IMY resources
The Swedish data protection authority and your website
A summary of what IMY has said about Google Analytics, Schrems II and cookies. With concrete advice for Swedish sites, municipalities and regions.
The key point in one sentence
The Swedish data protection authority (IMY) has not explicitly banned Google Analytics 4, but after Schrems II it has consistently recommended that Swedish public bodies look for EU-based alternatives without third-country transfers.
What applies per sector
Private Swedish companies
GA4 is technically legal via the DPF. But the cookie banner requirements under ePrivacy still apply. The most common IMY enforcement cases in 2025-2026 concern incorrectly implemented cookie banners.
Municipalities, regions and government agencies
IMY guidance recommends EU-based alternatives. Many municipalities have already switched. Spårlös and similar services work in public sector procurement without any exemption.
Healthcare and health
Personal data within healthcare is handled under the Patient Data Act (PDL) in addition to GDPR. Third-country transfer of visitor statistics via GA4 is problematic even for public health sites. Use EU hosting.
Schools and education
The Swedish National Agency for Education has issued guidance on children's personal data. Cookie-based analytics services on web pages aimed at children should be avoided. Cookie-free analytics solves the problem.
SaaS companies with EU customers
Many B2B customers will ask in vendor questionnaires whether you use GA4. Answering no is an increasingly common soft competitive advantage.
External resources
- IMY official guidance on cookies
Official Swedish guidance on how cookies must be handled under ePrivacy.
- IMY official guidance on cloud services
How third-country transfers should be assessed after Schrems II.
- NOYB GA4 enforcement cases
Max Schrems organisation, which has pursued several GA-related enforcement cases against EU companies.
- EDPB on the EU-US Data Privacy Framework
The European Data Protection Board position on the DPF.
This is not legal advice. If you are unsure about your specific case, consult a lawyer or IMY directly.
Common questions
Is GA4 illegal in Sweden?+
No, not explicitly. But it is legally fragile and IMY recommends EU-based alternatives for the public sector. Private parties can use GA4 via the DPF but still need a compliant cookie banner and an updated privacy policy.
How quickly can IMY fine for incorrect GA4 use?+
IMY has historically focused its fines on the larger mistakes (massive unauthorised sharing, incorrect consent collection). The likelihood of a fine for GA4 use alone is low today, but the risk of a cookie banner fine is high if the banner is not compliant.
What does Spårlös do to solve this?+
We set no cookies on your visitors, so no banner is required and there is no risk of a cookie banner fine. We store all data in the EU, so there is no third-country transfer and no Schrems II risk. We provide a Swedish DPA, which means faster procurement.
Can I run Spårlös and GA4 in parallel?+
Yes, many customers start that way to compare the numbers for 48 hours. But running both does not remove the cookie banner requirement, so most remove GA4 once they have confirmed that Spårlös works.
Procurement ready today
Spårlös is built for Swedish procurement. A Swedish DPA, billing in SEK with F-skatt, ISO 27001-certified EU infrastructure.