Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Swedish Children’s and Parents’ Code (1949:381), as amended, provides that a person under the age of 18 is a child for the purposes of Swedish law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC has been directly incorporated into national law by way of reference in the Swedish Act on the UNCRC (2018:1197). As such, Articles 1-42 of the UNCRC in its original text are applicable as Swedish law.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children (Sw. Barnombudsmannen) is established by the Swedish Ombudsman for Children Act (1993:335).
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The Ombudsman for Children is responsible for upholding children’s rights and interests in accordance with the UNCRC, such as through the promotion and awareness and by monitoring that requirements are in compliance with the UNCRC. Its competence extends to investigating public bodies, filing cases to the Social Welfare Committee and the Health and Social Care Inspectorate if it receives information about children in danger, and proposing legislative amendments to ensure that the rights of children and young people are met.
The Ombudsman for Children also collaborates with the Swedish Authority for Privacy Protection, such as to provide the joint guidance “The rights of children and young people on digital platforms”.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different setting/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
For children who are residents in Sweden, the consent of a child is valid from the age of 13 if it concerns the provision of information society services as defined in Article 4(25) GDPR. Examples of such services are online games, apps with games or other content, social media and more. For services other than information society services provided to children, children between the ages of 13 and 16 require an individual assessment to be made to assess whether the child understands the consequences of consent. This includes how sensitive the information provided is, how long the personal data is stored and the age and maturity of the child.
Chapter 9 of the Swedish Children and Parents Code (1949:381) allows minors aged 16 and above to have some ability to act on their own (such as enter into contracts under specific circumstances). Given this, the Swedish Authority for Privacy Protection considers there to be a presumption that children above the age of 16 are able to provide consent.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. While Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. No such methods are expressly approved by law, regulation or legally binding regulator-issued guidelines in the Swedish jurisdiction.
However, consent in all scenarios must be freely given, specific, informed and unambiguous. Also, it needs to be obtained prior to the processing taking place.
Additionally, see information on the EU-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children. This requirement is interpreted by the Swedish Authority for Privacy Protection in its guidance “The Rights of Children and Young People on Digital Platforms” as meaning that children are entitled to receive information about the processing of their own personal data even if consent to the processing was given by a parent.
The information should be provided in a child-friendly manner and be capable of being understood by children.
In addition, the guidance suggests using short language, that the information to parents providing consent must clearly and early on state that the child is entitled to information and that consideration must be given to the fact that children may require information in different formats and at different stages of their user journey such as non-textual methods.
If a service provides tools for parental control or monitoring, specific, age-appropriate information must be provided to the child regarding such parental control or monitoring. This could, for example, be symbols or icons that show the child when such monitoring occurs. It is also recommended that information is provided to parents regarding the child’s right to a private life if tools for parental control or monitoring are provided.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR. The Swedish Authority for Privacy Protection, in its guidance “The Rights of Children and Young People on Digital Platforms” states that guardians do not need to be involved in the erasure of data, if the data subject is old enough to make the decision and must be completed immediately if the child requests it and has reached the age required to control their own data, even if the consent was originally provided by their guardian.
In addition, if the child is old enough to give consent, a request for deletion from a guardian should not be accepted without considering the child’s wishes.
While the Swedish Authority for Privacy Protection does not specify an age at which a child is able to exercise their rights, the above indicates that the age of digital consent should guide the age at which a child can exercise their rights i.e., between the ages 13 – 16, taking into consideration multiple factors such as the age and maturity of the child.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
The Swedish Authority for Privacy Protection in its guidance “The Rights of Children and Young People on Digital Platforms” considers that a child may exercise their data protection rights as long as they have the capacity to do so.
If the complaint is later brought into court, the capacity to continue pursuing the case is limited based on procedural law and may require a representative.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard but requirements arise from the Swedish Authority for Privacy Protection (IMY) and its guidance “The Rights of Children and Young People on Digital Platforms”. The following are non-exhaustive examples of such requirements.
a) processing specific types of children’s personal data;
IMY consistently considers the sensitivity of children’s personal data in its decisions, pointing out that all personal data of children require special protection.
b) carrying out specific processing activities involving children’s personal data; and/ or
It is IMY’s position that organisations should not conduct profiling as it is difficult to justify it in light of the UNCRC and data protection rules, in particular as the best interests of the child has to be the leading consideration for this.
c) using children’s personal data for specific purposes.
In addition to restrictions relating to marketing/advertising towards children in general, there is a high burden of proof on an organisation to show how it is in the best interests of children to process their personal data for the purposes of profiling and/ or automated decision making, or otherwise, in order to advertise or market to them.
Binding decisions from the European Data Protection Board in the Irish Data Protection Commission’s cases also serve as guidance in Sweden - see further information on the EU-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Swedish Authority for Privacy Protection (IMY) has issued certain enforcement actions where processing of children’s data was one of the issues addressed in the decision. The following are non-exhaustive examples of such enforcement actions:
- The Stockholm City Education Committee was fined SEK 800,000 in October 2023 having been found to have infringed various GDPR requirements including those relating to failure to comply with transparency obligations under Articles 13 GDPR. IMY highlighted that children's personal data deserves special protection as children may be less aware of the risks, consequences and safeguards involved, as well as of their rights regarding the processing of personal data and that particular information efforts may be required.
- An education delivery service was issued a reprimand and corrective measures in August 2023 having been found to have infringed Article 32(1) of the GDPR. The learning platform provider was found to have exposed personal data from its learning platform on a publicly available website online. IMY highlighted that children’s personal data deserves special protection and that the platform therefore has a great responsibility to ensure security. In addition, the requirements set out in the binding decisions from the European Data Protection Board in the Irish Data Protection Commissions cases concerning social media platforms are also applicable in Sweden.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Where unsolicited direct marketing to any person is carried out through the sending of electronic mail (i.e. any text, voice, sound or image message including SMS text message and automatic calling systems) the Swedish Marketing Act (2008:486) and the Swedish Electronic Communications Act (2022:482) (the Acts) will apply to such communications. These Acts transpose the ePrivacy Directive into Swedish law.
These Acts are not specifically directed at communications made to children but regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required (which must be GDPR-standard consent) although there are certain strictly applied exemptions which can be relied upon in limited circumstances. Specific to children is that the use of personal data of children and young people for marketing must always be based on what is deemed to be in the child’s best interests.
In all cases, the Swedish Markets Court has consistently held that direct marketing targeting children under the age of 16 constitutes unlawful marketing practices and is thus prohibited under the Swedish Marketing Act (MD 1983:16, MD 1999:26, MD 2012:14). This has also been incorporated into guidance from the Swedish Consumer Agency “Guidance on Marketing towards Children”.
Please note that it is not permitted to make direct sales promotions to children under 18 nor encourage a child to convince adults to purchase something for the child.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard but requirements arise from the Swedish Authority for Privacy Protection’s (IMY) guidance “The Rights of Children and Young People on Digital Platforms”. It is IMY’s position that organisations should not conduct profiling as it is difficult to justify it in light of the UNCRC and data protection rules, in particular as the best interests of the child has to be the leading consideration for this.
There is a high burden of proof on an organisation to show how it is in the best interests of children to process their personal data for the purposes of profiling and/ or automated decision making, or otherwise, in order to advertise or market to them.
Additionally, see further information on the EU-level requirements here.
Please note that it is not permitted to make direct sales promotions to children under 18 nor encourage a child to convince adults to purchase something for the child.
Are there specific rules concerning online contextual advertising to children?
Yes.
The Swedish Marketing Act (2008:486) and Swedish Consumer Agency “Guidance on Marketing towards Children” provide specific requirements on contextual advertising to children. Contextual advertising must be clearly distinguishable so that a child may identify what is a commercial message (advertising) and what is part of a game. As such, the ad itself may not take the form of a game or similar. Who the advertising is from must also be made clear to the child.
The Swedish Consumer Agency in its guidance “The Nordic Consumer Ombudsman’s viewpoint on e-commerce and online marketing 2010” further provide that using or contributing to the use of product placements or other forms of hidden advertising targeting children is prohibited on websites.
To the extent that contextual advertising relies even on minimal processing of children’s data, the GDPR rules and connected regulatory guidelines etc. will apply to such activities. For further information on the EU-level requirements see here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Swedish Consumer Ombudsman and Swedish Consumer Agency are active in monitoring marketing activities in Sweden, including towards children. The following is a non-exhaustive example of such enforcement actions:
- A provider of an online game community, was prohibited from continuing with certain marketing activities subject to a potential fine of SEK 3 million in case of breach of these prohibitions. The company conducted direct advertising to children under the age of 16 and encouraged children to purchase products in the game interface (the use of “buy”, “buy more”, “upgrade”, “upgrade now” were specifically mentioned as prohibited), and pressured children to purchase products (the use of “it won’t stay long” and “before it’s too late!” are specifically mentioned as prohibited).
- A marketing company was prohibited from continuing with direct marketing to children under the age of 16 subject to a potential fine of SEK 1 million in case of breach of these prohibition.
- A company was prohibited and later fined for continuing with certain marketing activities for their toys. Jollyroom sent newsletters with text which encouraged children to purchase products and provided misleading price information to the average consumer. To date, the Swedish Authority for Privacy Protection has not taken any regulatory enforcement action concerning advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The Swedish Children’s and Parents’ Code (1949:381), as amended, provides that a person aged 18 and over in general has the civil capacity to enter into a contract in Sweden.
As a general rule, parental consent is required for children. There are some restrictive exceptions which apply.
Minors aged 16 and above are allowed to enter into contracts using money they have acquired through their own work, with limitations for certain types of contracts prescribed in law such as contracts relating to gambling, alcohol and similar.
In addition, in two cases driven by the Consumer Ombudsman (MD 2012:14 and MD 2013:9), the courts established that parental consent may in certain circumstances be presumed for children aged 14-18 depending on the nature and necessity of the purchase, including the price and potential financial effects of the agreement.
The Swedish Consumer Agency in its “Guidance on Marketing towards Children” clarifies that if a child has been provided with money, as a rule it can be presumed that the child has received consent to use the money as the child pleases unless specific circumstances provides otherwise. If the child has unlawfully taken the money from parents, the contract is always invalid.
In practice, there is a high burden of proof for digital service providers to show that valid consent exists or that the contract has been entered into with an individual with civil capacity.
Do consumer protection rules apply to children?
Yes.
The Swedish Consumer Services Act (1985:716), Swedish Consumer Purchases Act (2022:260), and Swedish Marketing Act (2008:486), as amended, apply to consumers including children.
These requirements affect everything from pre-sale information requirements, business practices, misleading or deceiving practices and more.
The interpretation of these requirements must be understood and interpreted with the best interests of the child in mind whenever children are concerned.
The concept of the ‘average consumer’ is also important in the context of the interpretation of the Swedish Marketing Act. If the average consumer is intended to be a child, the assessment must be made from the perspective of how a child will interpret the marketing e.g. if it is misleading or unclear. The Swedish Market Court established that the marketing must be viewed based on the actual recipients of the marketing and not only the intended recipients, as follows from the Swedish Marketing Act (MD 2012:14).
Withholding, omitting or concealing material information that the average consumer would need, in the context, to make an informed transactional decision, with such action causing or being likely to cause the average consumer to make a transactional decision they would not otherwise make also constitutes a misleading commercial practice.
Additionally, see further information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
There are no national-specific laws in this regard but requirements arise from general consumer protection rules as consumer protection requirements in Sweden must be considered in the context of the ‘average consumer’. If this includes children, the consumer protection rules and the interpretation of the ‘average consumer’ must consider the inexperience of children and the best interests of the child.
Additionally, see further information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Swedish Consumer Ombudsman and Swedish Consumer Agency are active in monitoring consumer protection in Sweden, including towards children. The following is a non-exhaustive example of such enforcement actions:
- A provider of an online game community, was prohibited from continuing with certain marketing activities subject to a potential fine of SEK 3 million in case of breach of these prohibitions. The company conducted direct advertising to children under the age of 16 and encouraged children to purchase products in the game interface (the use of “buy”, “buy more”, “upgrade”, “upgrade now” were specifically mentioned as prohibited), and pressured children to purchase products (the use of “it won’t stay long” and “before it’s too late!” are specifically mentioned as prohibited). In addition, the Swedish Consumer Agency has conducted regulatory enforcement action concerning consumer protection requirements towards children relating to other products and services than digital services:
- A marketing company was prohibited from continuing with direct marketing to children under the age of 16 subject to a potential fine of SEK 1 million in case of breach of these prohibition.
- A company was prohibited and later fined for continuing with certain marketing activities for their toys. Jollyroom sent newsletters with text which encouraged children to purchase products and provided misleading price information to the average consumer.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are no national-specific laws in this regard but requirements arise from general restrictions to certain goods and services. The following is a non-exhaustive example of such requirements:
- Gambling,
- Alcohol, and
- Tobacco.
To the extent such goods and services are accessed online by children, these restrictions will generally also apply.
Restrictions relating to consent and civil age for the use or purchase of certain services may also have an impact on age of access. Find more information in the section on ‘What age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?’ and ‘What age does a person acquire contractual capacity to enter into an agreement to use digital services?’.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There are no formal or statutory meanings ascribed to the terms “digital safety” and “online safety” in Sweden.
Nevertheless, the offences of insulting behaviour, defamation and molestation, as regulated in the Swedish Criminal Code (1962:700) may be applicable depending on the circumstances.
In addition, the Swedish Act on Electronic Bulletin Boards (1998:112) provides additional requirements relating to content moderation.
Service providers for electronic transmission of messages are obliged to remove content containing (i) unlawful threat, (ii) unlawful breach of privacy, (iii) incitement of crime, (iv) agitation against a population group, (v) child pornography, (vi) unlawful depiction of violence, or (vii) public incitement to terrorism or other particularly serious crime. Service providers for electronic transmission of messages are also obliged to remove content if it is obvious that the user has infringed copyright or another intellectual property right by sending the message.
The service provider is obliged to have such supervision of the service as can be reasonably required in view of the scope and nature of the activity. Having said that, every single message transmitted does not have to be actively checked but some form of periodic check is required.
There is also an obligation on service provider for electronic transmission of messages (which in case law has covered for instance comment functions on webpages and Facebook-groups and which is also likely to covers social media platforms in general) to delete or otherwise prevent further dissemination of messages (i.e. text, pictures, sounds or other information, e.g. computer programs) containing child pornography.
Additionally, see further information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Currently there are no explicit statutory provision under Swedish law that establish a specific requirement to implement age assurance/age verification measures. See further information on the EU-level requirements here.
However, from a data protection regulatory perspective, the Swedish Authority for Privacy Protection in its guidance “The Rights of Children and Young People on Digital Platforms” provides that it may be legal and sometimes required to verify user ages depending on the context.
A child’s age may for example have an impact on whether they are able to consent to personal data processing.
Their age can also affect the risk assessment. For this reason, it may sometimes be appropriate or necessary to verify a child’s age. This is only legal where there is a clear need to do so. Requirements under other regulations may also necessitate an age check.
Video sharing platform providers are for example obligated to take appropriate measures to ensure that content that is harmful to children (such as realistic depictions of violence or pornographic images) are not provided in such a way that there is a significant risk that a child could see it.
There are no exact rules for how to carry out age checks, but such checks should be preceded by a risk assessment and not entail any unreasonable processing of personal data. More detailed age checks can be sensitive to a person’s privacy. Where a risk assessment is carried out and the risk is considered low, it may then be sufficient to ask new users to specify their year of birth or to fill out a form where they certify that they are not children under a certain age. More detailed verification can then be carried out in case of doubt.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
There are no national-specific laws in this regard. See further information on the EU-level requirements here. However, the Swedish Authority for Privacy Protection and Swedish Ombudsman for Children in their guidance “The Rights of Children and Young People on Digital Platforms” require the child’s right to privacy under the UNCRC to be respected. Any tools for parental control may only be used if the child is able to understand that they are being monitored, when they are monitored, and how e.g. by the use of symbols and information which is age appropriate.
The guidance states that children must not be controlled or subjected to arbitrary or unlawful infringements on their personal and family lives. At the same time, parents under the Swedish Children and Parents Code (1949:381) are responsible for the child’s upbringing and development based on the best interests of the child.
As such, any parental controls must balance these rights and take into consideration the child’s development and ability to understand monitoring, and ultimately must consider the implementation of parental controls based on what is in the best interests of the child.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
However, after Australia's November 2024 ban on social media for children under 16, some public officials in Sweden have expressed support for this decision and stated that this topic will be closely monitored. This shows that the concerns about social media's impact on children's well-being is a growing topic in Sweden and more guidance/ legislation can be expected.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Additionally, There is some general guidance related to children and AI in Sweden, please see below.
In February 2025 the Swedish Government’s AI Commission published a Government Official Report (SOU) which presented an analysis on what Sweden's future direction in AI, concrete proposals to enhance the Swedish AI ecosystem, and visions of achievable future goals in AI. The Report contains in Annex 2 the AI Commission's roadmap for Sweden. This roadmap highlights that ethical guidelines should consider how the use of AI may affect children's rights, and that schools have an important mission to make clear that AI should not be considered a miracle cure that can replace children's need for solid basic knowledge and training in analytical skills to understand and interpret their world. This report is available in Swedish here.
In June 2023 the research program Wallenberg AI, Autonomous Systems and Software Program - Humanities and Society (WASP-HS) published the report “AI, Education and Children”, which is available here. This report discusses AI opportunities and challenges in the context of children and education.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
The Swedish Authority for Privacy Protection has indicated that it is currently co-drafting updated guidance regarding children’s personal data online with its Nordic counterparts. The guidance is set to be more comprehensive than the existing guidance on the subject. No draft has been publicly revealed at the time of writing.
In May 2024 the Nordic data protection authorities from Sweden, Denmark, the Faroe Islands, Finland, Iceland, Norway and Åland met and signed the “Oslo Declaration” committing to join forces on different tasks, including children’s data protection in gaming. The Oslo Declaration can be found here.
During the meeting, the data protection authorities adopted joint principles on children and online gaming. The principles set out how children’s rights should be safeguarded by game developers. The joint principles can be read here: here (at the time of writing this, the file is not yet published on the website of the Swedish data protection authority).
In relation to marketing, the Swedish Consumer Agency regularly refers to the standards provided by the International Chamber of Commerce in its interpretation of national requirements.
Additionally, see further information on upcoming EU-level requirements here.
