setting cookies, was replicated. Implied consent is considered acceptable, while browser controls are not. The Belgian Data Protection Commission has suggested that specific aspects, such as tracking technologies requiring consent, information provision to users for valid consent, and methods for blocking third-party tracking, need further clarification. These are anticipated to be addressed by Royal decree or the Belgian Telecom Regulator (IBPT).
Bulgaria:
The law, effective from December 29, 2011, mandates sites to disclose information about cookies and grants consumers the right to reject them. Enforcement falls under the jurisdiction of the Consumer Protection Commission.
Croatia:
Although not an EU member, Croatia is incorporating EU directives as part of its commitment to joining. The Croatian law demands explicit consent.
Czech Republic:
The law is in effect, but current guidance for website owners is lacking.
Cyprus:
No information is available.
Denmark:
The law became effective in December 2011. Specific requirements dictate the level of information to be provided to site visitors. While valid consent cannot be signaled through a browser, implied consent is considered acceptable. The Danish Business Authority handles enforcement, but the Danish Media trade association is developing a self-regulation program for cookie use.
Guidance from the Danish Business Authority can be found here in English.
Estonia
Estonia has informed the EU that the Estonian Electronic Communications Act aligns with the Privacy Directive's requirements, and although not amended, it incorporates them. The legislation adopts a 'right to refuse' approach, with oversight by the Ministry of Economics.
Finland
The law is currently in force, and valid consent can be indicated through a browser.
France
The law is effective and falls under the enforcement jurisdiction of the French data protection authority (CNIL). France mandates explicit consent for cookies. However, they have issued guidelines stating that first-party analytics cookies may not require prior consent under specific conditions, such as clear notification to visitors and the provision of easily accessible opt-out mechanisms.
French law includes the potential for criminal sanctions for non-compliance, with penalties extending up to 5 years in prison for violating cookie law requirements. Despite this, it is highly improbable that such severe penalties will be applied.
Guidance on the French law can be found on the CNIL website
Germany
The German government contends that the existing legislation is adequate to adhere to the Directive, and therefore, no changes have been made to the law. However, as of September 2012, a draft of new legislation implementing the Directive has been prepared by the government but has not yet been put into effect. Present rules in Germany dictate an opt-in approach for cookies that collect personal information, while opt-out suffices for all other types of cookies. Given Germany's federal system, individual data protection authorities in each state are tasked with enforcement. Some authorities argue that the Directive has direct applicability in German law.
Greece
The law became effective on April 10, 2012, with the Directive transposed into Law 4070/2012. There are no explicit requirements for consent prior to setting cookies, and browser settings are deemed appropriate for indicating consent. Greece's Data Protection Authority has been granted the authority to define information requirements and consent methods.
Hungary
A new law for Hungary took effect on July 3, 2011, which is more lenient than previous requirements, removing the concept of consent before setting cookies from the revised legislation. This change is reflected in Amended section 155.4 of Act C of 2003 on Electronic Communications.
Ireland
The law is currently in force, and there is no official guidance on compliance.
Italy
The law is in effect, featuring a clear opt-in requirement, as emphasized in guidance from the Italian data protection authority. Users are expected to receive prior notification about the use of cookies and provide their consent. Efforts are underway to solicit input from consumer associations and industry perspectives on standardized methods of informing consumers for enhanced public understanding.
An FAQ on the Garante (Italian Data Protection Authority) website provides some guidance to Italian websites wishing to comply with the law: FAQ
A consultation was also launched in December 2012: Public Consultation
Latvia
The law is in force. Consent via the browser is not sufficient.
Lithuania
The law is in force. Consent via the browser is not sufficient.
Luxembourg
The law is in force. Consent can be obtained via the browser.
Malta
No information.
The Netherlands
The EU initially started proceedings but the law is now in force in The Netherlands. The Dutch law requires explicit consent for the use of cookies - one of the strictest interpretations of the EU Directive.
An additional 'burden-of-proof' requirement comes into force on 1 Jan 2013, particularly for tracking cookies used in behavioural advertising.
With this in place OPTA the Dutch regulator will not need to prove that data processing is taking place with tracking cookies - site owners will need to prove that it is not - which will make enforcement easier for the regulator.
It is reported that OPTA is looking into automated methods of enforcement.
In late December 2012, a change in advice allows that first party analytics cookies may be set, under certain circumstances, without prior visitor consent. OPTA will be responsible for determining what those conditions are.
Norway
Norway is not part of the EU but is consulting on changing the law in respect of cookies. It is expected to be an opt-out regime and industry is being encouraged to develop self-regulation.
Poland
A new law transposing the cookie directive into Polish law was approved by the Polish parliament on Nov 16 2012, and is expected to come into force at the beginning of 2013.
The law requires that information about cookies and other local storage be unambiguous and easily understandable.
Although it allows that visitor consent may be given through adjusting browser settings, it also requires that consent should be obtained prior to any setting or reading of cookies.
It is therefore likely that websites will need to provide their own controls for users to block or allow cookies.
Portugal
Portuguese Law 46/2012 transposes the EU directive into law in Portugal, which came into effect on 30 August 2012.
The law requires prior consent for cookies - which makes it an opt-in model.
Both the Portuguese Data Protection Authority (CNPD) and the telecoms regulator (ICP-ANACOM) have powers to enforce the law.
Fines can be up to 5 million Euros - much more significant than most other countries.
CNPD is issuing guidelines on how to comply with the new rules on cookies.
Romania
Law is not yet in force.
Slovakia
The law is in force. Consent may be obtained from browser settings.
Slovenia
Law is not yet in force. The EU has initiated legal proceedings for failure to take appropriate action.
Spain
The regulator is the Spanish Data Protection Authority (AEPD). They issued guidance on compliance on 29 April 2013 – you can find the document here (Spanish only).
It states that cookie
notices should be sufficiently visible in the header or footer of the website, and encourages the use of layered information.
Implied consent is allowed, however the guide also states that silence or inaction does not make for valid consent.
There is no news on enforcement as of Summer 2013, however the Spanish data protection authority has historically issued more fines for breaches of other data protection laws, than the rest of the EU put together.
Sweden
The law came in to force on July 1 2011.
The Post and Telecom Authority, PTS is responsible for the legislation. [1]
Their guidance is not prescriptive about how websites should obtain consent, but states that they would rather website owners work out the best way to achieve this.
Some useful guidance on the law (in English) can be found here.
United Kingdom
The law is in force. See Cookie Law in the UK.
