual categories, significantly more effort than the single-click accept.
  • Aller Media AB: Pre-checked boxes for advertising and analytics cookies. Users had to actively uncheck each category, the opposite of affirmative consent.
  • Warner Music Sweden: IMY found insufficient information about the right to withdraw consent, and that the banner language was misleading. It suggested website functionality would be impaired if cookies were rejected.

Why these decisions matter

These are IMY's first formal decisions specifically targeting cookie banner design. Previous enforcement focused on cookies firing before consent or missing consent entirely. Now IMY is saying: even if you ask for consent, how you ask matters.

The decisions reference the EDPB Guidelines 05/2020 on consent. Freely given means the user faces no disadvantage for refusing. If your banner makes accepting easier than rejecting, that consent is not freely given. Full stop.

What IMY requires now

  1. Reject must be as easy as accept: same layer, same visual weight, same number of clicks.
  2. No pre-checked boxes. Every cookie category must default to off.
  3. No dark patterns. Color contrast, button size, and placement must not steer the user.
  4. Consent must be granular. Users must be able to choose per category, not just all-or-nothing.
  5. Reject must actually work. Clicking reject should stop all non-essential cookies immediately.

European data protection authorities increasingly use automated scanning tools for preliminary website assessments. Your cookie banner may be evaluated before any formal investigation begins.

The real risk: fines are the least of it

ATG, Aller Media, and Warner Music received reprimands, not fines. That sounds mild. It is not. A reprimand is a formal finding of violation. If these companies fail to fix the issues, IMY can escalate to administrative fines under GDPR Article 83. For consent violations, that means up to 4% of annual global turnover or EUR 20 million.

A reprimand is also public. Your customers, competitors, and partners can see it. For companies that handle consumer data, the reputational damage often costs more than any fine.

Is your cookie banner compliant?

Vakteye scans your consent banner the same way IMY does: automated, evidence-backed, with screenshots and cookie diffs.

How Vakteye detects these exact patterns

Vakteye's consent scanner tests your banner against the requirements from IMY's enforcement decisions. Here is what we check:

  • Button prominence analysis: We measure the visual weight of accept vs. reject buttons (size, color contrast, placement).
  • Pre-checked box detection: We inspect checkbox states before any user interaction.
  • Click-path measurement: We count how many clicks it takes to reject vs. accept.
  • Post-reject verification: After clicking reject, we check whether non-essential cookies were actually blocked.
  • Zombie cookie detection: We clear cookies after rejection and wait. Some respawn within seconds.

Every finding comes with forensic evidence: browser session recordings, HAR files, cookie diffs, and timestamped screenshots. The kind of evidence that holds up in an IMY investigation.
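The post-reject verification and zombie cookie checks listed above both come down to diffing cookie snapshots taken at different points in a session. The following is an added example, not Vakteye's code: the snapshot shape, the `ESSENTIAL` allowlist, the finding names, and all cookie names and domains are assumptions, and the sample data is constructed.

```javascript
// Assumed allowlist of strictly necessary cookies; a real audit takes this
// from the site's own cookie policy rather than hard-coding names.
const ESSENTIAL = new Set(["session_id", "consent_state"]);

// Browsers identify a cookie by name + domain + path, so diff on that tuple.
const key = (c) => `${c.name}|${c.domain}|${c.path || "/"}`;
const tracking = (snap) => snap.filter((c) => !ESSENTIAL.has(c.name));

// Each snapshot is an array of {name, value, domain, path} objects
// (assumed shape, as exported by a browser automation session).
function auditReject({ beforeChoice, afterReject, afterClearAndWait }) {
  const findings = [];
  const before = new Map(beforeChoice.map((c) => [key(c), c.value]));
  const rejected = new Map(afterReject.map((c) => [key(c), c.value]));
  // Non-essential cookies present before the user clicked anything.
  for (const c of tracking(beforeChoice))
    findings.push({ type: "set-before-choice", cookie: key(c) });
  // Non-essential cookies still present, or newly set, after "reject".
  for (const c of tracking(afterReject))
    findings.push({
      type: before.has(key(c)) ? "survived-reject" : "set-after-reject",
      cookie: key(c),
    });
  // Cookies that reappear after the jar was cleared. A matching value means
  // the same identifier was restored from somewhere other than the jar.
  for (const c of tracking(afterClearAndWait))
    findings.push({
      type: "respawned-after-clear",
      cookie: key(c),
      sameIdentifier: rejected.get(key(c)) === c.value,
    });
  return findings;
}

// Constructed sample session for a hypothetical site, shop.example.
const trk = { name: "_trk", value: "u-81f3", domain: ".shop.example", path: "/" };
const sess = { name: "session_id", value: "s1", domain: "shop.example", path: "/" };
const SAMPLE = {
  beforeChoice: [sess, trk],
  afterReject: [
    sess,
    { name: "consent_state", value: "rejected", domain: "shop.example", path: "/" },
    trk,
    { name: "_ads", value: "a-22", domain: ".adnet.example", path: "/" },
  ],
  afterClearAndWait: [{ ...trk }],
};
console.log(auditReject(SAMPLE));
```

An empty result only means no non-essential cookie was observed in those three snapshots; local storage and network requests need their own checks.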

What you should do this week

Open your website in a private browser window. Look at your cookie banner. Count the clicks to reject. Compare the reject button to the accept button. If reject is harder to find or requires more steps, you have the same problem ATG, Aller Media, and Warner Music had.

Or let Vakteye do it for you. Our scanner takes 90 seconds and tests every pattern IMY flagged in these decisions.

Don't wait for IMY to find the problem

Run a free compliance scan and see exactly what IMY would find on your website today.
