Dark Patterns and Cookie Banners: What the Sweden DPA Ruling Means for Your Shopify Store

If your Shopify store sells to customers in Sweden, or even if Swedish users occasionally browse your site - there’s a recent case you should know about.

In April 2025, Sweden’s Authority for Privacy Protection (Integritetsskyddsmyndigheten (IMY) in Swedish) criticized three global companies for using cookie banners that violated GDPR standards. 

Their concerns? Misleading banner designs, unclear information processing, and unclear consent flows. This is known as “dark patterns” in cookie consent.

The findings from the IMY can impact any business collecting personal data in Sweden, including Shopify stores of all sizes.

In this blog post we are going to look at what the Swedish regulator saw as not GDPR-compliant during its reviews of the companies, and also:

• Why certain cookie banner designs are now considered illegal

• What your store must do to stay compliant and avoid costly fines

• How Consentmo can help you meet all Swedish requirements easily

Let’s get into it!

What triggered the investigation?

As it is with most cases, it was due to individual complaints from users (in fact most of them outside Sweden) who argued that the websites weren’t respecting their choices when it came to cookies and data collection.

The three companies investigated were all based in Sweden, which brought them under IMY’s jurisdiction.

Each website was found to be violating a different part of the GDPR which is one of the main privacy laws active in Sweden.

Next we are going to review each violation of the companies so you can avoid making the same mistakes on your store.

Main GDPR violations from the April 2025 enforcement

Imbalanced Cookie Banner Design and Lack of Direct Reject Option

ATG, Sweden’s national horse betting company, was critisized by IMY for failing to offer users a straightforward way to reject cookies. The cookie banner prominently featured a green “Accept all cookies” button, while the only way to reject cookies was hidden behind a secondary step via the “Information and adaptation” link.

This setup meant users could accept cookies in one click but had to take multiple steps to opt out - creating what IMY referred to as an imbalanced consent flow. 

ATG had already faced scrutiny from the Swedish DPA in a previous supervision that concluded on 21 October 2021. The problem then was that “the option to accept cookies had a visually stronger contrast to the background than the option to refuse cookies.”

‍

GDPR Violations

• Article 6 GDPR – Lawfulness of processing (consent not validly obtained)
• Article 7(3) GDPR – The right to withdraw consent must be as easy as giving it

As a result, the IMY issued a formal warning to ATG.

Pre-Checked Boxes and Misleading Consent Design

Aller Media AB, a major Swedish media company behind the popular cooking website Recept.se was warned by the IMY for several serious violations related to cookie consent.

The investigation revealed that users visiting recept.se were presented with:

• Pre-checked boxes for consenting to non-essential cookies by default (like marketing) 
• A multi-step process to reject cookies, requiring navigation through layered settings
• Vague and unclear language in the cookie interface that obscured the meaning and implications of consent
• A claimed legal basis of legitimate interest for processing personal data - without explaining why this legal basis applied

‍

IMY concluded that these design choices amounted to the use of dark patterns - tactics that make it easier to accept cookies than to decline them. This undermines the GDPR principle that consent must be freely given, specific, informed, and unambiguous.

The regulator also stressed that relying on standard templates from a Consent Management Platform (CMP) provider does not excuse Aller Media AB of its legal obligations.

GDPR Violations:

• Article 6 (1) GDPR - No valid legal basis for processing (illegitimate reliance on legitimate interest)
• Article 5 (1)(a) GDPR – Failure to ensure transparency and lawfulness
• Article 13 GDPR – Failure to provide adequate information to users

Lack of Transparency and Misleading Language

Warner Music AB, a global entertainment brand with a strong presence in Sweden, was also investigated but in this case the problem was a lack of transparency, not dark patterns.

IMY found that Warner’s cookie banner:

• Did not explain the specific purposes of the cookies being used
• Failed to disclose which third parties would receive the collected data
• Omitted information about how long cookies would be stored
• Included misleading language claiming that “the functionality and performance of the Website may be impaired if you choose not to accept our use of cookies” - even though this was not true for non-essential cookies

Such statements risk forcing users into accepting cookies and weaken the legal foundation for consent. IMY made it clear that functionality warnings must be correct.

‍

GDPR Violations:

• Article 5 (1)(a) GDPR - Lack of transparency and fairness in data processing
• Article 12(1) GDPR - Failure to present information in a concise and clear manner
• Article 13 GDPR - Inadequate disclosure of essential information about the processing of personal data

What the law requires in Sweden (2025 Update)

If you’re collecting data from visitors in Sweden, your cookie banner must comply with both the GDPR and Sweden’s Electronic Communications Act (LEK). 

Together, these regulations form a strict rulebook for how cookies must be presented, explained, and managed.

• GDPR (EU Regulation) – Overlooks processing of personal data, including cookie-based tracking.
• LEK (Lagen om Elektronisk Kommunikation) – Requires prior consent for any non-essential cookies.

To meet these requirements, your cookie banner must follow 5 key rules:

Sweden's Cookie Compliance Checklist (2025)

1. Equally visible consent Options
   Both “Accept” and “Reject” options must be presented on the same level, with equal design in color, size, and position.
   
   
2. Clear and Informed Consent
   The banner must explain:
   
   • What cookies do
   • Why they are used
   • Who receives the data
   • How long data is stored

All in plain, understandable language.

3. Granular Control
   Users must be able to:
   
   • Accept or reject cookies by category
   • Adjust preferences easily
   • See detailed information before choosing
     

‍

3. Easy Withdrawal Option
   Users must be able to change or withdraw their consent just as easily as they gave it - for example through a persistent link (like Cookie Policy) or widget.
   
   
4. No Cookies Without Consent
   Non-essential cookies must not be set until the user gives explicit, affirmative consent. Pre-checked boxes and implied consent are not allowed.
   

Pro tip for Shopify merchants: If you serve Swedish or EU customers, using a highly trusted Consent Management Platform (CMP) like Consentmo helps you comply with these requirements and offers you a free compliance check

Consequences for Non-Compliance

Honestly, it is best to follow regulatory rules for consent and cookie banners, otherwise you risk:

• Official warnings
  IMY issued official reprimands to ATG, Aller Media AB, and Warner Music AB in 2025. This is often a first step before fines.
  
• GDPR Fines
  You risk having to pay up to €20 million or 4% of global annual turnover - whichever is higher. Meaning even smaller penalties can seriously impact your business.
  
• Reputational Damage
  Often cases are reported in the media and discussed within the privacy community. Merchants risk losing credibility and trust with privacy-focused users and partners.
  
• Team resources
  If you're caught off guard, you may need to stop marketing campaigns or implement emergency changes and fixes all of which take up resources from product, legal, and dev teams.

Make Cookie Compliance Easy with Consentmo

Selling to customers in Sweden or the EU? Consentmo helps Shopify merchants stay compliant with GDPR and LEK - no legal guesswork, no messy setups.

✅ Region-aware cookie banners
✅ Design control for equal accept/reject buttons
✅ Full consent logs and granular cookie control
✅ Free store compliance check

Trusted by merchants across the globe. Start for free on the Shopify App Store.

Conclusion

From hidden rejection paths to vague consent language, IMY has shown that dark patterns won't go unnoticed.

The good news? Staying compliant is not hard at all - when trusting the right tools and having a user-first mindset.

Whether you're a global brand or a newly opened Shopify store, the rules apply equally.

Don’t wait for regulation trouble to fix up your cookie banner. Get ahead, respect your visitors' choices, and keep your business legally secure - starting today.

In fact, we suggest reading more on risky banner designs - What are Dark Patterns in GDPR Compliance?