Prior consent before non-essential cookies — the Swedish way, under LEK and the GDPR.
In Sweden, the rule that governs cookies and similar tracking technologies is found in Chapter 9, Section 28 of the Electronic Communications Act — Lag (2022:482) om elektronisk kommunikation (LEK) — which transposes Article 5(3) of the ePrivacy Directive. It permits storing information in, or reading information from, a user's terminal equipment only after the user has received clear information about the purpose and has given consent, with a narrow exemption for what is strictly necessary to transmit a message or to deliver a service the user has explicitly requested. Two authorities share oversight: the Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS) supervises the LEK cookie rule itself, while the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) supervises the GDPR, including the validity of the consent that LEK requires. The meaning of "consent" is borrowed directly from the GDPR, so it must be freely given, specific, informed, and unambiguous.
9 kap. 28 § LEK: information may be stored in or read from a user's terminal equipment only after the user has been given clear information about the purpose and has consented, unless strictly necessary to transmit a message or to provide an explicitly requested service.
Applicable laws
Supervisory authority
IMY
Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection)
www.imy.se2022:482
The SFS number of LEK, the Electronic Communications Act that carries Sweden's cookie rule; it entered into force on 3 June 2022, replacing the 2003 Act
Sveriges riksdag, Lag (2022:482) om elektronisk kommunikation, riksdagen.se
4 of 4
Organisations PTS inspected in its 2022–2023 cookie supervision (Tele2, Swedbank, Folkhälsomyndigheten, Konsumentverket) that failed to obtain valid consent for non-essential cookies
Post- och telestyrelsen (PTS), cookie supervision decisions, pts.se
3
Major companies (ATG, Aller Media, Warner Music) formally criticised by IMY in April 2025 over dark-pattern cookie banners
Integritetsskyddsmyndigheten (IMY) decisions, April 2025
2
Supervisory authorities for Swedish cookies — PTS for the LEK consent rule and IMY for GDPR compliance of the consent collected
Post- och telestyrelsen (pts.se) and Integritetsskyddsmyndigheten (imy.se)
Under 9 kap. 28 § LEK, you may not store or read information on a visitor's device until they have consented. Non-essential cookies — analytics, marketing, third-party trackers — must not fire before the user actively agrees. Only strictly necessary storage (e.g. delivering a requested service or transmitting a message) is exempt.
PTS made clear in its 2022–2023 supervision that users must be able to decline non-essential cookies on the first layer of the banner, in the same view and just as easily as they can accept. Asymmetrical designs — a prominent 'Accept all' next to a buried reject link — do not produce valid consent.
Consent takes its meaning from the GDPR: it must be informed, specific, and unambiguous. Visitors need clear information, in plain Swedish, about which cookies are used, their purposes, and which third parties receive data — before they decide. Pre-ticked boxes and bundled, all-or-nothing choices are not valid.
IMY's April 2025 decisions against ATG, Aller Media, and Warner Music targeted dark patterns: high-contrast accept buttons against low-contrast reject options, pre-selected non-essential cookies, multi-step rejection, and unclear language. Banner design must not nudge users toward acceptance.
Consent must be as easy to withdraw as to give, so visitors need an accessible way to change their choice at any time. As a GDPR-accountable controller, you must also be able to demonstrate that valid consent was obtained — meaning records of what was shown and what each user agreed to.
Sweden's cookie regime has an unusual feature for B2B teams to grasp: it is supervised by two authorities at once. The substantive rule lives in Chapter 9, Section 28 of LEK and is policed by Post- och telestyrelsen (PTS), the telecom regulator. But because LEK borrows the GDPR's definition of consent, the quality of that consent — whether it was freely given, specific, informed, and unambiguous — falls to Integritetsskyddsmyndigheten (IMY), the data protection authority.
In practice this means a non-compliant cookie banner can be challenged from two directions. PTS looks at whether you obtained consent before placing non-essential cookies at all; IMY looks at whether the consent you collected, and what you then did with the resulting personal data, met GDPR standards. A banner that satisfies one test can still fail the other, so Swedish sites need to reason about both.
PTS opened supervision of four organisations in October 2022 — Tele2, Swedbank, Folkhälsomyndigheten, and Konsumentverket. When the findings landed in June 2023, the common thread was stark: none of the inspected websites had obtained valid consent for non-essential cookies. PTS's central demand was that users be able to refuse just as easily as accept, on the first layer of the banner. All four corrected their practices, and PTS closed the cases in late October 2023.
IMY then carried the baton on the GDPR side. In April 2025 it issued formal criticism against ATG, Aller Media, and Warner Music over dark-pattern banners — asymmetrical accept/reject buttons, pre-selected non-essential cookies, multi-step rejection flows, and consent buried in the footer. No administrative fines were imposed, but IMY signalled that dark patterns remain an enforcement priority. The message across both regulators is consistent: the design of the choice matters as much as the words.
The recurring failure in Swedish enforcement is not a missing banner — every inspected site had one — it is cookies firing before consent and choices that are not genuinely free. That is precisely the gap an audit closes. CookieSentry loads your live site the way a real visitor's browser would and flags every cookie and tracker that fires before any consent is given, naming the source, so you can see whether analytics or third-party scripts are breaching 9 kap. 28 § the moment the page loads.
CookieSentry is not a consent banner and not a CMP — keep the banner you already run. What it adds is evidence: a pre-consent scan you can export as a report and PDF, plus GDPR documents such as cookie and privacy policies localized to Swedish requirements. Used alongside your existing banner, it gives a Swedish site the proof PTS and IMY expect — that nothing non-essential runs before the visitor has truly chosen.
Information får lagras i eller hämtas från en abonnents eller användares terminalutrustning endast om abonnenten eller användaren får tillgång till information om ändamålet med behandlingen och samtycker till den. (Information may be stored in, or retrieved from, a subscriber's or user's terminal equipment only if the subscriber or user is given access to information about the purpose of the processing and consents to it.)
Sweden's cookie rule is 9 kap. 28 § of Lag (2022:482) om elektronisk kommunikation (LEK), in force since 3 June 2022. It implements Article 5(3) of the ePrivacy Directive and requires informed prior consent before storing or reading information on a user's device, except where strictly necessary. Source: Sveriges riksdag, riksdagen.se.
Post- och telestyrelsen (PTS) supervises the LEK cookie rule, while Integritetsskyddsmyndigheten (IMY) supervises GDPR compliance, including the validity of consent. PTS: pts.se. IMY: imy.se. A single non-compliant banner can be reviewed under both regimes.
PTS's 2022–2023 supervision found all four inspected organisations (Tele2, Swedbank, Folkhälsomyndigheten, Konsumentverket) had failed to collect valid consent. In April 2025, IMY formally criticised ATG, Aller Media, and Warner Music for dark-pattern cookie banners. Sources: pts.se; IMY decisions, April 2025.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure IMY is most likely to act on — and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to Sweden's rules. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
Cookies are governed by Chapter 9, Section 28 of the Electronic Communications Act — Lag (2022:482) om elektronisk kommunikation (LEK), which entered into force on 3 June 2022 and implements Article 5(3) of the ePrivacy Directive. It requires informed prior consent before storing or reading information on a user's device, with a narrow exemption for what is strictly necessary. The GDPR supplies the definition of valid consent.
Two authorities share oversight. The Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS, pts.se) supervises the LEK cookie rule and whether consent was obtained before non-essential cookies were set. The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, imy.se) supervises the GDPR, including whether that consent was valid and how the resulting personal data is handled.
Yes. In its 2022–2023 supervision, PTS made clear that visitors must be able to decline non-essential cookies on the first layer of the banner, in the same view and just as easily as they can accept. IMY's April 2025 decisions reinforced this by criticising dark patterns such as prominent accept buttons paired with hard-to-find reject options.
CookieSentry runs an automatic pre-consent scan: it loads your live site like a real visitor and flags every cookie or tracker that fires before consent — the exact failure PTS and IMY have penalised — naming each source, with an exportable report and PDF evidence. It also generates GDPR documents such as cookie and privacy policies localized to Swedish requirements. It is not a banner or CMP; you keep your existing banner and add the audit plus documents on top.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Sweden's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on Sweden cookie rules, not legal advice; verify current requirements with IMY or qualified counsel.