IMY enforcement, cookie consent, and the engineering work that closes the gap.

Sweden's data protection authority (Integritetsskyddsmyndigheten, IMY) has been one of the EU's most active issuers of GDPR fines. The pattern across recent enforcement: the failure point is almost always the execution layer — what the website actually loads, not what the cookie policy says it loads.

Updated 2026-04 · Sweden / IMY focus · 8 min read

What IMY is

The supervisor that actually fines.

IMY (Integritetsskyddsmyndigheten) is Sweden's data protection authority. Among EU DPAs, it has been comparatively active in 2024–2026, with enforcement actions across cookie practices, third-party data transfers, and IT security measures under Article 32.

The pattern across cases: the gap that triggers the fine is rarely a missing policy document. It's that the production system did not enforce what the documents said it would.

Recent enforcement

The pattern across IMY decisions.

  • Sportadmin · Jan 2026
    Sanctioned for inadequate IT security measures. Article 32 territory — the article that gets engineering teams fined when nothing else does.
  • Apoteket + Apohem · Aug 2024
    Fined for transferring personal data to Meta via tracking pixels without a valid lawful basis. The fix was infrastructure, not a policy update.
  • Klarna · earlier years
    Among the largest GDPR fines in the Nordics. Pattern: data minimisation and processing-purpose enforcement gaps.

The throughline: each of these is a place where engineering work — or its absence — produced the violation. Cookie tags loaded before consent. Tracking pixels routed personal data to Meta. IT security controls were not in place at the level Article 32 requires.

The cookie surface

What cookie compliance actually means in code.

Cookie consent is the most visible IMY enforcement target, and the easiest to get wrong if the implementation is bolted on. The engineering version, in 2026:

  • Block tags before consent
    No analytics, ads, or third-party tracking script loads until the user has actively consented. Default = nothing fires.
  • Granular categories
    Necessary / Functional / Analytics / Advertising as separate consents. Pre-ticked boxes are not consent under GDPR.
  • Persist + audit the consent
    Store the consent record (timestamp, categories, version of policy) in a way that is auditable for the retention period.
  • Honour withdrawal
    Withdrawal must be as easy as giving consent. Tags must actually stop loading, not just visually disappear.
  • Document the lawful basis per processing purpose
    Cookie banners are the visible part; the documented lawful basis (Article 6) is the underlying legal artifact. Both must align.

The trap most teams hit.

The cookie banner appears compliant because it shows the right text. The HTML still loads Google Analytics on first paint. The user never gave consent; the tag fired anyway. This is the most common pattern in IMY's enforcement record.

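A minimal consent gate covering the first four points of the list above (nothing fires by default, per-category consent, an auditable record, withdrawal that unloads tags). This is an added example, not code from RuleMesh or from any IMY decision; the tag registry, `createConsentGate`, and the `inject`/`remove` callbacks are hypothetical names, and treating strictly necessary tags as exempt from consent is an assumption of the sketch.

```javascript
// Added example; every name here (TAGS, createConsentGate, inject, remove) is hypothetical.
const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];
const POLICY_VERSION = "policy-v3-constructed"; // constructed sample value

// Constructed registry: each tag declares the one consent category it needs.
const TAGS = [
  { id: "session", category: "necessary", src: "/js/session.js" },
  { id: "analytics-vendor", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

function createConsentGate({ inject, remove, now = () => new Date() }) {
  // Assumption: strictly necessary tags need no consent. Nothing else is pre-ticked.
  let granted = new Set(["necessary"]);
  const loaded = new Set();
  const auditLog = []; // append-only here; persist it server-side in production

  function apply() {
    for (const tag of TAGS) {
      const allowed = granted.has(tag.category);
      if (allowed && !loaded.has(tag.id)) { inject(tag); loaded.add(tag.id); }
      if (!allowed && loaded.has(tag.id)) { remove(tag); loaded.delete(tag.id); }
    }
  }

  function setConsent(choices, action) {
    for (const key of Object.keys(choices)) {
      if (!CATEGORIES.includes(key)) throw new Error(`unknown category: ${key}`);
    }
    // Only an explicit boolean true counts as consent for a category.
    granted = new Set(CATEGORIES.filter((c) => c === "necessary" || choices[c] === true));
    auditLog.push(Object.freeze({
      timestamp: now().toISOString(),
      action,
      policyVersion: POLICY_VERSION,
      categories: [...granted],
    }));
    apply(); // withdrawal removes tags in the same step that records it
  }

  apply(); // first paint: only necessary tags are injected
  return {
    grant: (choices) => setConsent(choices, "grant"),
    withdraw: () => setConsent({}, "withdraw"), // one call, as easy as granting
    loadedTags: () => [...loaded],
    auditLog: () => [...auditLog],
  };
}
```

In a browser, `inject` would append the `<script>` element and `remove` would delete it and expire the cookies that tag set. Script that has already executed keeps running until the next navigation, so the stored consent state must also gate what the next page load injects.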
Beyond cookies

The bigger Article 32 surface.

Cookie consent is one wedge of the broader Article 32 surface — security of processing, audit logging, access control, encryption. IMY's recent enforcement against IT security measures (e.g. Sportadmin) is on this surface, not the cookie one.

If you're a Swedish or EU SaaS team looking at IMY enforcement and wondering where to start, the answer is the same as it would be for any GDPR engineering programme: lock the perimeter (encryption + access), build the DSR pipeline, ship the audit log. The cookie work is a subset.

  1. Map your tag-loading order
    Document what loads before consent vs after. Most teams find more pre-consent tags than they expected.
  2. Audit Article 32 surface
    Encryption (in transit + at rest), access control, audit log. These are the surfaces IMY reaches for in IT-security enforcement.
  3. Run a GDPR audit with your coding agent
    Hand the codebase to Claude Code, Cursor, or Codex with the RuleMesh MCP server. Returns concrete file-path findings, not a PDF.

Where RuleMesh fits

The execution-layer answer.

RuleMesh is built specifically for the gap IMY's enforcement record points at: the place where engineering work translates regulation into running code. Free MCP install, no credit card. Stockholm-based, registered in Sweden — so the framing matches Swedish supervisory practice rather than US-style certifications.
