In October 2024, IMY published its most detailed cookie guidance to date, clarifying expectations for consent management platforms (CMPs) and cookie implementations across Swedish websites. The guidance, while not legally binding in itself, reflects IMY's interpretation of the ePrivacy Directive as transposed into the Swedish Electronic Communications Act (LEK) and provides a roadmap for compliance.
The guidance establishes several key principles. First, consent must be obtained before any non-essential cookies are placed. This includes analytics cookies, marketing cookies, and any technology that accesses information stored on the user's device. Only cookies that are strictly necessary for a service explicitly requested by the user are exempt.
Second, the reject option must be as easy to find and use as the accept option. IMY explicitly states that consent banners requiring users to navigate through settings panels to reject cookies do not meet the standard for freely given consent. The authority recommends presenting accept and reject as equally prominent options on the first layer of any consent banner.
Third, IMY addresses the practice of cookie walls — conditioning access to a website on the user's consent to non-essential cookies. The guidance states that cookie walls generally do not produce valid consent, as consent given under such conditions cannot be considered freely given. There are narrow exceptions for paid alternatives, but the bar is high.
For organizations operating in Sweden, the practical implications are clear. Review your CMP configuration to ensure reject is as accessible as accept. Audit your cookie inventory to confirm that no non-essential cookies fire before consent is obtained. Document your lawful basis for each cookie category. And critically, test your implementation — IMY has stated that it uses automated tools to verify compliance, meaning theoretical compliance that breaks down in practice will be caught.