Cookie Laws Across Europe

Each EU country is required to modify their legislation to bring the original Cookie Directive into effect.

Each member country has done or is doing this at different times and in different ways. The net result of this is that the actual requirements of the law can differ between different countries. The aim of this page is to provide an overview of what has happened where.

We try to make this as complete as possible, but information on activity in some countries is difficult to verify. We welcome contributions that would help us to keep this page up to date.

Austria

The Directive was implemented in a new Telecommunications Act, which came into force November 2011.

The requirements for cookies is under section 96.3

There is no clear guidance on compliance at this time.

Belgium

A new act was passed on 28 June 2012 on electronic communications that implements the requirements of the Directive.

The wording of the Directive was replicated - which indicates a preference for consent to be obtained prior to the setting of cookies. However implied consent is considered allowable.

Browser controls are not acceptable for indicating consent.

The Belgian Data Protection Commission has recommended that crucial elements of the requirements need further clarification.

(a) what tracking technologies require consent, and what may be exempted

(b) what type of information should be provided to users so that their consent can be valid

(c) how should third party tracking be blocked/prevented.

These are expected to be clarified by Royal decree or by the Belgian Telecom Regulator (IBPT)

Bulgaria

The law came into force on 29 December 2011. It requires sites to publish information about cookies and give consumers the right to refuse them.

The Consumer Protection Commission is the body responsible for enforcement.

Croatia

Although Croatia is not a currently a member of the EU, it is adopting EU directives as part of its commitment to joining.

The law in Croatia requires explicit consent.

Czech Republic

The law is in effect but there is no current guidance for website owners.

Cyprus

No information.

Denmark

The law came into effect in December 2011.

There are specific requirements about the level of information required to be given to site visitors. Valid consent cannot be signalled through a browser, but implied consent is deemed to be a valid model.

The enforcement body is the Danish Business Authority, but the Danish Media trade association is developing a self-regulation programme for the use of cookies.

Guidance from the Danish Business Authority can be found here in English.

Estonia

Estonia has notified the EU that the Estonian Electronic Communications Act implements the requirements of the Privacy Directive, although it has not been amended.

The law contains a 'right to refuse' approach. The Ministry of Economics is responsible for the legislation.

Finland

The law is in effect. Valid consent can be signalled through a browser.

France

The law is in effect. It is enforced by the French data protection authority (CNIL). France requires explicit consent for cookies.

However they have released guidance that first party analytics cookies do not need prior consent under certain conditions - including clear notification to visitors and readily accessible opt-out mechanisms being provided.

French law includes the possibility of criminal sanctions being imposed for non-compliance - which can include up to 5 years in prison for a breach of the cookie law requirements. However it is considered extremely unlikely that such penalties will be used.

Guidance on the French law can be found on the CNIL website

Germany

The German government maintain that existing legislation was sufficient to comply with the Directive, so no law has been changed.

Despite this claim, as of September 2012, draft new legislation implementing the Directive has been drawn up by the government, but not yet taken effect.

The current rules in Germany are that there needs to be an opt-in for cookies collecting personal information, but opt-out is sufficient for all other types of cookies.

Germany has a federal system, meaning that there are separate data protection authorities in each state responsible for enforcement.

Some authorities are of the opinion that the Directive takes direct effect in German law.

Greece

The law came into effect on 10 April 2012. The Directive was transposed into Law 4070/2012.

There are no requirements for consent to be explicit or prior to the setting of cookies. Browser settings are considered appropriate for indicating consent.

Greece's Data Protection Authority has been given powers to determine the requirements for information and the method of consent.

Hungary

A new law for Hungary came into effect on 3 July 2011. This is actually more relaxed than previous requirements - the idea of consent being given prior to the setting of cookies was removed from the revised legislation.

The change is in Amended section 155.4 of Act C of 2003 on Electronic Communications.

Ireland

The law is in force. There is no official guidance on how to comply.

Italy

The law is now force. There is a clear Opt-in requirement - which is made clear in guidance from the Italian data protection authority.

Users are expected to be informed in advance of the use of cookies - and to have given their consent.

Consumer associations and industry views are being sought on the best ways to inform consumers in a standardised way, to aid public understanding.

An FAQ on the Garante (Italian Data Protection Authority) website provides some guidance to Italian websites wishing to comply with the law: FAQ

A consultation was also launched in December 2012: Public Consultation

Latvia

The law is in force. Consent via the browser is not sufficient.

Lithuania

The law is in force. Consent via the browser is not sufficient.

Luxembourg

The law is in force. Consent can be obtained via the browser.

Malta

No information.

The Netherlands

The EU initially started proceedings but the law is now in force in The Netherlands. The Dutch law requires explicit consent for the use of cookies - one of the strictest interpretations of the EU Directive.

An additional 'burden-of-proof' requirement comes into force on 1 Jan 2013, particularly for tracking cookies used in behavioural advertising.

With this in place OPTA the Dutch regulator will not need to prove that data processing is taking place with tracking cookies - site owners will need to prove that it is not - which will make enforcement easier for the regulator.

It is reported that OPTA is looking into automated methods of enforcement.

In late December 2012, a change in advice allows that first party analytics cookies may be set, under certain circumstances, without prior visitor consent. OPTA will be responsible for determining what those conditions are.

Norway

Norway is not part of the EU but is consulting on changing the law in respect of cookies. It is expected to be an opt-out regime and industry is being encouraged to develop self-regulation.

Poland

A new law transposing the cookie directive into Polish law was approved by the Polish parliament on Nov 16 2012, and is expected to come into force at the beginning of 2013.

The law requires that information about cookies and other local storage be unambiguous and easily understandable.

Although it allows that visitor consent may be given through adjusting browser settings, it also requires that consent should be obtained prior to any setting or reading of cookies.

It is therefore likely that websites will need to provide their own controls for users to block or allow cookies.

Portugal

Portuguese Law 46/2012 transposes the EU directive into law in Portugal, which came into effect on 30 August 2012.

The law requires prior consent for cookies - which makes it an opt-in model.

Both the Portuguese Data Protection Authority (CNPD) and the telecoms regulator (ICP-ANACOM) have powers to enforce the law.

Fines can be up to 5 million Euros - much more significant than most other countries.

CNPD is issuing guidelines on how to comply with the new rules on cookies.

Romania

Law is not yet in force.

Slovakia

The law is in force. Consent may be obtained from browser settings.

Slovenia

Law is not yet in force. The EU has initiated legal proceedings for failure to take appropriate action.

Spain

The regulator is the Spanish Data Protection Authority (AEPD). They issued guidance on compliance on 29 April 2013 – you can find the document here (Spanish only).

It states that cookie notices should be sufficiently visible in the header or footer of the website, and encourages the use of layered information.

Implied consent is allowed, however the guide also states that silence or inaction does not make for valid consent.

There is no news on enforcement as of Summer 2013, however the Spanish data protection authority has historically issued more fines for breaches of other data protection laws, than the rest of the EU put together.

Sweden

The law came in to force on July 1 2011.

The Post and Telecom Authority, PTS is responsible for the legislation. [1]

Their guidance is not prescriptive about how websites should obtain consent, but states that they would rather website owners work out the best way to achieve this.

Some useful guidance on the law (in English) can be found here.

United Kingdom

The law is in force. See Cookie Law in the UK.

EU Cookie Directive