Privacy Regulations in Iceland

The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

Iceland implements the GDPR through Act 90/2018 as part of its EEA obligations. Cookies can only be used with informed consent, except where strictly necessary. Iceland's penalty cap at 2% of turnover (versus the EU's 4%) reflects its EEA rather than EU membership. Daily penalty fines are available for ongoing non-compliance.