Norway Data Privacy Laws: GDPR via the EEA, Personal Data Act, and Datatilsynet (2026)

Norway enforces the full EU General Data Protection Regulation through the EEA Agreement, supplemented by the Personal Data Act (LOV-2018-06-15-38), in force since 20 July 2018. Datatilsynet, the national supervisory authority, can impose fines of up to EUR 20 million or 4% of global annual turnover for violations.
Quick Answer
Norway applies the full text of the EU General Data Protection Regulation (GDPR) through the EEA Agreement, supplemented by the Norwegian Personal Data Act of 2018. The supervisory authority is Datatilsynet, which is one of the more aggressive GDPR enforcers in Europe. Fines can reach EUR 20 million or 4% of global annual turnover. The framework is substantively identical to that of EU member states, with a handful of Norway-specific rules on children's consent, employment, and national identification numbers.
Organizations operating in Norway, or targeting Norwegian residents, must comply with the same rules as they would in any EU member state. The practical difference is structural: Norway sits outside the formal EU institutional framework, so Datatilsynet participates in the European Data Protection Board (EDPB) as an observer rather than a voting member, and the GDPR's one-stop-shop mechanism does not apply to Datatilsynet in the same way it applies to EU lead supervisory authorities.
Constitutional Foundation: Section 102
Data protection in Norway has a constitutional anchor. Section 102 of the Constitution (Grunnloven) establishes the right to respect for private life, home, and communication, and expressly obliges the state to safeguard personal integrity. Courts and regulators treat this provision as a fundamental backstop that applies even where statutory rules are silent or ambiguous.
The constitutional protection is not merely symbolic. Norwegian courts have cited Section 102 in cases involving surveillance, access to records, and the scope of employer monitoring. It operates alongside the GDPR and the Personal Data Act as a reinforcing layer of privacy protection.
How the GDPR Applies Through the EEA Agreement
Norway is not an EU member state and does not participate in EU legislative processes. However, Norway is a member of the European Economic Area through the EEA Agreement, which extends the EU's internal market -- including its data protection rules -- to Norway, Iceland, and Liechtenstein.
The GDPR was incorporated into Annex XI of the EEA Agreement by a Joint Committee Decision on 6 July 2018. The decision imposed a short adaptation, requiring Norway to notify its supervisory authority to the EEA Joint Committee rather than to the European Commission, and providing that the GDPR's supervisory cooperation mechanisms operate between Datatilsynet and EU member state authorities through EEA-specific channels.
The practical effect is near-complete alignment. Norwegian law applies the GDPR's definitions, principles, legal bases, rights, obligations, and penalty structure without modification. Controllers subject to both the GDPR (from EU establishment) and Norwegian law (from Norwegian activities) face a single coherent ruleset.
One structural difference affects multinational companies: the GDPR's one-stop-shop mechanism allows companies with an EU main establishment to deal primarily with their lead supervisory authority. Datatilsynet can coordinate with EU supervisory authorities through the EDPB, but the formal one-stop-shop mechanism that routes complaints to a lead authority does not extend to Datatilsynet in the same way. In practice, Datatilsynet can and does open parallel investigations of the same company even where an EU lead authority is also involved.
The Norwegian Personal Data Act (Personopplysningsloven)
Structure and Scope
The Personal Data Act (Lov om behandling av personopplysninger, LOV-2018-06-15-38) entered into force on 20 July 2018, replacing the earlier Personal Data Act of 2000. The 2018 Act is deliberately concise. Rather than restating GDPR obligations in full, it primarily incorporates the GDPR by reference (through EEA law) and addresses the specific areas where the GDPR grants member state discretion.
The Act covers the processing of personal data by automated means and manual processing where data forms part of a filing system. It applies to controllers and processors established in Norway and, through Article 3 of the GDPR, to organizations outside Norway that process data of individuals located in Norway while offering goods or services to them or monitoring their behavior.
National Supplementary Provisions
Norway has exercised its GDPR discretion in several substantive areas:
Children's digital consent. Section 5 of the Act sets the digital consent age at 13. The GDPR allows member states to choose any age between 13 and 16. Norway chose 13, the lowest permissible threshold, to maximize digital participation for young people. For children below 13, parental or guardian authorization is required.
This threshold is under review. In October 2024, the Norwegian government proposed raising the digital consent age from 13 to 15, specifically targeting social media platforms. The proposal remains in public consultation.
National identification numbers. Section 12 of the Act places restrictions on the processing of Norwegian national identification numbers (fødselsnummer), limiting their use to situations where there is a clear need and requiring appropriate safeguards. National ID numbers are considered sensitive in the Norwegian context because of their broad use in administrative and financial systems.
Employment data. The Act includes provisions allowing the processing of employees' sensitive personal data where necessary for the performance of employment law obligations or the exercise of employment law rights. Employers retain specific obligations regarding workplace monitoring under the Working Environment Act (arbeidsmiljøloven) and its supplementary regulations, which impose necessity and proportionality requirements and prior notification duties before any monitoring program is implemented.
Research, archives, and statistics. Section 17 of the Act limits certain data subject rights -- access, rectification, and restriction -- in cases where their exercise would seriously impede processing for archiving, research, or statistical purposes, provided that the processing is subject to appropriate safeguards. Section 16 permits limitations on transparency and subject access rights where disclosure would threaten national security, crime prevention, or another person's private interests.
Public access and data protection balancing. Norway's strong tradition of open government -- embodied in the Freedom of Information Act (offentleglova) -- creates a recurring tension with data protection requirements. Public bodies must balance transparency obligations with data protection when responding to access requests, and the Personal Data Act provides a framework for that balancing exercise.
Direct marketing and electronic communications. The Norwegian Electronic Communications Act (ekomloven) restricts direct electronic marketing to individuals without prior consent, consistent with the ePrivacy Directive framework that Norway also implements through EEA obligations. Opt-out mechanisms alone do not satisfy the consent requirement for most categories of direct marketing.
Datatilsynet: Role, Powers, and Organization
Independence and Governance
Datatilsynet was established in 1980, making it one of the oldest data protection authorities in Europe. It operates as an independent public body and is not subject to government instruction in individual cases. The authority is led by a Director General and employs approximately 70 staff with expertise in law, technology, and policy.
Datatilsynet is funded through the national budget but exercises its investigative and enforcement powers independently. It reports annually to the Storting (parliament) through the relevant ministry but makes its own enforcement decisions without ministerial approval.
Supervisory and Enforcement Powers
Under Article 58 of the GDPR, Datatilsynet holds the full range of investigative, corrective, and advisory powers:
Investigative powers include the ability to compel controllers and processors to provide information, to obtain access to premises (including through on-site inspections), and to carry out data protection audits.
Corrective powers include issuing warnings before processing begins, issuing reprimands for violations, ordering compliance with data subject requests, ordering the rectification or erasure of data, imposing temporary or permanent processing bans, withdrawing certification, and imposing administrative fines.
Advisory powers include issuing opinions on legislative proposals, publishing guidelines, and providing guidance to the public and organizations.
Datatilsynet can also impose coercive fines (tvangsmulkt) on a daily or periodic basis where a controller or processor fails to comply with a corrective order. This mechanism creates a strong financial incentive for prompt compliance that runs separately from the main administrative fine.
EDPB Participation
Datatilsynet participates in the European Data Protection Board through EEA channels. It attends EDPB plenary meetings, can contribute to binding decisions and guidelines, and is subject to EDPB consistency mechanisms. However, Datatilsynet does not vote in the formal sense that EU member state authorities do, and the formal dispute resolution mechanism under Article 65 does not directly apply to Datatilsynet in the way it applies to EU lead authorities.
Despite this structural difference, Datatilsynet actively shapes EDPB outputs by submitting written contributions and participating in working groups. The authority's position on consent and behavioral advertising, developed through the Grindr and Meta cases, has influenced EDPB guidance on these topics.
Privacy Appeals Board (Personvernnemnda)
Decisions by Datatilsynet may be appealed to the Privacy Appeals Board (Personvernnemnda), an independent administrative appeals body. The Board reviews the merits of Datatilsynet's decisions and can uphold, modify, or overturn them. Decisions of the Board can in turn be challenged in the ordinary courts.
The Personvernnemnda has issued a series of notable decisions. In the Grindr matter, it upheld Datatilsynet's NOK 65 million fine in September 2023. In PVN-2024-04 (Meta/Facebook), the Board upheld an appeal by Meta Ireland regarding the calculation of daily penalty fines, though it left intact the underlying ban on behavioral advertising. In PVN-2024-06, the Board dismissed an appeal relating to a child welfare service, holding that the data subject had no standing to challenge a corrective measure they considered too lenient.
The Board's decisions are published on its website and on GDPRhub, making Norwegian administrative case law accessible to practitioners across Europe.
Legal Bases for Processing
The GDPR's six legal bases under Article 6 apply in full:
Consent must be freely given, specific, informed, and unambiguous. In the digital context, pre-ticked boxes, bundled consent, and consent obtained through deceptive interface design (dark patterns) are invalid. Datatilsynet has been particularly vigilant about consent quality in the advertising technology context.
Contract performance permits processing that is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into a contract.
Legal obligation covers processing required by Norwegian law or EEA law.
Vital interests is a narrow basis applicable where processing is necessary to protect someone's life.
Public task covers processing by public authorities in the performance of official functions conferred by law.
Legitimate interests requires a three-part test: the controller must have a legitimate interest, processing must be necessary for that interest, and the interest must not be overridden by the data subject's interests or fundamental rights. Datatilsynet scrutinizes legitimate interests claims closely and has rejected arguments by advertising companies that behavioral profiling meets this test.
For special categories of personal data -- including health data, biometric data, genetic data, data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, and data concerning sex life or sexual orientation -- the Article 6 legal basis must be combined with one of the conditions in Article 9. Processing criminal conviction data requires a further condition under Article 10 and is generally reserved for public authorities.
Data Subject Rights
Norwegian residents hold the complete set of GDPR rights, and Datatilsynet actively enforces them:
Right of access (Article 15). Data subjects may request confirmation of whether their personal data is processed and receive a copy. The controller must respond within one calendar month, extendable by a further two months for complex requests. The first copy must be provided free of charge; controllers may charge reasonable fees for additional copies.
Right to rectification (Article 16). Individuals may demand correction of inaccurate personal data and completion of incomplete data.
Right to erasure (Article 17). The right to be forgotten applies where the data is no longer necessary for its original purpose, consent has been withdrawn and no other legal basis exists, an Article 21 objection succeeds, the data was processed unlawfully, or erasure is required by law. The right has limits: it does not apply where processing is necessary for freedom of expression and information, for compliance with a legal obligation, for public interest tasks, or for the establishment, exercise, or defense of legal claims.
Right to restriction (Article 18). Data subjects can request a pause on processing in defined circumstances, such as where accuracy is contested or a legitimate interests objection is pending.
Right to data portability (Article 20). Where processing is based on consent or contract and carried out by automated means, individuals may receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Article 21). Data subjects may object to processing based on legitimate interests, public task grounds, or direct marketing. Objections to direct marketing are absolute; the controller must stop immediately. Objections to other grounds require the controller to demonstrate compelling legitimate grounds that override the individual's interests.
Rights related to automated decision-making (Article 22). Individuals have the right not to be subject to decisions based solely on automated processing -- including profiling -- that produce legal or similarly significant effects, unless specific conditions are met, such as explicit consent or contractual necessity, combined with the right to obtain human review.
Sensitive Personal Data
The GDPR's special categories (Article 9) are reproduced in Norwegian law without modification. The prohibition on processing these categories is strict, and exceptions are narrowly construed. Datatilsynet has taken enforcement action against controllers that relied on incorrect legal bases for health data, biometric data, and sexual orientation data.
Norway's employment derogation permits employers to process sensitive personal data -- including health records and trade union membership -- where necessary for employment law obligations. The Working Environment Act sets out the specific circumstances in which employee health monitoring, genetic testing, and other intrusive practices are permissible, generally limiting them to safety-critical roles.
Breach Notification
Controller Obligations
Controllers must notify Datatilsynet of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it. If notification cannot be made within 72 hours, the controller must provide a reasoned explanation for the delay.
The notification must include a description of the nature of the breach (including categories and approximate number of data subjects and records), contact details for the DPO or other contact point, a description of the likely consequences, and a description of measures taken or proposed to address the breach.
Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify affected individuals without undue delay. A high-risk breach typically involves sensitive data, financial information, or circumstances where identity theft or physical harm is possible.
Minor breaches that are unlikely to result in any risk to individuals do not need to be notified to Datatilsynet, though they must be documented internally so that Datatilsynet can verify compliance.
Processor Obligations
Processors must notify their controller without undue delay upon becoming aware of a breach. The processor's notification to the controller triggers the controller's 72-hour clock. Processors are not required to notify Datatilsynet directly; that obligation rests with the controller.
Documentation
Controllers must maintain internal records of all personal data breaches, whether notified or not. These records form part of the accountability documentation that Datatilsynet may inspect.
Data Protection Officers
Mandatory Appointment Triggers
A DPO must be appointed where:
- The controller or processor is a public authority or body (with limited exceptions for courts in their judicial capacity).
- The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of processing of special categories of data on a large scale, or processing of personal data relating to criminal convictions and offenses.
The Telenor case in March 2025 illustrated the practical stakes. Datatilsynet fined Telenor ASA NOK 4 million specifically because the company had not properly organized its DPO function: it failed to document whether a DPO was required, did not establish a direct reporting line from the DPO to senior management, and did not ensure the DPO's operational independence. The fine was based on Articles 37 to 39 and Article 24 GDPR.
DPO Role and Protections
The DPO must possess expert knowledge of data protection law and practice. They advise the organization on GDPR compliance, monitor internal compliance, provide DPIA guidance, cooperate with Datatilsynet, and serve as the authority's primary contact point.
DPOs cannot be dismissed or penalized for performing their duties. They must report directly to the highest level of management. Where a conflict of interest exists -- for example, where the DPO also holds a role with decision-making authority over processing -- the appointment may be invalid. Datatilsynet has cited conflict of interest as a basis for enforcement action.
Data Protection Impact Assessments
Controllers must carry out a Data Protection Impact Assessment before undertaking processing that is likely to result in high risk to individuals. Datatilsynet has published a list of processing types that always require a DPIA, including systematic monitoring of publicly accessible areas on a large scale, large-scale processing of special categories, and the use of new technologies with uncertain privacy implications.
Where a DPIA reveals a high residual risk that the controller cannot mitigate, the controller must consult Datatilsynet before proceeding. Datatilsynet will provide a written opinion and may ultimately prohibit the processing.
Cross-Border Data Transfers
Transfers Within the EEA
Personal data flows freely between Norway and all EU and EEA member states. No additional transfer mechanism, assessment, or safeguard is needed for transfers within this zone.
Transfers to Third Countries
Transfers of personal data from Norway to countries outside the EEA require one of the following:
Adequacy decision. The European Commission has recognized several countries as providing adequate protection, including Japan, the United Kingdom, Switzerland, Canada (commercial organizations), South Korea, New Zealand, Israel, Uruguay, Argentina, and the Faroe Islands. Transfers to certified organizations in the United States are covered by the EU-U.S. Data Privacy Framework, which the Commission adopted in July 2023.
Appropriate safeguards. Where no adequacy decision exists, controllers must implement appropriate safeguards. The most common mechanisms are standard contractual clauses (SCCs) -- the Commission adopted updated SCCs in June 2021 -- and binding corporate rules for intra-group transfers. Codes of conduct and certification schemes approved under Article 46 can also serve as safeguards.
Transfer impact assessments. Following the Court of Justice of the EU's Schrems II ruling, controllers relying on SCCs must carry out a Transfer Impact Assessment to verify that the legal system of the destination country does not undermine the protections in the SCCs. Datatilsynet issued guidance on transfer impact assessments and has taken enforcement action where organizations used Google Analytics to transfer data to the United States without conducting adequate assessments of US surveillance law.
Derogations. Article 49 derogations are available for isolated, non-repetitive transfers based on explicit consent, contract necessity, vital interests, important public interest, or legal claims. Datatilsynet treats these derogations as narrow exceptions and has warned against relying on them as a substitute for implementing proper transfer mechanisms.
U.S. data transfers (2025 guidance). In February 2025, Datatilsynet issued specific guidance on transfers to the United States in light of evolving U.S. government access policies. The authority cautioned controllers to monitor developments, document their transfer impact assessments thoroughly, and implement supplementary technical measures where feasible. The EU-U.S. Data Privacy Framework remains in effect, but Datatilsynet noted that its adequacy could be affected by U.S. legal changes.
Penalties and Enforcement
Administrative Fine Structure
The GDPR two-tier structure applies:
Tier 1 (less serious violations): Up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers violations of processor obligations, DPO obligations, certification obligations, and breach notification obligations.
Tier 2 (more serious violations): Up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. This tier covers violations of the basic principles for processing, violations of the conditions for consent, violations of data subjects' rights, unlawful transfers, and violations of member state obligations.
Coercive Fines
In addition to administrative fines, Datatilsynet can impose tvangsmulkt (coercive fines) on a periodic basis until a controller or processor complies with a corrective order. These fines run independently of the administrative fine and are designed to incentivize prompt compliance rather than to punish past conduct.
Criminal Sanctions
The Personal Data Act preserves the possibility of criminal prosecution for intentional or grossly negligent violations. Criminal penalties can include fines and imprisonment, though criminal enforcement remains rare. Criminal cases are referred to the public prosecutor by Datatilsynet and proceed in the ordinary courts.
Major Enforcement Actions
Grindr LLC (NOK 65 million, 2021 -- upheld 2025). Datatilsynet issued a NOK 65 million fine against Grindr in December 2021 for sharing users' personal data with advertising partners without valid consent. The sharing included precise location data and data revealing sexual orientation, which is a special category under Article 9. The Privacy Appeals Board upheld the fine in September 2023. Oslo District Court confirmed it in 2024. Borgarting Court of Appeal upheld it again in October 2025, comprehensively rejecting Grindr's arguments on all points. This case established that Datatilsynet will pursue substantial fines against major international technology companies and that Norwegian courts will support those fines on appeal.
NAV (NOK 20 million, March 2024). Datatilsynet imposed a NOK 20 million fine on NAV (the Norwegian Labour and Welfare Administration) following an inspection that found structural failures in access management and log control. Inspectors identified that NAV had not given data protection sufficient priority or resources at the management level, resulting in unauthorized access to sensitive welfare and health records. NAV appealed; the matter was with the Privacy Appeals Board as of late 2024.
Telenor ASA (NOK 4 million, March 2025). Datatilsynet fined Norway's largest telecommunications company NOK 4 million for DPO-related failures. Telenor had not documented whether it was required to appoint a DPO, had not established a direct reporting line from the DPO to senior management, and had not ensured the DPO's independence and involvement in processing decisions. This case is significant as a signal that Datatilsynet will pursue structural governance failures, not only individual data breaches.
Tracking pixel sweep (2025). Datatilsynet inspected six websites and found that all were sharing visitor personal data with third parties -- including Meta and Snapchat -- through tracking pixels without a valid legal basis. The six websites were 116111.no (a public service for vulnerable children), apotekfordeg.no (pharmacy), bibel.no (Christian content), drdropin.no (medical services), ifengsel.no (children with imprisoned parents), and nhi.no (health information). Datatilsynet fined 116111.no NOK 250,000 and issued reprimands to the others. The case highlighted particular concern about tracking pixels on websites handling children's data and sensitive health information.
University of Agder (NOK 150,000, September 2024). Datatilsynet fined UiA for failing to implement appropriate technical and organizational measures to protect personal data in its use of Microsoft Teams, violating Article 32 GDPR.
Grue Municipality and Eidskog Municipality (NOK 250,000 each, 2024). Both municipalities were fined for GDPR breaches: Grue for a confidentiality failure in public records, and Eidskog for processing personal data without a valid legal basis.
Datatilsynet's AI Regulatory Sandbox
Since 2020, Datatilsynet has operated a regulatory sandbox for artificial intelligence -- one of the first data protection-specific AI sandboxes in Europe. The program offers free, expert guidance to a small cohort of selected organizations in exchange for full openness about their AI systems and privacy assessments.
The sandbox is designed to stimulate privacy-by-design in AI development and to help Datatilsynet build regulatory expertise. Insights from sandbox projects inform Datatilsynet's published guidelines on AI and are shared with the EDPB.
Sandbox projects have covered machine learning for healthcare diagnostics, federated learning for anti-money laundering, education analytics, employee cybersecurity risk profiling, digital identity verification, and analysis of Microsoft Copilot for Office 365. In its fifth round (2024), Datatilsynet selected four new projects focused specifically on generative AI and large language models.
The sandbox is available to organizations of all sizes and sectors. Applications are evaluated on novelty, public interest, potential privacy risks, and the applicant's willingness to share findings publicly. Participating organizations receive written assessments that can function as informal guidance for similar projects in the broader market.
The EU AI Act and Norway
Norway has committed to incorporating the EU AI Act into the EEA Agreement, which would make it binding in Norwegian law alongside the GDPR. The EU AI Act was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024, with its most significant obligations applying from August 2026.
In June 2025, the Norwegian government published a consultation package proposing a national AI Act (KI-loven) to implement the EU regulation. The consultation deadline was 30 September 2025, and the government has stated the law is intended to enter into force in summer 2026, aligned with the EU's own phase-in calendar.
Once incorporated, the AI Act will impose tiered obligations based on the risk level of AI systems. High-risk AI systems -- covering areas such as biometric identification, critical infrastructure, education, employment, essential private services, law enforcement, migration management, and administration of justice -- will require conformity assessments, registration in an EU database, and ongoing monitoring. Prohibited AI practices, including social scoring by public authorities and real-time biometric surveillance in public spaces (with narrow exceptions), will be banned in Norway as in the EU.
Datatilsynet is expected to serve as the competent market surveillance authority for AI systems involving personal data processing, in coordination with other Norwegian market surveillance bodies.
Workplace Monitoring
Norway has some of the most detailed regulation of workplace monitoring in Europe. Employers may not implement monitoring of employees without satisfying requirements under both the Working Environment Act and the GDPR:
Necessity and proportionality. Monitoring must be necessary for a legitimate purpose. Datatilsynet has consistently held that business efficiency interests alone do not justify intrusive monitoring. Employee surveillance must be proportionate to the specific purpose.
Prior notice. Employers must inform employees and employee representatives before implementing monitoring. In unionized workplaces, consultation with union representatives is typically required.
Permissible monitoring forms. The regulations distinguish between different monitoring types. CCTV surveillance of the workplace is permitted where necessary for security or accident prevention but not for general supervision of employees. Email monitoring and internet monitoring are permitted only in specific, narrowly defined circumstances. GPS tracking of company vehicles is permissible for route planning and safety purposes but not for continuous location surveillance of employees.
Sectoral rules. The health, finance, and security sectors have additional sector-specific rules on employee data. The Working Environment Act regulations on monitoring provide the framework.
Business Compliance Checklist
Organizations processing personal data in Norway should ensure:
- Legal basis documentation. Every processing activity in the record of processing activities must have a clearly identified legal basis. Legitimate interests assessments must be written and documented.
- Data subject rights procedures. Organizations must have defined procedures for handling access, rectification, erasure, restriction, portability, and objection requests within the one-month timeframe. Requests received in Norwegian must be handled in Norwegian.
- DPO appointment and governance. Confirm whether a DPO is required. If so, document the appointment, establish a direct reporting line to the board or senior management, and ensure the DPO has no conflicts of interest.
- Breach notification readiness. Maintain an incident response procedure that can trigger a Datatilsynet notification within 72 hours. Designate who is responsible for making breach notifications.
- DPIA process. Identify processing activities that require a DPIA before deployment. Apply Datatilsynet's published list of mandatory DPIA triggers and conduct DPIAs for new technologies, AI systems, and large-scale tracking.
- Transfer mechanisms. Audit all data flows outside the EEA. Verify that adequacy decisions still apply, that SCCs are in their 2021 form, and that transfer impact assessments have been conducted for transfers to high-risk jurisdictions.
- Consent management. Review consent mechanisms for cookies, tracking, and marketing. Ensure consent is granular, freely given, and documented. Use a consent management platform that maintains an audit trail.
- Children's data. Apply heightened safeguards for services that may be used by children. Verify age where the service is aimed at, or likely to attract, under-15s (in anticipation of the proposed age increase).
- AI governance. Prepare for the AI Act. Categorize AI systems by risk level and identify which systems will require conformity assessments or registration under the EU framework.
- Datatilsynet guidance. Monitor Datatilsynet's website for updated guidelines and enforcement decisions. The authority publishes English-language guidance on most major compliance topics.
For a related discussion of Norwegian recording consent law, see our guide to Norway recording laws.
This article is for informational purposes only and does not constitute legal advice. Data protection law changes frequently, and organizations should consult a qualified attorney for advice specific to their situation.

Frequently Asked Questions
Does the GDPR apply in Norway even though Norway is not an EU member?
Yes. Norway is a member of the European Economic Area, and the GDPR was incorporated into the EEA Agreement by a Joint Committee Decision on 6 July 2018. The Norwegian Personal Data Act of 2018 formally implements the GDPR in national law. The result is a framework substantively identical to that of EU member states, enforced by Datatilsynet.
What is the largest GDPR fine in Norwegian history?
The largest fine is NOK 65 million (approximately EUR 5.8 million), imposed on Grindr LLC in December 2021 for sharing users' personal data -- including location data and sexual orientation -- with advertising partners without valid consent. Borgarting Court of Appeal upheld the fine in October 2025, confirming Datatilsynet's authority to impose substantial penalties against international technology companies.
What is the age of digital consent for children in Norway?
The current age is 13 years, set by Section 5 of the Personal Data Act -- the lowest threshold permitted under the GDPR. Children aged 13 and above can provide valid consent for the processing of their personal data for information society services. For younger children, parental or guardian authorization is required. The Norwegian government proposed raising this to 15 in October 2024; that proposal is under public consultation.
Can personal data be transferred freely between Norway and EU countries?
Yes. Norway is part of the EEA, so personal data flows freely between Norway and all EU and EEA member states without additional transfer mechanisms. Transfers outside the EEA require an adequacy decision, standard contractual clauses, binding corporate rules, or another Article 46 safeguard -- the same rules that apply to EU member states.
Do I need a Data Protection Officer in Norway?
A DPO is mandatory if your organization is a public authority, conducts large-scale systematic monitoring of individuals, or processes special categories of personal data on a large scale. Datatilsynet fined Telenor ASA NOK 4 million in March 2025 for DPO governance failures, including lack of documentation, absence of a direct reporting line to management, and conflict of interest concerns.
What is Datatilsynet's AI sandbox?
Datatilsynet operates a regulatory sandbox for artificial intelligence, in which a small group of selected organizations receive free expert guidance on privacy-by-design in AI development. The sandbox has run since 2020 and is in its fifth round as of 2024, focusing on generative AI and large language models. Participating organizations agree to full transparency about their systems; findings are published and inform broader regulatory guidance.
When will the EU AI Act apply in Norway?
Norway is working to incorporate the EU AI Act into the EEA Agreement. The Norwegian government published a consultation package for a national AI Act (KI-loven) in June 2025, with a target entry into force in summer 2026, aligned with the EU's own compliance timeline. Datatilsynet is expected to be the competent authority for AI systems involving personal data processing.
How does Norway handle data breaches?
Controllers must notify Datatilsynet without undue delay and, where feasible, within 72 hours of becoming aware of a breach. Where the breach is likely to cause high risk to individuals, the affected data subjects must also be notified without delay. Processors must notify their controller immediately. All breaches must be documented internally, whether or not they are reported to the authority.