Key Takeaways from the Swedish Authority for Privacy Protection’s Latest Decisions on Cookie Banners

Sweden

During 2022, the non-profit organization None of Your Business (NOYB) lodged 226 complaints with data protection authorities across the EU, including with the Swedish Authority for Privacy Protection (“IMY”). The complaints concerned how companies designed their cookie banners – i.e. the pop-up notices that inform website visitors about cookie usage and allow them to manage their cookie preferences. It was argued that these cookie banners were not compliant with the GDPR and as a result, the IMY initiated investigations of three Swedish companies.

Last week, on April 30, 2025, the IMY published information on recently issued reprimands for each company and offered legal guidance on the topic. Below, CMS Wistrand has summarized the key takeaways:

  • Information about the data subject's right to withdraw consent must be clearly presented in the cookie banner. Simply providing information regarding the option to “manage cookie settings” is not sufficient; the banner must explicitly inform the data subject that consent may be withdrawn.
  • It shall be just as easy for data subjects to withdraw consent as to provide consent. Therefore, each process should require approximately the same number of clicks.
  • The cookie banner must be designed in a way that is not misleading to data subjects. This means that the options to provide and withdraw consent should be presented in a similar manner. Highlighting only the “accept cookies” option by using prominent colours and contrasts is considered misleading.
  • When legitimate interest is used as the legal basis for the personal data collected through cookies, the option to object to such processing must be presented in the first “layer” of the cookie banner. Thus, the data subject shall not be required to “click through” additional steps or pages in order to object.
  • Personal data collected through cookies requires a high level of privacy protection. This enhanced protection must be taken into consideration when relying on legitimate interest as the legal basis, particularly when conducting a balancing test. It is essential that the data controller is able to demonstrate a legitimate interest and that an adequate balancing test has been conducted.

CMS Wistrand provides continuous support on matters related to privacy and data protection. If you have any questions or would like to learn more about cookies, you are welcome to contact us.

IMY’s decisions are available in Swedish here.