Tags: GDPR, Privacy, Web Development, Norwegian Law

GDPR and Privacy on Norwegian Websites: What You Actually Need to Have in Place

16 April 2026 · 8 min read · Bendik Krause

Every website handles personal data — most don't know how

You don't need to run an online store to be subject to GDPR. Do you have a contact form? Google Analytics? A cookie that remembers a user's preferences? Then you are processing personal data — and the regulation applies to you.

GDPR (General Data Protection Regulation) became Norwegian law in 2018 through the Personal Data Act, and the Norwegian Data Protection Authority (Datatilsynet) enforces it actively. The fines are not symbolic: in 2023, Grindr received a fine of 65 million NOK. Company size provides no immunity — Datatilsynet has fined municipalities, health authorities, and sole traders alike.

The good news: becoming compliant is not rocket science. But it does require you to actually do something.

What GDPR is really about

The core of GDPR is simple: you may only collect personal data for which you have a lawful basis, you must tell users what you are doing, and they have the right to ask you to delete their data.

Personal data is broader than most people realise. It includes:

  • Name and email address (contact form)
  • IP addresses (web server logs, analytics tools)
  • Cookies that can be linked to an individual
  • Device and browser information (via analytics services)
  • Geolocation

In other words: almost everything a modern website collects qualifies as personal data.

The five things your website actually needs

1. A privacy policy that actually explains something

A privacy policy is legally required — but copying a generic template from the internet is not enough. It must specifically explain:

  • Who is the data controller? (name, address, organisation number)
  • What data is collected? (be specific: email, IP address, cookie data)
  • What is it used for? (responding to enquiries, analysing traffic, etc.)
  • What is the legal basis? (consent, legitimate interest, contract)
  • How long is it stored? (not "as long as necessary" — be specific)
  • Who is it shared with? (Google, email provider, hosting provider)
  • What rights does the user have? (access, correction, deletion, data portability)
  • Who can they contact with complaints? (Datatilsynet, and your contact details)

The policy must be written in clear, plain language — not legal jargon.

2. Correct cookie handling

This is where most websites fail. There are two categories of cookies:

Necessary cookies — do not require consent. These are cookies strictly required for the website to function: session cookies, shopping cart, login status.

Non-necessary cookies — require explicit consent before they are set. This includes:

  • Analytics cookies (Google Analytics, Hotjar, Plausible)
  • Marketing cookies (Meta Pixel, Google Ads)
  • Personalisation and preference cookies

A cookie banner with only an "OK" button is not sufficient. Users must be able to decline cookies just as easily as they can accept them. Pre-ticked consent boxes are not valid under GDPR.

3. Contact forms with minimal data collection

A contact form asking for name, email and message is perfectly fine — but be aware of:

  • Don't collect more than necessary. Do you really need a phone number, company name and job title to respond to an enquiry?
  • Explain what you do with the data. A line beneath the form — "Your data is used solely to respond to your enquiry" — is not sufficient on its own, but it is good practice.
  • Set a retention limit. You cannot keep contact form emails indefinitely. Set an internal policy — for example, delete enquiries older than 12 months.
  • Secure transmission. The form must be submitted over HTTPS (a valid TLS certificate, still commonly called an SSL certificate), never over plain-text HTTP.

4. Data processing agreements with third-party providers

Do you use Google Analytics, Mailchimp, HubSpot, a Norwegian email provider, or a hosting service? These providers process personal data on your behalf — and GDPR requires you to have a written Data Processing Agreement (DPA) with each of them.

Most major providers offer standard DPAs within their terms of service. Google Workspace has one. Mailchimp has one. You need to actively accept these — they do not activate automatically.

For a typical Norwegian SMB website, the list might look like this:

| Service | What they process | DPA available? |
|---|---|---|
| Google Analytics | Behavioural data, IP addresses | Yes (Google Ads / Analytics) |
| Google Workspace / Gmail | Email content | Yes |
| Vercel / Netlify | Server logs, IP addresses | Yes |
| Mailchimp | Email lists, open rates | Yes |
| Stripe | Payment data | Yes |

5. Procedures for handling data subject rights

GDPR gives users concrete rights. You need a way to handle them:

  • Right of access: the user can request to see all data you hold about them
  • Right to rectification: incorrect data must be corrected
  • Right to erasure ("right to be forgotten"): the user can request deletion of their data
  • Data portability: data must be deliverable in a machine-readable format

You don't need a sophisticated technical solution — but you do need an email address or form where people can submit such requests, and an internal procedure for responding within 30 days.

Google Analytics: The big question

Google Analytics is the most widely used analytics tool on Norwegian websites — and it's also the one most commonly handled incorrectly.

GA4 (the current version) sends behavioural data to Google's servers in the US. This is lawful in principle with the correct DPA and consent in place, but you cannot load Google Analytics without consent. Your cookie banner must block GA until the user has accepted.

Alternatives many are now choosing:

  • Plausible — EU-hosted, cookie-free, GDPR-compliant by default
  • Fathom — similar, privacy-focused
  • Umami — open source, self-hosted alternative

These provide traffic insights without requiring cookie consent, because they do not set identifying cookies.
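As an added example (not code from the original post) of the consent gating described in section 2 and in the Google Analytics section above: a small loader that reads the stored consent decision, treats a missing or malformed value as "no consent", records accept and decline through the same single step, and injects the GA4 tag only after an explicit analytics opt-in. The cookie name `cookie_consent`, the `G-XXXXXXXX` measurement id placeholder and the 180-day consent lifetime are assumptions.

```javascript
// Added example (not from the original post): load analytics only after explicit opt-in.
// Constructed names: consent cookie "cookie_consent", GA4 id placeholder "G-XXXXXXXX".
const CONSENT_COOKIE = "cookie_consent";
const GA_MEASUREMENT_ID = "G-XXXXXXXX"; // placeholder: substitute your own id

// Scripts that set non-necessary cookies and therefore wait for consent. Necessary
// cookies (session, cart, login) need no entry here: they require no consent.
const GATED_SCRIPTS = {
  analytics: `https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`,
};

// Read the stored decision from a document.cookie-style string. A missing or
// malformed cookie means "not decided", never "accepted": silence is not consent.
function parseConsent(cookieString) {
  const undecided = { decided: false, analytics: false };
  const entry = cookieString.split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return undecided;
  try {
    const v = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    return { decided: true, analytics: v.analytics === true };
  } catch {
    return undecided;
  }
}

// Only categories explicitly set to true unlock a script (a string "yes" does not).
function permittedScripts(consent) {
  return Object.entries(GATED_SCRIPTS)
    .filter(([category]) => consent[category] === true)
    .map(([, src]) => src);
}

// Record a decision. Accept and decline go through this same single call, so declining
// is as easy as accepting. The 180-day Max-Age is an assumption; document what you pick.
function consentCookieValue(choice) {
  const v = encodeURIComponent(JSON.stringify({ analytics: choice.analytics === true }));
  return `${CONSENT_COOKIE}=${v}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Browser side: inject only permitted scripts into <head>; returns them (no-op in Node).
function applyConsent(consent) {
  const srcs = permittedScripts(consent);
  if (typeof document !== "undefined") {
    for (const src of srcs) {
      document.head.appendChild(Object.assign(document.createElement("script"), { async: true, src }));
    }
  }
  return srcs;
}
```

Call `applyConsent(parseConsent(document.cookie))` on page load and again right after the user clicks accept or decline; until the analytics flag is true, the GA4 script is never requested.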

A common mistake: "We have nothing to hide, so we don't need to worry"

GDPR is not about having something to hide. It's about handling other people's data with respect and transparency — and being able to document that you do so.

Datatilsynet can request documentation: what do you collect? Why? Who has access? How long is it stored? If you cannot answer these questions, you are not compliant — regardless of whether you have done anything "wrong" with the data.

Practical checklist for Norwegian websites

Use this as a starting point:

  • [ ] Privacy policy is published and is specific to your website
  • [ ] Cookie banner blocks non-necessary cookies before consent
  • [ ] Users can decline cookies just as easily as they can accept them
  • [ ] Contact form collects only necessary information
  • [ ] HTTPS is active (padlock icon in the address bar)
  • [ ] Data processing agreement accepted with all relevant providers
  • [ ] There is a way for users to request access or deletion
  • [ ] Internal procedure for responding to such requests within 30 days
  • [ ] Retention limits are defined (how long are contact enquiries stored?)
  • [ ] Analytics tools are not loaded without consent (or use a privacy-first alternative)

Need help?

GDPR compliance is not a one-time action — it's a state your website is either in or not in. A review of your current website typically takes only a few hours, but gives you documentation and peace of mind.

Get in touch if you would like a technical review of what your website actually processes, and what should be adjusted.

Frequently asked questions

Does GDPR apply to my small Norwegian business? Yes. GDPR applies to all businesses that process personal data about individuals in the EU/EEA — regardless of size. There are some simplifications for very small organisations, but these do not exempt you from the core requirements.

What happens if I'm not compliant? Datatilsynet can issue warnings, orders to stop processing, and fines of up to 4% of global annual turnover (or €20 million for serious breaches). In practice, most cases begin with guidance or a warning, but fines do occur — particularly following complaints from users.

Do I need a cookie banner if I don't use Google Analytics? If you only use technically necessary cookies (session cookies, non-identifying preference cookies), you do not need a consent banner. You should still have a privacy policy explaining this.

Is it enough to copy a free privacy policy template? No — or at least not on its own. The template must be adapted to what your website actually does. A generic template that doesn't mention the services you use doesn't give users the information they are entitled to.

What is the difference between a privacy policy and a cookie policy? A privacy policy covers all processing of personal data on the site. A cookie policy focuses specifically on which cookies are set, what they do and how long they last. Many choose to combine the two in a single document — that is perfectly acceptable.