Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Norway Kongeriket Norge


Norway — analytics & cookie compliance reference

EEA member (not EU); Datatilsynet enforces GDPR via EEA Agreement. Strong precedent on digital marketing and adtech — Grindr €6.5M (Dec 2021) was the first major EEA fine for sharing app-user data with the adtech ecosystem without consent.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Norway. Norway is NOT an EU member but applies GDPR via EEA Joint Committee Decision 154/2018 (in force 20 July 2018). Sectoral rules touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Personopplysningsloven
Lov om behandling av personopplysninger (Personal Data Act 2018)
Norwegian implementation of GDPR opening clauses + EEA-specific carve-outs (national security, archival, freedom of expression). Confirms Datatilsynet as supervisory authority; sets child consent age at 13.
  • § 5 Child consent age — lowered to 13 (one of the lowest GDPR-derogation thresholds in Europe)
  • § 11 Freedom of expression / journalism exemption — broader than typical GDPR Art 85
  • § 20 Datatilsynet's investigatory and enforcement powers
  • § 26 Administrative fines — full GDPR Art 83 ceiling (€20M / 4% global turnover)
LOV-2018-06-15-38, in force 20 July 2018 alongside GDPR incorporation via EEA
Ekomforskriften § 7-3a
Forskrift om elektronisk kommunikasjonsnett og elektronisk kommunikasjonstjeneste
Cookies + terminal-equipment access. Historically softer than EU baseline (notice-and-objection model until 2024), but Datatilsynet now aligns with EDPB guidance: prior, informed, freely-given consent for non-strictly-necessary cookies. Reform draft to fully align with EU 2009/136 pending.
  • § 7-3a(1) Storage / read access on terminal equipment requires informed consent
  • § 7-3a(2) Strictly-necessary exception — narrowly construed for analytics/marketing
FOR-2004-02-16-401, cookie clause § 7-3a in force since 2013, transposing ePrivacy Art 5(3)
Markedsføringsloven
Lov om kontroll med markedsføring og avtalevilkår mv. (Marketing Control Act)
Direct marketing — email/SMS opt-in (double opt-in standard) + telemarketing reservation register. Enforced by Forbrukertilsynet (Consumer Authority) in parallel with Datatilsynet.
  • § 15 Email/SMS marketing — prior express opt-in required (double opt-in)
  • § 13 Telemarketing — Reservation Register check mandatory
  • § 14 Soft opt-in — narrow existing-customer + similar-products exception
LOV-2009-01-09-2

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
Datatilsynet (Norwegian Data Protection Authority)
All public and private controllers and processors in Norway; cooperates with EDPB as observer (non-EU). EEA Joint Committee Decision 154/2018 binds Norway to GDPR + ECJ jurisprudence via EFTA Court.

Coordination body

Personvernnemnda · Privacy Appeals Board
Independent appeals body — reviews Datatilsynet decisions before judicial review at Oslo District Court. Functionally equivalent to a specialist administrative tribunal.
  • 2021-12-13 · Grindr — adtech consent — Datatilsynet final decision (€6.5M / NOK 65M): Grindr shared user data including sexual-orientation signals with adtech partners without valid consent. Confirmed special-category data treatment for app-derived inferences.
  • 2023-08-14 · Meta behavioural advertising — Datatilsynet imposed temporary ban on Meta's behavioural ads in Norway (NOK 1M/day coercive fine) — first national-level injunction against Meta in Europe before EDPB Article 66 binding decision.
  • 2024-09 · OpenAI ChatGPT — Datatilsynet investigation into ChatGPT training-data lawfulness and Art 16 rectification rights — coordinated with Italian Garante and EDPB ChatGPT taskforce.

Notable enforcement

Norway punches above its weight in EEA enforcement. Datatilsynet's Grindr decision (Dec 2021) was the first major EEA fine for the adtech-ecosystem consent gap and set persuasive precedent for subsequent EU actions (Belgian APD vs IAB Europe TCF, Irish DPC vs Meta). The Meta behavioural-advertising injunction (Aug 2023) — NOK 1M/day coercive fine — preceded the EDPB's Article 66 binding decision and demonstrated that an EEA non-EU regulator can move faster than the GDPR One-Stop-Shop where local users are at risk. Fines are issued in NOK; the EUR figures cited are conversions at the date of decision.

  1. 2021-12 · €6.5M · Grindr LLC · Datatilsynet · Art 6, 9 · stood

    App shared user data (including sexual-orientation inference) with adtech partners without valid consent. First major EEA fine for the adtech-ecosystem consent gap; confirmed special-category treatment for app-derived inferences. NOK ~65M.

  2. 2023-07 · €400k · Aktiv Kapital / Lindorff · Datatilsynet · Art 5, 6 · stood

    Debt-collection retention beyond purpose limitation; insufficient deletion routines. NOK 4M.

  3. 2020-01 · €250k · Disqus Inc. · Datatilsynet · Art 6, 13, 14 · stood

    Tracked non-users on Norwegian publisher sites without lawful basis or transparency; pre-DPF Schrems II concerns also flagged. NOK 2.5M.

  4. 2022-03 · €250k · Argon Medical Devices · Datatilsynet · Art 32, 33 · stood

    Inadequate breach response and security measures after ransomware incident affecting employee data. NOK 2.5M.

GA4 status

Datatilsynet aligns with the broader EU Datenschutzkonferenz / CNIL posture: GA4 is usable in Norway only with prior, explicit, granular consent under Ekomforskriften § 7-3a + GDPR Art 6. After the EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Datatilsynet has not issued a Norway-specific Google Analytics decision, but its Grindr precedent and Schrems II hawkishness signal that default deployments without consent will not survive scrutiny.

DPA · Stance
Datatilsynet · Permissive post-DPF — transfers lawful with DPF + explicit consent + documented TIA. Cookieless / EU-residency variants (Plausible, Matomo) are the lowest-risk defaults.

Cross-border transfers + Schrems II

Norway+EU adequacy via EEA Agreement — intra-EEA transfers are unrestricted. Post-DPF (10 Jul 2023) Datatilsynet accepts adequacy for DPF-certified US importers. Datatilsynet was an early Schrems II hawk pre-DPF (Disqus 2020) and continues to expect documented Transfer Impact Assessments + supplementary measures for non-DPF US recipients.

EU 2021/914 SCCs apply directly via EEA. When DPF certification is absent or revoked, controllers must execute SCCs + TIA + supplementary measures. Datatilsynet scrutinizes Module 2 (controller-processor) onward-transfer clauses in line with EDPB Recommendations 01/2020.

Employee data

Key thresholds

Child consent age: 13 years
Article 27 representative: Required
Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Norway in the EU?
No. Norway is an EEA member (European Economic Area) but not an EU member state. GDPR nevertheless applies in Norway via EEA Joint Committee Decision 154/2018, in force 20 July 2018. ECJ jurisprudence binds Norway through the parallel EFTA Court. For practical analytics purposes, Norway is treated as an EU country — including intra-EEA transfer freedom and the EU-US Data Privacy Framework adequacy.
Is Google Analytics legal in Norway in 2026?
Yes, conditionally. GA4 is usable in Norway only with prior, explicit, granular consent under Ekomforskriften § 7-3a (the Norwegian transposition of ePrivacy Art 5(3)). After the EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Datatilsynet has not issued a Norway-specific Google Analytics decision, but its Schrems II precedents signal that default deployments without consent will not survive scrutiny.
What was the Grindr fine and why does it matter?
In Dec 2021 Datatilsynet imposed a €6.5M (NOK 65M) fine on Grindr LLC for sharing user data — including sexual-orientation inference — with adtech partners without valid consent. It was the first major EEA fine for the adtech-ecosystem consent gap and set persuasive precedent for the Belgian APD vs IAB Europe TCF decision (2022) and the Irish DPC vs Meta decisions (2023). Practical takeaway for analytics: app-derived inferences can become Art 9 special-category data, and 'we asked the SDK' is not valid consent.
What is the child-consent age in Norway?
13 — one of the lowest GDPR-derogation thresholds in Europe (alongside Sweden, Finland, Denmark). Personopplysningsloven § 5 lowered the default GDPR age of 16 to 13. For Information-Society services targeting under-13s in Norway, parental authorization is still required. The 13-year line aligns Norway with the US COPPA standard but is below the German (16) baseline — relevant if your CMP age-gate uses a single EU-wide threshold.
Which language must my privacy notice be in?
Norwegian (bokmål or nynorsk) for Norwegian-targeted sites. Datatilsynet expects notices in a language the data subject understands; English-only is acceptable for clearly international services but insufficient when targeting signals are Norwegian (.no domain, NOK pricing, Norwegian-language marketing). Both bokmål and nynorsk are legally equivalent — most controllers publish in bokmål.
Do I need a Norwegian Article 27 representative?
Yes, if you are a non-EEA controller offering goods/services to or monitoring behavior of people in Norway, unless the small-business exception in GDPR Art 27(2) applies. The representative can be located in Norway or in any other EEA state. Datatilsynet has actively pursued non-designation cases.
How does Norway differ from EU member states for data transfers?
It doesn't, in practical terms. EEA Agreement extends EU adequacy decisions, SCCs, and DPF to Norway automatically. Intra-EEA transfers (Norway ↔ Germany, Norway ↔ France, etc.) are unrestricted. Transfers to non-EEA third countries follow the same Chapter V rules as EU member states. Datatilsynet was an early Schrems II hawk pre-DPF (Disqus 2020) and remains stricter than the EU median on TIA documentation.
Is 'legitimate interest' a valid basis for analytics in Norway?
No, for non-essential analytics that store or read on terminal equipment. Ekomforskriften § 7-3a is independent of GDPR Art 6 — it requires consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 7-3a governs the cookie/tracking layer; GDPR governs subsequent processing. Datatilsynet's Meta behavioural-advertising injunction (Aug 2023) confirmed legitimate-interest is not curative for adtech-style processing.
What about the Arbeidsmiljøloven and analytics tools?
Norway's Working Environment Act (Arbeidsmiljøloven) chapter 9 sets strict limits on workplace surveillance: written-notice requirement to all monitored staff, mandatory union/employee consultation before deployment, and a documented necessity-and-proportionality assessment. This applies on top of GDPR consent and is independent of it — relevant for Hotjar on internal dashboards, productivity-tracking pixels, and any server-side logging of staff behavior.
Does Datatilsynet enforce harder than EU DPAs?
On adtech and behavioural advertising, yes. Grindr (Dec 2021), the Meta behavioural-ads injunction (Aug 2023, NOK 1M/day before EDPB Art 66 binding decision), and the Disqus tracking case (Jan 2020) demonstrate that Datatilsynet moves earlier and more decisively than the GDPR One-Stop-Shop on cross-border issues affecting Norwegian users. On routine analytics deployments with proper consent + DPF + cookieless defaults, Datatilsynet is in line with EU median posture.
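
Added example (not part of the original reference, and not any vendor's or regulator's code): a tag-inventory audit that applies the § 7-3a reading given in the legitimate-interest answer and the server-side vendor notes above. The tag names, field names and the choice of "functional" as the only exempt category are assumptions made for illustration.

```javascript
// Constructed sample inventory; every name and field here is hypothetical.
const TAGS = [
  { name: "session-cookie", category: "functional", usesDeviceStorage: true, claimsStrictlyNecessary: true,  claimedBasis: "none",                route: "browser",     firesBeforeConsent: true  },
  { name: "web-analytics",  category: "analytics",  usesDeviceStorage: true, claimsStrictlyNecessary: true,  claimedBasis: "legitimate-interest", route: "browser",     firesBeforeConsent: true  },
  { name: "ad-pixel",       category: "marketing",  usesDeviceStorage: true, claimsStrictlyNecessary: false, claimedBasis: "consent",             route: "browser",     firesBeforeConsent: false },
  { name: "ss-collector",   category: "analytics",  usesDeviceStorage: true, claimsStrictlyNecessary: false, claimedBasis: "consent",             route: "server-side", firesBeforeConsent: true  },
];

// Assumption: only core site function can use the strictly-necessary exception;
// analytics and marketing tags cannot self-declare into it.
const EXEMPT_CATEGORIES = new Set(["functional"]);

// The cookie layer applies when a tag stores or reads on the device.
// The claimed GDPR lawful basis is deliberately ignored here.
function requiresConsent(tag) {
  if (!tag.usesDeviceStorage) return false; // later processing still needs a GDPR basis
  return !(tag.claimsStrictlyNecessary && EXEMPT_CATEGORIES.has(tag.category));
}

// Granular gate: a consent-requiring tag fires only if its own category was accepted.
function mayFire(tag, consent) {
  return !requiresConsent(tag) || consent[tag.category] === true;
}

// Flag tags that need consent but are configured to load before it is given.
function auditInventory(tags) {
  const findings = [];
  for (const tag of tags) {
    if (!requiresConsent(tag) || !tag.firesBeforeConsent) continue;
    const reasons = ["fires before consent"];
    if (tag.claimedBasis === "legitimate-interest") {
      reasons.push("legitimate interest does not replace consent at the cookie layer");
    }
    if (tag.claimsStrictlyNecessary) {
      reasons.push("strictly-necessary claim rejected for category " + tag.category);
    }
    if (tag.route === "server-side") {
      reasons.push("server-side routing does not remove the need to gate the browser-side ping");
    }
    findings.push({ name: tag.name, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditInventory(TAGS), null, 2));
```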

// EDITORIAL · NOT LEGAL ADVICE This page summarises Norway's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.