Earlier this year, Norway’s new Electronic Communications Act (E-Com Act) transformed the country’s digital privacy landscape. Working alongside GDPR, the Act establishes some of Europe’s most robust user protections by setting a higher standard for digital consent and granting individuals unprecedented control over their personal data, fundamentally reshaping digital rights in the country.
A Specialized Law Built on a GDPR Foundation
It is important to understand that the E-Com Act is not a replacement for GDPR in Norway, but rather a specialized law that builds upon its principles. In legal terms, it functions as lex specialis, meaning it provides specific rules for the electronic communications sector that complement GDPR’s broader framework.
Where GDPR establishes the overarching principles of lawful and transparent data processing, the E-Com Act applies these principles directly to cookies, online tracking, and other digital communication technologies. While Norway has long followed the EU’s ePrivacy Directive, the 2025 Act represents a deliberate move by the Norwegian Parliament to solidify user rights and reinforce digital sovereignty.
Key Amendments in the 2025 E-Com Act
The Act introduces several groundbreaking changes designed to enhance user control and privacy online. The most significant of these amendments focus on three core areas: how consent is given, the level of choice offered to users, and the clarity of information provided about data collection
The End of Implied Consent
The most profound change is the definitive move away from “implied consent” for cookies and similar trackers. For years, internet users encountered banners stating that by continuing to use a site, they consented to cookie use. This passive form of acceptance is now illegal.
Under the 2025 E-Com Act, consent must be an explicit and affirmative action. This means a user must actively signal their agreement, for instance, by clicking an “Accept” or “Agree” button before any non-essential cookies can be placed on their device.
Pre-ticked boxes, consent inferred from scrolling, or banners that lack a clear rejection option are no longer compliant. If a user doesn’t provide a clear “yes,” the default answer is “no.”
Granular Consent: Empowering User Choice
The Act also dismantles the “all-or-nothing” approach to consent that was once common. Websites can no longer bundle all cookies into a single accept/reject choice. Instead, they must provide granular consent mechanisms, allowing users to make separate choices for different categories of cookies. A compliant website now presents users with clear options, typically broken down into categories such as:
- Strictly Necessary Cookies – Essential for a site’s core functions, which do not require consent but whose purpose must be explained.
- Analytical/Performance Cookies – Used to measure website traffic and user engagement.
- Functional Cookies – Remembers user settings like language or login details.
- Marketing/Advertising Cookies – Tracks browsing activity to deliver personalized ads.
Crucially, the law mandates that it must be as easy for a user to reject cookies as it is to accept them. This means a prominent “Reject All” button is now a standard feature, preventing the use of “dark patterns” – deceptive designs that nudge users toward accepting cookies against their better judgment.
A New Mandate for Transparency
For consent to be meaningful, it must be informed. The 2025 E-Com Act places a strong emphasis on transparency, legally requiring that websites provide clear, accessible, and easily understandable information about their data practices. Users now have a legal right to know:
- What data is collected by each type of cookie (e.g., IP address, device type, browsing patterns).
- The specific purpose behind the data collection for each category.
- A list of any third parties (such as ad networks or analytics services) the data will be shared with.
- The duration of each cookie – how long it will be stored on the user’s device.
This information must be presented in plain, jargon-free language and be readily accessible from the initial consent banner.
Broader Implications: A New Standard for Digital Rights
The enforcement of Norway’s 2025 E-Com Act marks a pivotal moment for data privacy. By mandating explicit, granular, and fully informed consent, the law fundamentally rebalances the relationship between individuals and the digital services they use. It shifts power back to the user, transforming consent from a passive formality into an active and meaningful choice.