They aren't confidential, at least not more than your full name. It's a common myth, probably stemming from the fact that there's plenty of laws about how to treat information that can be used to identify people. But those laws pretty much also applies if you just a have list of peoples full name.
Edit: Reading through the law, they are more confidential than your full name, though not by much. Generally you can't publish them publicly. And usage within companies and the state are regulated, but fairly permissive. Datatilsynet has explicitly said that they shouldn't be used to identity that a person is who they say they are, and only should be used as a primary key to differentiate people.
Considering everyone and their cousin has your CPR number over here, I fail to see how it could be seen as confidential. My landlord has my CPR, my company has my CPR, my network operator has my CPR, and my language school has my CPR.
Not knowing my CPR has never been a problem, but knowing it has never been an advantage. It's a unique ID as a citizen, but that's as far as it goes.
Every time I call my bank, I have to give the amount of cash available on my account for them to "authenticate" me, or tell them when was the last time I logged on to the website.
They used to be regarded as confidential here in Norway but that has been rather de-emphasised in recent years. But you won't get anywhere asking for information from a bank if you only have the account and personnummer because all the banks here require two factor authentication, as far as I know.
Edit: Reading through the law, they are more confidential than your full name, though not by much. Generally you can't publish them publicly. And usage within companies and the state are regulated, but fairly permissive. Datatilsynet has explicitly said that they shouldn't be used to identity that a person is who they say they are, and only should be used as a primary key to differentiate people.