Between December 2024 and April 2025, Integritetsskyddsmyndigheten issued formal reprimands against five Swedish companies for cookie consent violations. ATG, Aftonbladet, SVT, Warner Music Sweden, and Aller Media AB each received a reprimand under GDPR Article 58(2)(b). The decisions were published on 30 April 2025. All five cases originated from complaints coordinated by noyb through the EDPB Cookie Banner Taskforce.
What IMY found wrong — company by company
Each decision addressed a distinct violation. IMY did not treat these as a single enforcement action. The violations were different in kind.
- ATG (IMY-2023-16453, decided 19 December 2024): The accept button was green with white text. The reject option was a gray text link with lower contrast. Rejecting required navigating to a settings panel. Withdrawing consent was buried in the site footer, making it harder than giving consent. IMY cited GDPR Articles 6 and 7(3).
- Aller Media AB (IMY-2023-16452, decided 28 April 2025): Aller claimed legitimate interest under Article 6(1)(f) for profiling and precise geodata via cookies on recept.se. IMY found that Aller never conducted an interest-balancing assessment and could not demonstrate that a legitimate interest existed. The CMP vendor had recommended dual legal bases (consent + legitimate interest), and Aller followed the recommendation without conducting its own legal evaluation. IMY cited GDPR Article 6.
- Warner Music Sweden (IMY-2023-16448, decided 16 December 2024): The cookie banner did not clearly inform users about their right to withdraw consent. While a settings link existed on the site, the withdrawal process was not as easy as giving consent. IMY cited GDPR Articles 6 and 7(3).
- Aftonbladet and SVT (decided December 2024): Cookie banners made accepting cookies significantly easier than rejecting them. The accept button was visually prominent while the reject option required additional navigation. IMY issued reprimands for failure to obtain freely given consent.
Why these decisions matter
These decisions show IMY enforcing three distinct consent requirements simultaneously. ATG was about visual design (color contrast and button prominence). Aller Media was about choosing the wrong legal basis entirely. Warner Music was about failing to inform users of their withdrawal right. Previous Swedish enforcement focused on cookies firing before consent (the 2023 Google Analytics decisions) or unauthorized data transfers (the 2024 pharmacy pixel cases). Now IMY is examining the consent mechanism itself: how you ask, what legal basis you claim, and whether withdrawal is genuinely accessible.
The decisions reference the EDPB Guidelines 05/2020 on consent and the EDPB Cookie Banner Taskforce findings from 2023. Freely given means the user faces no disadvantage for refusing. If your banner makes accepting easier than rejecting, that consent is not freely given.
What IMY requires
- Reject must be as easy as accept: same layer, same visual weight, same number of clicks. The ATG decision specifically flagged color contrast asymmetry between accept and reject options.
- Do not rely on legitimate interest for cookie-based tracking. The Aller Media decision makes clear that Article 6(1)(f) requires a documented interest-balancing assessment. Following your CMP vendor's default settings is not a legal basis.
- Inform users clearly about withdrawal. The Warner Music decision requires that the cookie banner itself tells users they can withdraw consent, and that the withdrawal path is as easy as giving consent.
- Consent must be granular. Users must be able to choose per category, not just all-or-nothing.
- Reject must actually work. Clicking reject should stop all non-essential cookies immediately.
All five cases originated from a single noyb complaint wave processed through the EDPB Cookie Banner Taskforce. European data protection authorities increasingly use coordinated enforcement and automated scanning for preliminary assessments.
The real risk: fines are the least of it
All five companies received reprimands, not fines. IMY classified the violations as minor under GDPR Recital 148, citing factors like first-time offences and partial remediation during the investigation. But a reprimand is a formal finding of violation. If these companies fail to fix the issues, IMY can escalate to administrative fines under GDPR Article 83. For consent violations, that means up to 4% of annual global turnover or EUR 20 million.
A reprimand is also public. Your customers, competitors, and partners can see it. For companies that handle consumer data, the reputational damage often costs more than any fine.
Is your cookie banner compliant?
Vakteye scans your consent banner the same way IMY does: automated, evidence-backed, with screenshots and cookie diffs.
How Vakteye detects these exact patterns
The Vakteye platform tests your consent banner against the requirements from IMY's enforcement decisions. Here is what we check:
- Button prominence analysis: We measure the visual weight of accept vs. reject buttons (size, color contrast, placement) — the exact issue in the ATG decision.
- Legal basis validation: We detect banners that claim legitimate interest for tracking cookies — the Aller Media violation.
- Click-path measurement: We count how many clicks it takes to reject vs. accept, and verify that withdrawal is accessible from the first layer.
- Post-reject verification: After clicking reject, we check whether non-essential cookies were actually blocked.
- Zombie cookie detection: We clear cookies after rejection and wait. Some respawn within seconds.
Every finding comes with forensic evidence: browser session recordings, HAR files, cookie diffs, and timestamped screenshots. The kind of evidence that holds up in an IMY investigation.
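The checks listed above can be expressed as one audit function over a recorded banner session. This is an added example, not Vakteye's or IMY's code; the session fields, the 80% contrast tolerance, the finding codes and the cookie names are assumptions constructed for illustration.

```javascript
// Added example; field names, thresholds and sample data are assumptions.
// WCAG 2.x relative luminance of an sRGB colour written as "#rrggbb".
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio: 1 for identical colours, 21 for black on white.
function contrastRatio(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Audit one recorded banner session and return a list of finding codes.
function auditBanner(s) {
  const findings = [];
  const { accept, reject } = s.controls;
  if (reject.clicks > accept.clicks) findings.push("reject-needs-more-clicks");
  if (reject.layer !== accept.layer) findings.push("reject-on-different-layer");
  // Assumed tolerance: flag reject text with under 80% of accept's contrast.
  const ratio = (c) => contrastRatio(c.text, c.background);
  if (ratio(reject) < 0.8 * ratio(accept)) findings.push("reject-lower-contrast");
  if (!s.bannerMentionsWithdrawal) findings.push("withdrawal-not-mentioned");
  // Cookie diff: anything outside the essential allowlist after reject.
  const essential = new Set(s.essentialCookies);
  const leaked = s.cookiesAfterReject.filter((n) => !essential.has(n));
  if (leaked.length) findings.push("non-essential-after-reject:" + leaked.join(","));
  // Respawn check: cookies cleared after reject that come back on their own.
  const respawned = s.cookiesAfterClearAndWait.filter((n) => !essential.has(n));
  if (respawned.length) findings.push("respawned:" + respawned.join(","));
  return findings;
}

// Constructed session: green accept button, gray reject link in a settings panel.
const sampleSession = {
  controls: {
    accept: { text: "#ffffff", background: "#006b2d", clicks: 1, layer: 1 },
    reject: { text: "#aaaaaa", background: "#ffffff", clicks: 3, layer: 2 },
  },
  bannerMentionsWithdrawal: false,
  essentialCookies: ["session_id", "consent_state"],
  cookiesAfterReject: ["session_id", "consent_state", "ad_uid"],
  cookiesAfterClearAndWait: ["ad_uid"],
};

console.log(auditBanner(sampleSession));
```

The contrast comparison is relative (reject versus accept), which matches the asymmetry described in the ATG decision rather than an absolute accessibility threshold.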
What you should do this week
Open your website in a private browser window. Look at your cookie banner. Count the clicks to reject. Compare the reject button to the accept button. Check whether your CMP uses legitimate interest as a fallback legal basis for any cookie category. Look for a clear withdrawal mechanism. If any of these checks fail, you have the same exposure these five companies had.
Or let Vakteye do it for you. The platform takes 90 seconds and tests every pattern IMY flagged in these decisions. For the NIS2 side of the same checks, see our Cybersäkerhetslagen audit guide (/insights/nis2-audit-sverige-cybersakerhetslagen-2025-1506).
Don't wait for IMY to find the problem
Run a free compliance scan and see exactly what IMY would find on your website today.