Overview
Russia's Federal Law 152-FZ governs personal data protection, with Roskomnadzor interpreting cookies as personal data when they contain identifying information. The law's strict data localization requirements — mandating that Russian citizens' data be stored on Russian servers — create unique compliance challenges for international websites.
What This Means for Your Website
- Prior opt-in consent is required for cookies containing personal data of Russian visitors
- A consent banner must be displayed on the first visit
- If cookies contain identifying data, data localization requirements may apply (storage on Russian servers)
- Breach notification must reach Roskomnadzor within 24 hours (stricter than GDPR's 72 hours)
- Electronic consent must follow specific format requirements
Key Requirements
Roskomnadzor enforces 152-FZ with significant penalties: up to RUB 6 million for processing without consent, RUB 1-6 million for first data localization offenses, and RUB 6-18 million for repeat localization violations. The 24-hour breach notification requirement and data localization obligations create operational demands beyond typical consent management. Data localization requirements were tightened in July 2025.
How ConsentStack Handles This
ConsentStack presents Russian visitors with a consent banner on first visit and blocks identifying cookies until consent is given. Consent records are maintained with the format requirements needed for Russian compliance.
Penalties
Processing without consent: up to RUB 6 million. Data localization: RUB 1-6M (first), RUB 6-18M (repeat). Breach notification failure: up to RUB 3 million.
Key Requirements
- Prior opt-in consent for non-essential cookies when containing personal data
- Data localization: Russian citizens' data must be stored on Russian servers
- 24-hour breach notification to Roskomnadzor
- Consent banners required on first visit
- Written or electronic consent with specific format requirements
Notable Provisions
- Data localization tightened July 2025 — servers in Russia may be required
- 24-hour breach notification (stricter than the GDPR's 72 hours)
- Roskomnadzor interprets cookies as personal data
- Significant penalties for data localization non-compliance (up to RUB 18M for repeat violations)
Frequently Asked Questions
Does Russia require cookie consent?
Yes, for cookies containing personal data. Roskomnadzor interprets cookies with identifying information as personal data subject to consent requirements under 152-FZ.
What is Russia's data localization requirement?
Personal data of Russian citizens must be stored on servers located within Russia. This may apply to identifying cookies. Penalties reach RUB 18 million for repeat violations.
How fast must data breaches be reported in Russia?
Within 24 hours to Roskomnadzor — significantly faster than the GDPR's 72-hour requirement.
Stay compliant with 152-FZ
ConsentStack helps you implement opt-in consent for Russia automatically.