Cookie Laws by Country: An EU & EEA Guide
While the ePrivacy Directive and the GDPR provide a common framework across the European Union, each member state has transposed the ePrivacy Directive into national law with its own nuances. Enforcement intensity, interpretation of exemptions, and the size of fines vary significantly from country to country. This guide covers the key cookie law specifics for twelve major European markets.
Quick Reference Table
| Country | Authority | National Law | Enforcement Level | Notable |
|---|---|---|---|---|
| Germany | State DPAs + BfDI | TTDSG (2021) | High | Decentralized enforcement; PIMS framework |
| France | CNIL | Loi Informatique et Libertés | Very High | Record fines; detailed cookie guidelines |
| Italy | Garante | Privacy Code (D.Lgs. 196/2003) | High | Comprehensive 2021 cookie guidelines |
| Spain | AEPD | LSSI-CE + LOPDGDD | Moderate | History of analytics exemption debate |
| Netherlands | AP | Telecommunicatiewet | High | Strict cookie wall prohibition |
| Belgium | APD/GBA | ePrivacy Act (2012) | Moderate | IAB Europe TCF ruling |
| Austria | DSB | TKG 2021 | Moderate-High | Early Google Analytics rulings |
| Denmark | Datatilsynet | Cookiebekendtgørelsen | Moderate | Increasing enforcement since 2022 |
| Sweden | IMY | LEK (2003:389) | Moderate-High | Major fines in 2023-2024 |
| Ireland | DPC | SI 336/2011 | Moderate | Hub for Big Tech; scrutinized for enforcement pace |
| Poland | UODO | Telecommunications Law | Moderate | Growing enforcement activity |
| Norway | Datatilsynet | Ekomloven | Moderate | EEA member; follows EDPB guidance closely |
Germany
Enforcement authority: Federal Commissioner for Data Protection (BfDI) at the federal level, plus 16 state Data Protection Authorities (Landesdatenschutzbehörden).
National law: The Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), which came into effect on 1 December 2021, consolidated Germany's cookie rules. Section 25 TTDSG transposes Article 5(3) of the ePrivacy Directive, requiring consent for storing or accessing information on end-user devices unless the storage is strictly necessary.
Key requirements: The TTDSG clarified that consent for cookies must meet the GDPR standard. Germany's Federal Court of Justice (BGH) had already confirmed this when implementing the Planet49 ruling (May 2020), holding that pre-ticked checkboxes are insufficient. The TTDSG also introduced provisions for recognized Personal Information Management Systems (PIMS), which would allow users to manage consent preferences centrally rather than on each website — though implementing regulations for PIMS have been slow to materialize.
Enforcement: Germany's decentralized enforcement structure means that cookie compliance enforcement varies by state. The Berlin, Hamburg, and Baden-Württemberg DPAs have been among the most active. The Conference of Data Protection Authorities (DSK) periodically issues joint positions on cookie consent requirements.
Notable actions: Multiple investigations into cookie banners that used dark patterns, particularly "nudging" designs where the accept button was visually prominent while the reject option was de-emphasized. Fines have generally been lower than in France but enforcement activity has increased steadily since the TTDSG came into force.
France
Enforcement authority: Commission Nationale de l'Informatique et des Libertés (CNIL).
National law: Loi Informatique et Libertés (Law No. 78-17), amended to implement the ePrivacy Directive. The CNIL issued comprehensive cookie guidelines in September 2020 with a compliance grace period ending 31 March 2021.
Key requirements: France is the strictest major EU market for cookie compliance. The CNIL's guidelines require: consent before any non-essential cookie is set; a reject option on the first layer of the banner that is as easy to use as the accept option; no cookie walls (with limited exceptions affirmed by the Conseil d'État); and detailed information about each cookie purpose.
Audience measurement exemption: The CNIL provides a limited exemption for audience measurement cookies that meet strict conditions: the tool must be configured to produce only anonymous statistical data, cookies must be limited to the publisher's site, the cookie lifetime must not exceed 13 months, and the data must not be combined with other processing. Tools like Matomo (with specific configuration) and AT Internet have been recognized under this exemption. Google Analytics does not qualify.
Notable fines: France has issued the largest cookie-related fines in Europe. Google LLC was fined €150 million in December 2021 for making cookie rejection harder than acceptance. Facebook was fined €60 million in the same action. Microsoft was fined €60 million in December 2022. TikTok was fined €5 million in December 2022. Criteo was fined €40 million in June 2023. In total, the CNIL has imposed over €400 million in cookie-specific fines.
Italy
Enforcement authority: Garante per la protezione dei dati personali (Garante).
National law: Privacy Code (Decreto Legislativo 196/2003), amended to align with the GDPR. The Garante issued comprehensive cookie guidelines on 10 June 2021, with compliance required by 10 January 2022.
Key requirements: The Garante's 2021 guidelines are among the most detailed in Europe. They specify: a first-layer banner with an accept button and a prominently displayed reject button (marked with an "X" or "Continue without accepting"); a second layer accessible from the first banner with granular cookie category controls; that scrolling explicitly does not constitute consent; and that cookie consent must be re-requested after a maximum of 6 months.
Notable: The Garante introduced the concept of requiring a specific "close" button on cookie banners rather than allowing continued browsing to serve as rejection. The guidelines also addressed analytics cookies, requiring consent for all third-party analytics and allowing a limited exemption only for first-party analytics tools with properly anonymized data.
Spain
Enforcement authority: Agencia Española de Protección de Datos (AEPD).
National law: Ley de Servicios de la Sociedad de la Información (LSSI-CE) and Ley Orgánica de Protección de Datos (LOPDGDD).
Key requirements: Spain initially took a more lenient approach to cookie compliance, with the AEPD's 2013 cookie guide suggesting that certain analytics cookies might be used under a legitimate interest basis. However, the AEPD has progressively aligned with the stricter European consensus following the EDPB's guidance and the Planet49 ruling. Current AEPD guidance requires prior consent for analytics and marketing cookies.
Notable actions: The AEPD fined Vueling Airlines €30,000 in 2020 for a cookie banner that only provided an accept option with no way to reject cookies. CaixaBank was fined €6 million in 2021, partly related to data processing practices connected to cookie-based tracking. More recently, the AEPD has focused on cookie walls and dark patterns in consent interfaces.
Netherlands
Enforcement authority: Autoriteit Persoonsgegevens (AP).
National law: Telecommunicatiewet (Telecommunications Act), Article 11.7a.
Key requirements: The Netherlands has taken one of the strictest positions on cookie walls in Europe. The AP has clearly stated that making access to a website conditional on accepting cookies is not valid consent, because consent is not "freely given" if the alternative is losing access to the service. The AP also requires explicit consent before any tracking cookies are set and has been critical of consent management platforms that use manipulative design.
Notable actions: The AP has investigated numerous websites for cookie compliance failures and has issued guidance specifically targeting dark patterns in cookie banners. The authority also participated in coordinated sweeps of government websites for cookie compliance. In 2024, the AP increased its enforcement activity against smaller organizations, signaling that cookie compliance expectations apply regardless of company size.
Belgium
Enforcement authority: Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA).
National law: Act of 13 June 2005 on electronic communications, amended by the Act of 10 July 2012.
Key requirements: Belgium follows the standard ePrivacy Directive requirements. The Belgian DPA became globally significant in cookie regulation when it ruled on the IAB Europe Transparency and Consent Framework (TCF) in February 2022, finding that the TCF's consent string constituted personal data and that IAB Europe was a joint controller. This ruling, partially upheld by the CJEU in March 2024, has implications for every website using the TCF for cookie consent management.
Notable: The IAB TCF ruling sent shockwaves through the online advertising industry, as the TCF is the most widely used consent framework for programmatic advertising in Europe. While IAB Europe has implemented changes to address the DPA's concerns, the case highlighted the risks of relying on industry-designed consent frameworks that may not fully meet GDPR requirements.
Austria
Enforcement authority: Datenschutzbehörde (DSB).
National law: Telekommunikationsgesetz 2021 (TKG 2021), Section 165.
Key requirements: Austria's cookie rules follow the standard ePrivacy Directive framework. The Austrian DSB gained international attention in January 2022 when it became the first European DPA to rule that the use of Google Analytics violated the GDPR, specifically regarding transfers of personal data to the United States following the Schrems II ruling. While this was primarily a data transfer issue, it had direct implications for cookie compliance, as Google Analytics cookies were found to constitute personal data transferred to a third country without adequate safeguards.
Notable: The Google Analytics ruling triggered a cascade of similar decisions across Europe (France, Italy, and others followed suit) and accelerated the development of privacy-preserving analytics alternatives. The DSB has continued to be active on cookie and tracking technology issues.
Denmark
Enforcement authority: Datatilsynet.
National law: Cookiebekendtgørelsen (Executive Order on Information and Consent Required for the Storage of or Access to Information in End-User Terminal Equipment), implementing the ePrivacy Directive provisions.
Key requirements: Denmark requires consent for all cookies except those strictly necessary for a service explicitly requested by the user. The Datatilsynet has issued guidance confirming that analytics cookies require consent, and that continued browsing does not constitute valid consent. Danish guidance has increasingly aligned with the stricter positions taken by the CNIL and EDPB.
Notable actions: The Datatilsynet has increased its cookie enforcement activity since 2022, investigating both public and private sector websites. In 2023, the authority issued decisions against multiple Danish websites for inadequate cookie consent mechanisms, including cases where the reject option was not sufficiently visible. The Datatilsynet has also addressed the use of Google Analytics and Meta tracking pixels on Danish websites, ordering several organizations to cease using these tools without proper consent and data transfer safeguards.
Sweden
Enforcement authority: Integritetsskyddsmyndigheten (IMY).
National law: Lag om elektronisk kommunikation (LEK, 2003:389).
Key requirements: Sweden has moved from relatively low cookie enforcement to significant action in recent years. The IMY issued its first major cookie-related fines in 2023, targeting four companies (including Tele2, CDON, Dagens Industri, and Coop) for a combined total of over SEK 100 million (approximately €9 million) for using Google Analytics and sharing personal data with Google without valid consent or adequate data transfer safeguards.
Notable: The 2023 enforcement actions signaled a major shift in Sweden's approach. The IMY coordinated with other Nordic DPAs and followed the precedents set by the Austrian DSB and French CNIL on Google Analytics. The fines were among the largest issued by any Nordic DPA and established that Swedish enforcement is now on par with the strictest European authorities.
Ireland
Enforcement authority: Data Protection Commission (DPC).
National law: European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336/2011).
Key requirements: Ireland follows the standard ePrivacy Directive framework. However, the DPC's role as the lead supervisory authority for many major technology companies headquartered in Ireland (including Meta, Google, Apple, Microsoft, and TikTok) has given it outsized significance in European data protection. The DPC has issued guidance on cookie compliance and conducted audits of both public and private sector websites.
Notable: The DPC has faced criticism from other European DPAs and the European Parliament for the perceived pace of its enforcement against Big Tech. However, the DPC has issued significant GDPR fines, including a €1.2 billion fine against Meta in 2023 for data transfers. On cookies specifically, the DPC conducted website sweeps in 2020 and 2021, issuing compliance recommendations to numerous organizations. Direct cookie-specific fines from the DPC have been relatively modest compared to the CNIL.
Poland
Enforcement authority: Urząd Ochrony Danych Osobowych (UODO).
National law: Telecommunications Law (Prawo telekomunikacyjne), Article 173.
Key requirements: Poland requires consent for cookies in line with the ePrivacy Directive. The UODO has issued guidance confirming that pre-ticked boxes and continued browsing do not constitute valid consent. Polish law includes specific provisions on the information that must be provided to users about cookies, including purposes, identity of the controller, and instructions for managing cookie settings.
Notable: Poland's enforcement activity on cookies has increased, with UODO investigating complaints about non-compliant cookie banners and working with the telecommunications regulator. The UODO has participated in EU-wide coordinated enforcement sweeps and has aligned its guidance with EDPB recommendations.
Norway
Enforcement authority: Datatilsynet (Norwegian Data Protection Authority — distinct from the Danish authority of the same name).
National law: Ekomloven (Electronic Communications Act).
Key requirements: Although Norway is not an EU member state, it is a member of the European Economic Area (EEA) and has incorporated the GDPR and ePrivacy Directive into its national law through the EEA Agreement. The Norwegian Datatilsynet follows EDPB guidance closely and has been active in cookie enforcement.
Notable actions: The Norwegian Datatilsynet issued a €5 million fine to Grindr in December 2021 (later reduced to €6.5 million on appeal) for sharing user data with advertising partners without valid consent. While primarily a consent case related to data sharing rather than cookies specifically, it established important precedents for consent requirements in tracking technologies. The authority has also investigated the use of Google Analytics and other tracking tools on Norwegian websites.
Key Takeaways
Despite the variations in national implementation and enforcement, several principles are consistent across all EU and EEA countries:
- Consent is required before setting any non-essential cookie. No European country accepts a pure opt-out model for cookies.
- Consent must meet the GDPR standard: freely given, specific, informed, unambiguous, and demonstrated by a clear affirmative action.
- Reject must be as easy as accept. While the specific implementation may vary (separate button, X to close, etc.), the principle that refusing cookies must be no harder than accepting them is universal.
- Enforcement is increasing everywhere. Countries that were previously lenient are now issuing fines and formal decisions. There is no "safe" European jurisdiction for non-compliance.
- Coordinated enforcement is growing. DPAs increasingly cooperate through the EDPB and conduct coordinated sweeps, meaning non-compliance in one country is likely to attract attention in others.