
Cookies and tracking before consent — what is allowed?

May a website set cookies before the visitor has answered the banner? The main rule is no — anything that is not strictly necessary for the service requires consent first. The rule covers more than cookies: all storage of and access to information on the visitor's device — localStorage, tracking pixels and fingerprinting techniques — is treated the same way. And the requirement does not stop at the banner: a "reject all" must be respected in practice, not merely recorded.

ePrivacy art. 5.3 · LEK chapter 9 section 28 · GDPR art. 7

What does the law say?

The base rule comes from article 5.3 of the ePrivacy Directive, implemented in Sweden in the Electronic Communications Act (LEK), chapter 9 section 28: storing information on the visitor's device, or reading information already there, requires consent. The exemption covers what is strictly necessary to deliver the service the visitor has requested. The technology is irrelevant — cookies, localStorage, pixels and fingerprinting are all covered alike.

What counts as valid consent is governed by the GDPR: it must be freely given, specific, informed and unambiguous (article 4.11), and it must be as easy to refuse as to give (article 7). The EU Court of Justice ruled in Planet49 (C-673/17, 2019) that pre-ticked boxes do not qualify — the visitor must make an active choice. Until that choice is made, the main rule applies: no non-essential cookies, no tracking requests.

In Sweden, supervision is split: PTS (the Swedish Post and Telecom Authority) oversees the cookie rule in LEK, and IMY (the Swedish Authority for Privacy Protection) oversees the GDPR side when the tracking processes personal data — which in practice it almost always does.

Which cookies can be set without consent?

Strictly necessary cookies may be set right away: session cookies that keep the visitor logged in, the cart in a web shop, language preferences, security and load-balancing cookies. What they have in common is that the service the visitor asked for does not work without them.

"Necessary" is a legal assessment, not a label you pick yourself in the consent tool. Analytics cookies are the clearest example: the statistics may feel necessary for the business, but they are not necessary to deliver the service to the visitor — so they require consent. A "necessary" category containing analytics or marketing cookies makes the whole consent setup misleading.

Iframes and embedded content

Embedded videos, maps and social media feeds are an easy channel to overlook. A standard YouTube or Google Maps iframe often sets third-party cookies the moment the page loads — before the visitor has even seen the banner. That the content comes from someone else does not shift the responsibility: it is your website that loads it.

The solution is not to load the iframe until the visitor has consented — either through the consent tool's blocking, or with a two-click solution (facade): a still image or placeholder is shown first, and the actual embed loads when the visitor clicks.

Common failures we measure

  • Google Tag Manager or GA4 loads before the banner is answered — the tags fire on the first page view, regardless of what the visitor then chooses.
  • Tracking requests go out even though the visitor clicked "reject all" — the banner records the choice but does not control what actually runs.
  • Cookies are set after consent was rejected, often by scripts outside the consent tool's control.
  • Iframes for video, maps and social media load directly on page load, third-party cookies included.
  • The "necessary" category contains analytics cookies — which are then always set, both before and after a no.

How CompliantHQ tests this

The scanner visits the website in a real browser in three modes: without touching the banner, after clicking reject, and after clicking accept. In each mode it measures which cookies are actually set and which network requests are actually sent — a deterministic measurement of real behaviour, not a self-declaration from the consent tool.

You see whether non-essential cookies are set before consent, whether tracking requests go to third parties before the visitor has answered, whether third-party iframes load straight away — and whether a no is actually respected. The measurement is already included in the trial.
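As an added illustration of what a three-mode measurement has to decide (this is not CompliantHQ's scanner code), the snippet below takes the cookies and request URLs captured in each mode and applies the three checks the page describes. The necessary-cookie list, the tracker host list and the sample scan are all constructed for the example; a real run would take the first from the site's own configuration and the rest from a browser automation session.

```javascript
// Added example, not CompliantHQ's scanner: evaluate a three-mode measurement
// (no interaction, reject, accept) against the checks described on the page.
// Lists and sample data below are constructed assumptions, not real scan output.

const NECESSARY_COOKIES = new Set(["sessionid", "cart", "lang", "csrftoken"]);

// Hosts that receive analytics/advertising traffic. Constructed, not a complete list.
const TRACKER_HOSTS = new Set([
  "www.google-analytics.com",
  "analytics.google.com",
  "www.googletagmanager.com",
  "connect.facebook.net",
]);

// Constructed sample measurement: cookies in the jar and URLs requested, per mode.
const SAMPLE_SCAN = {
  noInteraction: {
    cookies: ["sessionid", "lang", "_ga", "_ga_PLACEHOLDER"],
    requests: [
      "https://shop.example/",
      "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
      "https://www.google-analytics.com/g/collect?v=2",
    ],
  },
  reject: {
    cookies: ["sessionid", "lang", "_ga", "_ga_PLACEHOLDER", "_fbp"],
    requests: ["https://shop.example/", "https://connect.facebook.net/en_US/fbevents.js"],
  },
  accept: {
    cookies: ["sessionid", "lang", "_ga", "_ga_PLACEHOLDER", "_fbp"],
    requests: ["https://shop.example/", "https://www.google-analytics.com/g/collect?v=2"],
  },
};

const hostOf = (url) => new URL(url).hostname;

// Anything not on the strictly-necessary list needs consent; the label in the
// consent tool plays no part in this decision.
function nonEssentialCookies(cookies, necessary = NECESSARY_COOKIES) {
  return cookies.filter((name) => !necessary.has(name));
}

// Requests whose destination is a known analytics/advertising host.
function trackerRequests(requests, trackers = TRACKER_HOSTS) {
  return requests.filter((url) => trackers.has(hostOf(url)));
}

// Returns one finding per failed check; an empty array means the site passed.
function evaluateScan(scan, { necessary, trackers } = {}) {
  const findings = [];
  const add = (check, mode, items) => {
    if (items.length) findings.push({ check, mode, items });
  };

  // Check 1: no non-essential cookies before the visitor has answered.
  add("cookies-before-consent", "noInteraction",
      nonEssentialCookies(scan.noInteraction.cookies, necessary));
  // Check 2: no tracking requests to third parties before consent.
  add("tracking-before-consent", "noInteraction",
      trackerRequests(scan.noInteraction.requests, trackers).map(hostOf));
  // Check 3: no cookies set after the visitor rejected.
  add("cookies-after-reject", "reject",
      nonEssentialCookies(scan.reject.cookies, necessary));
  // A "no" that is recorded but not enforced on the wire is the same failure seen in traffic.
  add("tracking-after-reject", "reject",
      trackerRequests(scan.reject.requests, trackers).map(hostOf));
  // The accept mode is not a failure on its own: it shows what the tags do once allowed,
  // which is useful as a baseline when reading the other two modes.
  return findings;
}
```

Running `evaluateScan(SAMPLE_SCAN)` on the constructed data yields four findings, one per failed check; the same function on a site whose no-interaction and reject modes contain only the session cookie and first-party requests yields none.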

How to fix it

  • Load tracking scripts only after consent — through the consent tool's blocking (automatic or manual tagging) or with correctly configured Consent Mode for Google's tags.
  • Check the load order: the consent tool must run before Tag Manager and other tags, otherwise they fire before the blocking is in place.
  • Replace directly embedded iframes with a two-click solution, or let the consent tool keep them blocked until the visitor consents.
  • Clean up the categories: only strictly necessary cookies in "necessary". Analytics and marketing require consent.
  • Verify after every change with an actual measurement — in the browser's network tab or with a fresh scan. The configuration can lie; the traffic does not.
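The fix list above and the iframe section earlier both come down to one mechanism: nothing non-essential is loaded until the consent state says it may be. The following is an added example of such a gate, written for this page and not taken from CompliantHQ or from any consent tool. It assumes a markup convention in which tracking scripts are authored inert (`type="text/plain"` with the real URL in `data-src`) and embeds carry `data-src` instead of `src`, so the browser loads nothing on its own; the category names, the `consent.example` host used in the load-order check and the placeholder ids are all assumptions.

```javascript
// Added example, not CompliantHQ's code or any consent tool's API: a minimal consent gate.
// Assumed markup convention (not from the page):
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
//   <iframe data-consent="marketing" data-src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
// Neither element loads anything until the gate rewrites it. Category names are assumptions.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// State before the visitor answers the banner: only "necessary" is allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Build the state from the banner's answer. "necessary" can never be switched off,
// and unknown category names are ignored rather than granted.
function consentFromChoice(accepted) {
  const state = defaultConsent();
  for (const cat of accepted) {
    if (CATEGORIES.includes(cat) && cat !== "necessary") state[cat] = true;
  }
  return state;
}

// Decide whether one gated element {kind, category} may load.
// A missing or unknown category is treated as "not consented", never as "necessary".
function mayLoad(element, consent) {
  return CATEGORIES.includes(element.category) && consent[element.category] === true;
}

// Pure version of the release step, usable for dry runs and tests.
function releaseElements(elements, consent) {
  return elements.filter((el) => mayLoad(el, consent));
}

// Load-order check: the consent tool must appear before Tag Manager / gtag in document
// order, otherwise the tags fire before the blocking exists. `scriptSrcs` is the list of
// <script src> values in the order the HTML declares them; the consent host is a placeholder.
function consentToolRunsFirst(scriptSrcs, consentHost = "consent.example") {
  const hosts = scriptSrcs.map((s) => new URL(s).hostname);
  const consentIdx = hosts.findIndex((h) => h === consentHost);
  const tagIdx = hosts.findIndex((h) => /(^|\.)googletagmanager\.com$/.test(h));
  if (tagIdx === -1) return true; // nothing to gate
  return consentIdx !== -1 && consentIdx < tagIdx;
}

// Browser-only part: rewrite gated DOM nodes once consent is known. Returns the number
// released. Guarded so the module also loads where there is no document (e.g. Node).
function applyConsentToDocument(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let released = 0;
  for (const node of doc.querySelectorAll("[data-consent][data-src]")) {
    const el = { kind: node.tagName.toLowerCase(), category: node.dataset.consent };
    if (!mayLoad(el, consent)) continue;
    if (el.kind === "script") {
      // type="text/plain" scripts are inert; swap in a real script element so it executes.
      const live = doc.createElement("script");
      live.src = node.dataset.src;
      live.async = true;
      node.replaceWith(live);
    } else {
      node.src = node.dataset.src; // assigning src is what triggers the iframe load
    }
    released++;
  }
  return released;
}

// Two-click facade: the placeholder is what the visitor sees; the real embed loads only
// when the visitor clicks it, which is an active choice for that one embed.
function attachFacade(placeholderNode, iframeNode) {
  placeholderNode.addEventListener("click", () => {
    iframeNode.src = iframeNode.dataset.src;
    iframeNode.hidden = false;
    placeholderNode.hidden = true;
  }, { once: true });
}
```

The decision logic is kept separate from the DOM rewrite so the gate can be checked without a browser: `releaseElements` and `consentToolRunsFirst` are pure functions, while `applyConsentToDocument` and `attachFacade` only touch nodes once a real document exists. The last step on the list above still applies: after wiring this up, confirm in the network tab that nothing leaves the page before the banner is answered.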

What the check covers

  • That no non-essential cookies are set before the visitor has given consent.
  • That no cookies are set after the visitor has rejected consent.
  • That no tracking requests to third parties (analytics, advertising) are sent before consent.

Common questions

May cookies be set before the visitor has given consent?

Only cookies strictly necessary for the service the visitor requested — login, cart, security. Everything else, including analytics cookies, requires consent first.

Does the consent requirement also cover localStorage, pixels and fingerprinting?

Yes. The rule in LEK covers storage of and access to information on the visitor's device, regardless of technology. Swapping cookies for localStorage or fingerprinting changes nothing.

Do analytics cookies count as necessary?

No. They may be valuable to you, but they are not necessary to deliver the service to the visitor — so they require consent. That holds even if they sit in a category labelled "necessary".

We have a cookie banner — isn't that enough?

Only if it actually controls what loads. One of the most common failures we measure is a banner that exists while the tags fire anyway — before the answer, or despite a no. Measure the real behaviour, not the banner's presence.

Want to see what we find on your site?

Run a free scan — all four modules included for 30 days, no card required.
