Sweden's data protection authority, Integritetsskyddsmyndigheten (IMY), has steadily increased its enforcement activity throughout 2025. What was once considered a relatively lenient regulator has become one of the EU's most technically focused DPAs, with a particular emphasis on cookie compliance and automated tracking technologies.
The shift began in late 2024 when IMY published updated guidance on the interpretation of the ePrivacy Directive as transposed into Swedish law (LEK). The guidance made clear that analytics cookies, advertising pixels, and fingerprinting scripts all require prior informed consent — a position that, while consistent with CJEU case law, caught many Swedish organizations off guard.
Per IMY's published enforcement record (imy.se/tillsyner/), audits of public-sector websites and major e-commerce platforms have repeatedly found tracking deployed before valid consent. Common patterns include pre-ticked consent boxes, cookie walls that condition access on consent, and reject buttons hidden behind multiple clicks. See EDPB Cookie Banner Taskforce Report (Jan 2023) for the EU-wide pattern documentation.
Enforcement actions follow a tiered escalation pattern under GDPR Art 58. Initial violations may result in a formal reprimand with a compliance deadline (Art 58(2)(b)). Continued non-compliance can escalate to administrative fines under Art 83. Per Vakteye's curated Swedish enforcement records (scripts/data/swedish-enforcement-cases.ts), Swedish IMY fines for cookie/consent violations range from SEK 300,000 (CDON, Dagens Industri 2023) to SEK 58 million (Spotify, DI-2021-2318).
For businesses operating in Sweden, the message is clear: self-assessment is no longer sufficient. IMY expects organizations to conduct regular technical audits of their cookie implementations, maintain evidence of consent collection mechanisms, and demonstrate that reject options are as accessible as accept options. The authority has specifically noted that it uses automated scanning tools in its preliminary assessments — meaning your website's compliance posture is being evaluated even before a formal investigation begins.
IMY has signaled that 2026 enforcement priorities will expand to include cross-border data transfers (particularly to US-based analytics providers) and AI systems that process personal data. Organizations should prepare by reviewing their data flows, updating Data Protection Impact Assessments, and testing that their cookie consent implementations withstand automated scrutiny.