23 October 2003

Kristina Walles

The Swedish Electronic Communications Act, which entered into force on 25 July 2003 (the “Act”), requires visitors/users of a website to be informed about the use of cookies on the website. If such information is not presented, the website will be violating the Act.

Cookies are frequently used by websites, inter alia, to monitor visitors browsing the website or to provide certain functions to the users. A cookie is a small text file, which is saved by the website on the website visitor’s computer. Cookies can be of different types. One type of cookie is saved on the visitor’s computer for a longer period of time as an identification instrument in order to provide the visitor with information concerning, for example, what is new on the website the next time the visitor pays a visit to that website. Another type of cookie is only saved temporarily on the visitor’s computer during the visitors session on that particular website. So called “session cookies” are used in order to monitor and to keep track of the visitors movements on the website.

Section 18, Chapter 6 of the Act states as follows:

Electronic communication networks may be used to store or gain access to information that is stored in the subscriber’s or user’s terminal equipment only if the subscriber or user receives information from the controller of personal data about the purpose of the processing and is given an opportunity to impede such processing. This does not prevent such storage or access that is required to perform and facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the user or subscriber has expressly requested.”

The Act does not prohibit the use of cookies and does not require any approval of the visitor to the use of cookies. However, it does require the visitor to the website to be informed of the following:

  • whether the website uses cookies,
  • what the cookies are used for, and
  • how the cookies can be avoided.

The Act requires this information to be clearly stated on the website. It does not require the information to be presented to visitors before entering the website.

Under the EC Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector all Member States of the EU will be required, inter alia, to implement similar legislation on the use of cookies.

Following the coming into force of the Act, it has been reported in the Swedish press that, inter alia, some of the Swedish parliamentary parties and even the National Swedish Judiciary Administration have failed to provide information regarding the use of cookies on their websites and consequently to comply with the provisions in the Act.

The Swedish National Telecom Agency has been given the task of supervising the market’s compliance with the Act. In order to be able to fulfil its role as the supervising authority, the Telecom Agency has been given the power to issue injuctions in relation to websites not following the Act. Such injuctions may be combined with fines. As a final measure, in case of non-compliance, the Telecom Agency has been authorised to prohibit non-compliant operators in pursuing their activities over the Internet. However, such prohibitions may not be issued if the violation of the Act is deemed to be of lesser importance. A violation of the provision in the Act requiring websites to provide information regarding cookies may, in cases of wilful misconduct or negligence, be considered as a criminal offence resulting in an obligation to pay monetary fines.

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.