The Electronic Communications Act (LEK)

The Electronic Communications Act (LEK)

The Electronic Communications Act, known as LEK (Lagen om elektronisk kommunikation) in Sweden, governs how electronic communications services and networks operate. For digital marketers, the most relevant sections deal with the rules around cookies and similar tracking technologies. Understanding LEK is essential for any company operating a website or digital service in Sweden, as non-compliance can result in enforcement actions from the Swedish Authority for Privacy Protection (IMY).

Background and Purpose

LEK implements the EU's Electronic Communications Directives into Swedish law. The legislation covers a broad range of topics related to electronic communications, but for website operators and digital marketers, the cookie provisions are by far the most impactful. The law was significantly updated in 2022 to better align with EU requirements and to strengthen the consent requirements for cookies and similar tracking technologies.

The purpose of the cookie provisions in LEK is to protect user privacy by ensuring that individuals have control over what information is stored on and accessed from their devices. The legislation recognizes that while some cookies are essential for providing services users have requested, others are used for purposes like advertising and analytics that require the user's informed consent.

What LEK Requires

LEK requires that website operators inform visitors about what cookies are being used and their purpose. Critically, it also requires obtaining consent before storing or accessing information on a user's device, with limited exceptions for cookies that are strictly necessary for providing a service the user has requested. This consent must be informed, specific, and freely given.

The consent requirements under LEK mean that your website must:

• Present clear information about each category of cookies before they are set.
• Allow users to accept or reject non-essential cookies before any non-essential cookies are placed.
• Provide the ability to withdraw consent at any time, and make withdrawal as easy as giving consent.
• Not condition access to the website on accepting non-essential cookies (known as "cookie walls"), unless specific conditions are met.
• Document and store records of consent to demonstrate compliance if questioned.

How LEK Relates to GDPR

LEK and GDPR work together but address different aspects of data protection:

• LEK governs the act of placing cookies on a device (the storage and access of data on a user's terminal equipment).
• GDPR governs the processing of personal data that may be collected through those cookies.
• Both regulations apply simultaneously, meaning you need to comply with LEK's consent requirements for cookies and GDPR's requirements for processing any personal data those cookies collect.
• The consent standard under LEK aligns with GDPR's definition of consent: it must be a freely given, specific, informed, and unambiguous indication of the user's wishes.

In practice, this dual requirement means that a single, well-implemented consent management solution can address both LEK and GDPR obligations, provided it meets the stricter requirements of both frameworks.

Practical Compliance Steps

Implement a cookie consent banner that clearly explains what cookies your site uses and why. Ensure that non-essential cookies are not loaded until the user gives consent. Maintain a cookie policy that describes each cookie, its purpose, its provider, and its duration. Review your setup regularly, as both the regulatory landscape and your website's cookie usage can change over time. The EDPB regularly publishes guidance that influences how these rules are interpreted.

Use a reputable consent management platform (CMP) that is regularly updated to reflect changes in regulatory requirements. Test your implementation to verify that cookies are actually blocked before consent is given, as many implementations have technical gaps where cookies fire despite the banner being in place. Schedule periodic audits to catch any new cookies that may have been introduced through website updates or third-party integrations.

Enforcement and Consequences

Non-compliance with LEK can result in enforcement actions from IMY, including orders to cease non-compliant practices and financial penalties. The enforcement landscape has become more active in recent years, with increased scrutiny of how Swedish websites handle cookie consent. Treating cookie consent as a legal requirement rather than a suggestion is important, both for regulatory compliance and for building trust with your users.