Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Sweden Konungariket Sverige

Sweden — analytics & cookie compliance reference

What you can run on a Swedish-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. IMY (Integritetsskyddsmyndigheten) is pragmatic by EU standards; Swedish-language privacy notices are recommended; updated 2023 cookies guidance confirmed the equal-weight reject layer.

GDPR ePrivacy Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Sweden. Sectoral rules (healthcare, banking, employment, telecom) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Dataskyddslagen
Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning
Swedish supplementary act to GDPR. Fills opening clauses on freedom of expression, archival, statistics, special-category data, and child-consent age. Lowers the GDPR Art 8 child-consent threshold from 16 to 13 — among the lowest in the EU (alongside BE/DK/EE/FI/LV/MT/PT/UK).
  • Ch 1 § 6 Scope — applies to processing wholly or partly automated; manual processing in structured filing systems
  • Ch 2 § 4 Child consent age lowered to 13 for information-society services (lowest tier in EU)
  • Ch 3 § 3 Special-category data — Swedish-specific permissions (employment, social security, health, research)
  • Ch 6 § 2 Administrative fines — IMY may issue fines against public authorities (capped at SEK 5M for state/SEK 10M for municipalities)
SFS 2018:218, in force 25 May 2018; latest amendment SFS 2023:813
LEK Ch 9 § 28  Stricter
Lag (2022:482) om elektronisk kommunikation
Swedish transposition of ePrivacy Directive Art 5(3) — cookies and terminal-equipment access. PTS (Post- och telestyrelsen) supervises the telecom layer; IMY supervises the data-protection layer of cookie consent. IMY's updated 2023 cookies guidance confirmed that an equal-weight reject button is required.
  • Ch 9 § 28 Storage / read access on terminal equipment requires prior, informed consent
  • Ch 9 § 28(2) Strictly-necessary exception — narrowly construed; analytics/marketing never qualify
SFS 2022:482, replaced LEK 2003:389 on 3 June 2022
Marknadsföringslagen
Marknadsföringslag (2008:486)
Direct marketing — email/SMS opt-in for natural persons (§ 19). Konsumentverket / Consumer Ombudsman enforces. Double-opt-in is recommended (not statutory) but standard industry practice for evidentiary purposes.
  • § 19 Email/SMS marketing to natural persons — prior express opt-in required
  • § 19(2) Soft opt-in — narrow exception for existing-customer + similar products + opt-out at every contact
  • § 21 Telephone marketing — opt-out (NIX-registret) regime for natural persons
SFS 2008:486
OSL
Offentlighets- och sekretesslagen (2009:400)
Public-sector transparency + secrecy regime. Sweden's constitutional principle of public access (offentlighetsprincipen, since 1766) interacts with GDPR — public-sector controllers must balance disclosure obligations with data-subject rights. Relevant for analytics deployments on government/municipal websites.
  • Ch 21 § 7 Personal-data secrecy — disclosure prohibited where it would breach GDPR
  • Ch 40 Statistics and research — relaxed disclosure for archived public-sector data
SFS 2009:400
MBL § 11
Lag (1976:580) om medbestämmande i arbetslivet
Codetermination Act — employers must initiate negotiation with trade unions before deciding on significant changes affecting employees, including deployment of monitoring/analytics technology that affects employee behavior.
  • § 11 Primary negotiation duty — employer must negotiate with union before significant changes (incl. analytics/monitoring deployments)
  • § 19 Information duty — continuous information about operations and personnel policy
SFS 1976:580

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
IMY · Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection)
Single national DPA — supervises all data-protection matters in Sweden (private + public sector). Renamed January 2021 from Datainspektionen.

Coordination body

IMY · Integritetsskyddsmyndigheten
Sweden has a single unified DPA (no federal/state split). IMY publishes guidance, conducts audits, and coordinates with PTS (telecom regulator) on cookie/ePrivacy matters and with Konsumentverket (Consumer Ombudsman) on marketing-law overlap.
  • 2021-01-01 · Renaming — Datainspektionen renamed Integritetsskyddsmyndigheten (IMY) to reflect broader privacy-protection mandate beyond data inspection.
  • 2023-04 · Cookies guidance update — IMY updated cookie-consent guidance — equal-weight reject button required at first layer; pre-ticked boxes invalid; legitimate-interest unavailable for non-essential cookies under LEK Ch 9 §28.
  • 2023-07-03 · Google Analytics enforcement — IMY ordered four companies (Tele2, CDON, Coop, Dagens Industri) to stop using Google Analytics — Tele2 fined SEK 12M (~€1.1M), CDON fined SEK 300K (~€27K); Coop and Dagens Industri were not fined as their supplementary technical measures were considered sufficient. Pre-DPF case (DPF adopted 10 Jul 2023, 7 days later).
  • 2024-09 · Workplace monitoring — IMY guidance on employee monitoring — productivity/behavior analytics require GDPR legal basis + MBL § 11 codetermination negotiation with trade unions.

Notable enforcement

Sweden ranks mid-tier among EU member states by GDPR fine volume — well below Ireland, France, and Germany, but consistently active. IMY's pragmatic posture (relative to BW or CNIL) does not translate to leniency on systemic failures: the Klarna, Spotify, Swedbank, and Bonnier cases show consistent willingness to pursue household-name controllers for DSAR mishandling, transparency failures, and access-control weaknesses. The renaming from Datainspektionen to IMY in January 2021 signaled a broader mandate beyond traditional data-inspection. Sweden's child-consent age of 13 (vs Germany's 16) is a notable jurisdictional divergence relevant to any service offering information-society products to minors.

  1. 2020-03 €7.0M
    Google LLC (right to be forgotten) IMY · Art 17 stood

    Inadequate compliance with right-to-be-forgotten requests — Google failed to fully delist URLs after Swedish DPA orders. SEK 75M.

  2. 2023-06 €5.0M
    Spotify AB IMY · Art 12, 15 reduced-on-appeal

    DSAR (Art 15) failures — incomplete access responses to data subjects; insufficient transparency about data origin. SEK 58M (~€5M); on appeal reduced to SEK 40M (~€3.5M) by the Administrative Court of Appeal in 2024.

  3. 2024-03 €4.2M
    Bonnier News AB IMY · Art 5, 6, eP stood

    Unlawful direct marketing — failure to obtain valid consent for marketing emails to subscribers; cross-publication data sharing without legal basis.

  4. 2024-05 €4.0M
    Swedbank AB IMY · Art 32 stood

    Inadequate access controls — internal-system permissions allowed staff to access customer data beyond business need. ~SEK 43M.

  5. 2023-07 €1.1M
    Tele2 Sverige AB IMY · Art 44, 46 stood

    Google Analytics transfers to US — supplementary measures insufficient under Schrems II; SEK 12M. Tele2 had already stopped using GA on its own initiative.

  6. 2022-03 €700k
    Klarna Bank AB IMY · Art 12, 13 stood

    Transparency failures — incomplete privacy notice, unclear lawful-basis disclosure across multiple processing purposes. SEK 7.5M (~€700K).

  7. 2021-06 €280k
    MrKoll.se (Bisnode) IMY · Art 5, 6 stood

    People-search website — publication of personal data without valid legal basis under Swedish constitutional publishing-licence regime.

  8. 2023-07 €27k
    CDON AB IMY · Art 44, 46 stood

    Google Analytics transfers to US — supplementary measures insufficient under Schrems II; SEK 300K. Pre-DPF case (DPF adopted 10 Jul 2023, 7 days after this decision).

GA4 status

GA4 is usable in Sweden with prior, informed consent under LEK Ch 9 §28. IMY did issue a high-profile GA-related ruling on 3 Jul 2023 (one of Europe's first major GA enforcement actions): Tele2 fined SEK 12M, CDON SEK 300K, Coop and Dagens Industri ordered to stop without fines. The decisions covered pre-DPF transfers; after EU-US DPF (10 Jul 2023, 7 days later) transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Controllers should document the consent layer and DPF reliance.

DPA · Stance
IMY · GA4 actionable post-DPF — transfers lawful with DPF + LEK §28 consent. IMY's Jul 2023 GA ruling (Tele2/CDON fines + Coop/Dagens Industri orders) is binding precedent on supplementary-measures sufficiency for pre-DPF transfers.

Cross-border transfers + Schrems II

Sweden has historically taken a moderate post-Schrems II posture compared to BW or CNIL. IMY accepts adequacy for DPF-certified US importers post-10 Jul 2023. For non-DPF US transfers, IMY expects documented Transfer Impact Assessment and supplementary measures, but does not match the most aggressive German Land DPAs. Swedish controllers benefit from this pragmatic stance — fewer transfer-only fines than peer jurisdictions.

EU 2021/914 SCCs are the fallback when DPF certification is absent or revoked. IMY scrutinizes Module 2 onward-transfer clauses but does not impose German-style mandatory TIA documentation as a default.

Employee data

Key thresholds

  • Child consent age — 13 years
  • Article 27 representative — Required
  • Marketing consent — Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in Sweden in 2026?
Yes, conditionally. GA4 is usable in Sweden with prior, informed consent under LEK Ch 9 §28. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. IMY did issue GA-specific decisions on 3 Jul 2023 (one week before the DPF) — Tele2 (SEK 12M / ~€1.1M) and CDON (SEK 300K / ~€27K) were fined for pre-DPF transfers, while Coop and Dagens Industri were ordered to stop using GA but escaped fines because their supplementary technical measures were considered sufficient. Post-DPF deployments with proper consent and DPF-certified recipients are not the target of this precedent.
Why was Datainspektionen renamed IMY?
Effective 1 January 2021, Datainspektionen was renamed Integritetsskyddsmyndigheten (IMY — Swedish Authority for Privacy Protection) to reflect a broader privacy-protection mandate beyond traditional data-inspection. The legal mandate, jurisdiction, and powers remained unchanged; only the name and branding shifted to align with EU peers (CNIL, AEPD, Garante).
What is the child-consent age in Sweden?
13 years — the lowest tier permitted under GDPR Art 8 (alongside Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, and the UK). Information-society services offered directly to children may rely on the child's own consent from age 13 in Sweden, vs 16 in Germany. This matters for any service targeting Swedish minors (gaming, social, ed-tech).
Do I need a DPO in Sweden?
DPO requirement follows GDPR Art 37 directly — Sweden has not lowered the threshold (unlike Germany's BDSG §38 ≥20-employee rule). Mandatory DPO when (a) public authority, (b) core activity = regular and systematic monitoring on a large scale, or (c) core activity = large-scale special-category or criminal-data processing.
What did IMY's 2023 cookie guidance change?
The April 2023 update clarified that an equal-weight reject button is required at the first layer of any cookie banner — 'reject all' must be as prominent and easy to access as 'accept all'. Pre-ticked boxes are invalid. Legitimate-interest is unavailable as a basis for non-essential cookies under LEK Ch 9 §28 (which is independent of GDPR Art 6). The guidance aligned Sweden with the EDPB cookie-banner taskforce position.
Do I need to negotiate with a Swedish trade union before deploying analytics?
Possibly — yes, when the analytics tool can monitor employee behavior. MBL § 11 (Codetermination Act) imposes a primary-negotiation duty on employers before significant changes affecting employees, which IMY's 2024 workplace-monitoring guidance treats as covering productivity-tracking, behavior-analytics, and HR-monitoring deployments. Failure is a labor-law breach enforced via the Labour Court, separate from GDPR.
What language must my privacy notice be in?
Swedish for Sweden-targeted sites is recommended and aligns with IMY guidance. English-only may be acceptable for B2B or expat-focused audiences but is risky for consumer-facing services. The targeting test mirrors GDPR Art 3(2) — Swedish-language site, .se domain, SEK pricing, Swedish-language marketing all signal targeting.
Do I need a Swedish Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Sweden (or any EEA state), unless the small-business exception in Art 27(2) applies. IMY does not maintain a public registry of representative-non-designation cases comparable to BlnBDI's, but representative obligations are enforced as part of regular complaint handling.
Is the offentlighetsprincipen (public access) compatible with GDPR?
Yes — Sweden's constitutional principle of public access to official documents (since 1766) is preserved through Dataskyddslagen and OSL (Offentlighets- och sekretesslagen). Public-sector controllers must balance disclosure obligations with GDPR data-subject rights — OSL Ch 21 § 7 is the key bridging provision. Private-sector analytics deployments are not directly affected.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies — Transfer Impact Assessment + supplementary measures required. IMY's posture is more moderate than the strictest German Land DPAs (notably LfDI BW); documented TIAs are expected but rarely the sole basis for enforcement.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Sweden's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.