Privacy Regulations in Europe

57 privacy and data protection laws across Europe

GDPR
EU + EEA
Flag of ATFlag of BEFlag of BG+27
Opt-inSupranational

The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

ePrivacy Directive
EU + EEA
Flag of ATFlag of BEFlag of BG+27
Opt-inSupranational

Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

PECR
United Kingdom
Flag of GB
Opt-in

PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

FDPA
France
Flag of FR
Opt-in

France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.

UK GDPR
United Kingdom
Flag of GB
Opt-in

The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG
Germany
Flag of DE
Opt-in

Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

KVKK
Turkey
Flag of TR
Opt-in

Turkey's KVKK is modeled on the GDPR but lacks specific cookie legislation. Cookies processing personal data require explicit consent. The 2024-2025 amendments strengthened the framework with cross-border transfer rules, expanded personal data definitions, and data portability rights. Data controllers must register with VERBIS before processing.

SI 336/2011
Ireland
Flag of IE
Opt-in

Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Italian Privacy Code
Italy
Flag of IT
Opt-in

Italy implements the ePrivacy Directive through Article 122 of the Privacy Code with detailed Garante cookie guidelines effective January 2022. Only technically necessary cookies may load by default. Scrolling is not valid consent, and closing a banner with "X" closes it without granting consent.

FADP
Switzerland
Flag of CH
Opt-in

Switzerland has no cookie-specific legislation equivalent to the ePrivacy Directive. The FDPIC issued cookie guidelines in January 2025 establishing a tiered consent model: essential cookies need only disclosure, functional cookies allow opt-out, and advertising/profiling cookies require explicit consent. Legitimate interest may justify some non-essential cookies, unlike EU law.

LSSI
Spain
Flag of ES
Opt-in

Spain implements the ePrivacy Directive through Article 22 of the LSSI. Cookie violations are classified as slight offenses with EUR 30,000 fines per URL, but multiple URLs multiply penalties. AEPD allows consent-exempt analytics under privacy-friendly configurations, similar to CNIL.

Dutch Telecom Act
Netherlands
Flag of NL
Opt-in

The Netherlands implements the ePrivacy Directive through Article 11.7a of the Telecommunications Act. The AP launched a major enforcement sweep in April 2025, warning 50 organizations for misleading cookie banners or placing tracking cookies without consent. Cookie walls are not permitted.

Danish Cookie Order
Denmark
Flag of DK
Opt-in

Denmark implements the ePrivacy Directive through the Cookie Order (Cookiebekendtgørelsen), administered by the Danish Business Authority. Cookie consent is a declared 2026 enforcement priority for Datatilsynet, which will examine whether Danish websites give users a genuine choice.

Norwegian E-Com Act
Norway
Flag of NO
Opt-in

Norway's January 2025 amendment to Ekomloven marked a major shift from tolerating passive consent to strict opt-in. Pre-ticked boxes and browser settings are now explicitly invalid. Accept and reject options must have equal prominence. Datatilsynet sanctioned 6 websites for tracking pixel violations.

152-FZ
Russia
Flag of RU
Opt-inFederal

Russia's 152-FZ does not explicitly address cookies, but Roskomnadzor interprets cookies as personal data when they contain identifying information. Russia's strict data localization requirements add an additional compliance layer — personal data of Russian citizens must be stored on Russian servers.

Portuguese ePrivacy Law
Portugal
Flag of PT
Opt-in

Portugal implements the ePrivacy Directive through Law 41/2004, with a distinctive tiered penalty structure distinguishing between large companies, SMEs, and natural persons. The CNPD issued 90 fines totaling EUR 559,950 in 2023, demonstrating active enforcement.

LEK
Sweden
Flag of SE
Opt-in

Sweden implements the ePrivacy Directive through Chapter 9 Section 28 of LEK. In April 2025, IMY issued a landmark reprimand against Aller Media for dark patterns in cookie banners. Less than 25% of Swedish users accept cookies, reflecting strong privacy awareness.

Belgian E-Communications Act
Belgium
Flag of BE
Opt-in

Belgium enforces strict cookie consent with one of the EU's most active DPAs. Cookie walls are prohibited, and a Reject all button must appear on the first layer with equal prominence to Accept all. Dark patterns in cookie banners are actively enforced against.

Polish Telecommunications Law
Poland
Flag of PL
Opt-in

Poland implements the ePrivacy Directive through Articles 173-174 of the Telecommunications Law. While Article 173(2) technically permits consent via browser settings, PUODO recommends active consent. Since 2019, Article 174 requires cookie consent to meet full GDPR standards.

Hungarian E-Communications Act
Hungary
Flag of HU
Opt-in

Hungary implements the ePrivacy Directive through Section 155 of Act C of 2003. NAIH actively enforces cookie requirements with a focus on dark patterns and equal accessibility of consent options. Reject All must be equally accessible as Accept All in cookie banners.

Finnish ISC
Finland
Flag of FI
Opt-in

Finland implements the ePrivacy Directive through Section 205 of the Information Society Code with notably strict interpretations. Browser settings are explicitly insufficient for consent, and legitimate interest is not a valid legal basis for cookies — stricter than many EU countries.

TKG 2021
Austria
Flag of AT
Opt-in

Austria implements EU cookie consent through Section 165(3) of TKG 2021, requiring opt-in consent for all non-essential cookies. A split enforcement model assigns TKG cookie violations to the Fernmeldebüro and GDPR aspects to the DSB. Cookie-specific fines are capped at EUR 50,000.

ZEK
Croatia
Flag of HR
Opt-in

Croatia's ZEK implements the ePrivacy Directive with specific cookie provisions. AZOP has been actively enforcing cookie requirements, imposing fines on companies for inadequate consent mechanisms including unclear purpose descriptions and processing data before obtaining consent.

Romanian ePrivacy Law
Romania
Flag of RO
Opt-in

Romania has historically been one of the more permissive EU countries on cookies, but ANSPDCP tightened enforcement in 2025-2026 with multiple fines for installing non-essential cookies without consent. Browser settings were previously considered potentially sufficient but this interpretation is no longer viable.

Greek ePrivacy Law
Greece
Flag of GR
Opt-in

Greece implements the ePrivacy Directive through Law 3471/2006. The HDPA issued detailed Recommendation 1/2020 with best and worst practice guidance for cookie management. Scrolling is not valid consent, and information must cover purpose, duration, controller identity, and data recipients for each cookie separately.

Czech ECA
Czech Republic
Flag of CZ
Opt-in

The Czech Republic shifted from implied consent via browser settings to full opt-in consent on January 1, 2022. Section 89(3) now requires GDPR-compliant prior consent before storing cookies. The UOOU began imposing fines on non-compliant websites in 2023.

Luxembourg E-Communications Act
Luxembourg
Flag of LU
Opt-in

Luxembourg implements the ePrivacy Directive through the Act of 30 May 2005. The CNPD requires both I accept all and I refuse all on the first layer of cookie banners. Consent validity is limited to a maximum of 12 months, making Luxembourg one of the few countries with an explicit expiration period.

Bulgarian ECA
Bulgaria
Flag of BG
Opt-in

Bulgaria transposes the ePrivacy Directive through two laws: the Electronic Commerce Act and the Electronic Communications Act. The CPDP has been increasingly active in enforcement, though national cookie penalties remain modest compared to GDPR maximums.

L.112(I)/2004
Cyprus
Flag of CY
Opt-in

Cyprus implements the ePrivacy Directive through Section 14 of L.112(I)/2004. The Commissioner for Personal Data Protection has conducted active cookie inspections since June 2021, with a strict stance that analytics cookies require prior consent. Penalties can reach EUR 200,000.

Latvian LISS
Latvia
Flag of LV
Opt-in

Latvia implements the ePrivacy Directive through the Law on Information Society Services (LISS), requiring express prior consent before placing cookies. A 2021 DVI audit of 29 websites found all 26 major e-merchants in violation of cookie requirements.

Lithuanian LOEC
Lithuania
Flag of LT
Opt-in

Lithuania implements the ePrivacy Directive through the Law on Electronic Communications. Cookie-specific penalties under national law are notably low (EUR 150-1,150), though GDPR fines apply when personal data is involved. The VDAI has published recommendations with samples of correct and incorrect consent practices.

S.L. 586.01
Malta
Flag of MT
Opt-in

Malta implements the ePrivacy Directive through S.L. 586.01, regulating cookie storage and access on user devices. Cookie walls are prohibited, and the fine structure includes both per-violation and per-day-of-continuation penalties, creating strong incentives for prompt compliance.

Slovak ECA
Slovakia
Flag of SK
Opt-in

Slovakia replaced its previous Electronic Communications Act with Act 452/2021, effective February 2022. The Act requires active opt-in consent before cookies may be placed — data collection cannot begin until the user gives active consent meeting GDPR standards.

ZEKom-2
Slovenia
Flag of SI
Opt-in

Slovenia was the last EU member state to adopt GDPR implementing legislation, with ZVOP-2 entering into force on January 26, 2023. ZEKom-2 implements the ePrivacy Directive. The national maximum fine of EUR 40,000 is the lowest in the EU, though GDPR-level fines can now be imposed through ZVOP-2.

Icelandic DPA
Iceland
Flag of IS
Opt-in

Iceland implements the GDPR through Act 90/2018 as part of its EEA obligations. Cookies can only be used with informed consent, except where strictly necessary. Iceland's penalty cap at 2% of turnover (versus the EU's 4%) reflects its EEA rather than EU membership. Daily penalty fines are available for ongoing non-compliance.

ZZPL
Serbia
Flag of RS
Opt-in

Serbia's ZZPL is modeled on GDPR principles but with significantly lower penalties. Websites tracking visitors with cookies must obtain consent via interactive banners. Cookie-specific legislation is being drafted as of early 2025. Serbia is an EU candidate country with GDPR alignment expected during accession.

Albanian DPL
Albania
Flag of AL
Opt-in

Albania enacted one of the most GDPR-aligned laws outside the EU/EEA in December 2024, incorporating both the GDPR and the Law Enforcement Directive. Penalties match GDPR levels at up to 4% of global turnover. Direct electronic marketing requires prior explicit consent with easy opt-out. Albania is an EU candidate country.

Ukraine Law 2297-VI
Ukraine
Flag of UA
Opt-in

Ukraine's Law 2297-VI is the primary data protection law but lacks cookie-specific provisions. Current penalties are extremely low (~EUR 700). A GDPR-aligned replacement draft was adopted as a basis in November 2024, proposing penalties up to 8% of turnover. Ukraine is an EU candidate country.

Estonian ECA
Estonia
Flag of EE
Opt-in

Estonia transposes the ePrivacy Directive through the Electronic Communications Act, requiring prior voluntary consent for supplementary cookies. The AKI categorizes cookies into essential and supplementary types, with comprehensive information requirements including cookie duration and third-party access.

Georgian DPL
Georgia
Flag of GE
Opt-in

Georgia's Law 3144/2023 is a GDPR-aligned data protection law entering force in phases from March 2024. While it lacks specific cookie legislation, websites must obtain consent for non-essential cookies processing personal data. Financial penalties are modest but criminal penalties including imprisonment are available for severe violations.

DPJL
Jersey
Flag of JE
Opt-in

Jersey has a GDPR-equivalent data protection regime with both EU and UK adequacy decisions in force. The DPJL provides full data subject rights, mandatory breach notification, and independent oversight by the JOIC. One of the longest-standing adequacy relationships with the EU.

Guernsey DPL
Guernsey
Flag of GG
Opt-in

Guernsey has a GDPR-equivalent data protection regime with EU adequacy since 2003 — one of the longest-standing adequacy decisions globally. UK adequacy is also granted. The ODPA provides independent enforcement for this UK Crown Dependency.

Gibraltar GDPR
Gibraltar
Flag of GI
Opt-in

Gibraltar applied the EU GDPR domestically post-Brexit, creating a full GDPR-equivalent regime for this British Overseas Territory. The consent age is lowered to 13 (versus GDPR's 16). ePrivacy-equivalent provisions apply to cookies.

Belarus Law 99-Z
Belarus
Flag of BY
Opt-in

Belarus's Law 99-Z is the country's first dedicated data protection law. It requires consent with detailed pre-consent disclosures and uniquely imposes criminal liability for unlawful data handling, with penalties up to 5 years imprisonment. Administrative fines are low but criminal sanctions are severe.

BiH DPA 2025
Bosnia and Herzegovina
Flag of BA
Opt-in

Bosnia and Herzegovina adopted a new GDPR-aligned Data Protection Act in January 2025, with enforcement beginning October 2025. The law aligns with both the GDPR and the Law Enforcement Directive, establishing GDPR-level penalties. The AZLP has been granted significant enforcement powers.

ZZLP
North Macedonia
Flag of MK
Opt-in

North Macedonia's ZZLP fully aligns with the EU GDPR, with GDPR-mirrored penalty tiers of 2% and 4% of annual income. The DZLP has faced enforcement challenges and primarily issues warnings rather than fines. Businesses must provide privacy notices on website arrival. North Macedonia is an EU candidate country.

Isle of Man Applied GDPR
Isle of Man
Flag of IM
Opt-in

The Isle of Man applied the GDPR directly into domestic law, creating a uniquely direct GDPR implementation for a non-EU jurisdiction. Both EU and UK adequacy decisions are granted. The independent Information Commissioner enforces ePrivacy-equivalent cookie provisions.

Moldovan DPL
Moldova
Flag of MD
Opt-in

Moldova enacted a comprehensive GDPR-aligned data protection law in 2024 with a two-year transition period before enforcement begins August 2026. The law transposes the GDPR including explicit consent requirements, purpose limitation, and data minimization. Cookie requirements derive from general consent provisions.

Kosovo DPL
Kosovo
Flag of XK
Opt-in

Kosovo's Law 06/L-082 transposes the EU GDPR, applying to both private and public bodies including diplomatic offices. The AIP is the independent enforcement authority. Maximum penalties are capped at EUR 40,000 per violation, well below GDPR levels. The AIP actively handles complaints and conducts investigations.

Montenegrin PDPA
Montenegro
Flag of ME
Opt-in

Montenegro adopted a new GDPR-aligned Personal Data Protection Act in 2023, replacing the previous PDPL. The AZLP gained administrative enforcement powers and can impose fines directly. However, maximum penalties remain modest at EUR 20,000, significantly below GDPR levels.

Liechtenstein DSG
Liechtenstein
Flag of LI
Opt-in

Liechtenstein implements the GDPR through its Data Protection Act 2018 and the ePrivacy Directive through the Communications Act (KomG). While the DSG is fully GDPR-aligned, the KomG has not been fully updated for the 2009 ePrivacy amendments, creating a potential gap in cookie-specific requirements.

San Marino DPL
San Marino
Flag of SM
Opt-in

San Marino has a data protection framework with an active DPA and is a member of Council of Europe Convention 108+. While not an EU member, its framework provides consent-based data protection with recognized international standards.

Monaco DPL
Monaco
Flag of MC
Opt-in

Monaco updated its data protection law in 2024, replacing the 2011 legislation with a framework providing strong protection similar to the GDPR. The CCIN serves as the independent enforcement authority. Monaco is not an EU member but has its own comprehensive data protection regime.

Faroe Islands DPA
Faroe Islands
Flag of FO
Opt-in

The Faroe Islands have a separate GDPR-aligned data protection framework, distinct from Denmark's domestic GDPR implementation despite being a Danish self-governing territory. An EU adequacy decision has been granted, enabling smooth data transfers with the EU.

Andorra DPL
Andorra
Flag of AD
Opt-in

Andorra's comprehensive data protection law replaces earlier legislation with a GDPR-aligned framework. The APDA is an independent active DPA. Andorra is not an EU or EEA member but maintains close alignment with EU standards. No EU adequacy decision has been granted yet.

Azerbaijan PIL
Azerbaijan
Flag of AZ
Opt-in

Azerbaijan's data protection law establishes a consent-based framework for processing personal information. Notably, the DPA operates under the President's office rather than being independent, which differs from the EU model of independent supervisory authorities.

Armenia PDPL
Armenia
Flag of AM
Opt-in

Armenia's data protection law requires prior express consent for processing personal data. It has a dedicated enforcement agency and is part of broader EU integration efforts through the EU-Armenia association agreement framework.