Cookie Laws Across Europe
Each EU country is required to modify their legislation to bring the original Cookie Directive into effect.
Each member country has done or is doing this at different times and in different ways. The net result of this is that the actual requirements of the law can differ between different countries. The aim of this page is to provide an overview of what has happened where.
We try to make this as complete as possible, but information on activity in some countries is difficult to verify. We welcome contributions that would help us to keep this page up to date.
The Directive was implemented in a new Telecommunications Act, which came into force November 2011.
The requirements for cookies is under section 96.3
There is no clear guidance on compliance at this time.
A new act was passed on 28 June 2012 on electronic communications that implements the requirements of the Directive.
The wording of the Directive was replicated - which indicates a preference for consent to be obtained prior to the setting of cookies. However implied consent is considered allowable.
Browser controls are not acceptable for indicating consent.
The Belgian Data Protection Commission has recommended that crucial elements of the requirements need further clarification.
(a) what tracking technologies require consent, and what may be exempted
(b) what type of information should be provided to users so that their consent can be valid
(c) how should third party tracking be blocked/prevented.
These are expected to be clarified by Royal decree or by the Belgian Telecom Regulator (IBPT)
The law came into force on 29 December 2011. It requires sites to publish information about cookies and give consumers the right to refuse them.
The Consumer Protection Commission is the body responsible for enforcement.
Although Croatia is not a currently a member of the EU, it is adopting EU directives as part of its commitment to joining.
The law in Croatia requires explicit consent.
The law is in effect but there is no current guidance for website owners.
The law came into effect in December 2011.
There are specific requirements about the level of information required to be given to site visitors. Valid consent cannot be signalled through a browser, but implied consent is deemed to be a valid model.
Guidance from the Danish Business Authority can be found here in English.
Estonia has notified the EU that the Estonian Electronic Communications Act implements the requirements of the Privacy Directive, although it has not been amended.
The law contains a 'right to refuse' approach. The Ministry of Economics is responsible for the legislation.
The law is in effect. Valid consent can be signalled through a browser.
The law is in effect. It is enforced by the French data protection authority (CNIL). France requires explicit consent for cookies.
However they have released guidance that first party analytics cookies do not need prior consent under certain conditions - including clear notification to visitors and readily accessible opt-out mechanisms being provided.
French law includes the possibility of criminal sanctions being imposed for non-compliance - which can include up to 5 years in prison for a breach of the cookie law requirements. However it is considered extremely unlikely that such penalties will be used.
Guidance on the French law can be found on the CNIL website
The German government maintain that existing legislation was sufficient to comply with the Directive, so no law has been changed.
Despite this claim, as of September 2012, draft new legislation implementing the Directive has been drawn up by the government, but not yet taken effect.
The current rules in Germany are that there needs to be an opt-in for cookies collecting personal information, but opt-out is sufficient for all other types of cookies.
Germany has a federal system, meaning that there are separate data protection authorities in each state responsible for enforcement.
Some authorities are of the opinion that the Directive takes direct effect in German law.
The law came into effect on 10 April 2012. The Directive was transposed into Law 4070/2012.
There are no requirements for consent to be explicit or prior to the setting of cookies. Browser settings are considered appropriate for indicating consent.
Greece's Data Protection Authority has been given powers to determine the requirements for information and the method of consent.
A new law for Hungary came into effect on 3 July 2011. This is actually more relaxed than previous requirements - the idea of consent being given prior to the setting of cookies was removed from the revised legislation.
The change is in Amended section 155.4 of Act C of 2003 on Electronic Communications.
The law is in force. There is no official guidance on how to comply.
The law is now force. There is a clear Opt-in requirement - which is made clear in guidance from the Italian data protection authority.
Consumer associations and industry views are being sought on the best ways to inform consumers in a standardised way, to aid public understanding.
An FAQ on the Garante (Italian Data Protection Authority) website provides some guidance to Italian websites wishing to comply with the law: FAQ
A consultation was also launched in December 2012: Public Consultation
The law is in force. Consent via the browser is not sufficient.
The law is in force. Consent via the browser is not sufficient.
The law is in force. Consent can be obtained via the browser.
An additional 'burden-of-proof' requirement comes into force on 1 Jan 2013, particularly for tracking cookies used in behavioural advertising.
With this in place OPTA the Dutch regulator will not need to prove that data processing is taking place with tracking cookies - site owners will need to prove that it is not - which will make enforcement easier for the regulator.
It is reported that OPTA is looking into automated methods of enforcement.
In late December 2012, a change in advice allows that first party analytics cookies may be set, under certain circumstances, without prior visitor consent. OPTA will be responsible for determining what those conditions are.
Norway is not part of the EU but is consulting on changing the law in respect of cookies. It is expected to be an opt-out regime and industry is being encouraged to develop self-regulation.
A new law transposing the cookie directive into Polish law was approved by the Polish parliament on Nov 16 2012, and is expected to come into force at the beginning of 2013.
The law requires that information about cookies and other local storage be unambiguous and easily understandable.
Although it allows that visitor consent may be given through adjusting browser settings, it also requires that consent should be obtained prior to any setting or reading of cookies.
It is therefore likely that websites will need to provide their own controls for users to block or allow cookies.
Portuguese Law 46/2012 transposes the EU directive into law in Portugal, which came into effect on 30 August 2012.
The law requires prior consent for cookies - which makes it an opt-in model.
Both the Portuguese Data Protection Authority (CNPD) and the telecoms regulator (ICP-ANACOM) have powers to enforce the law.
Fines can be up to 5 million Euros - much more significant than most other countries.
CNPD is issuing guidelines on how to comply with the new rules on cookies.
Law is not yet in force.
The law is in force. Consent may be obtained from browser settings.
Law is not yet in force. The EU has initiated legal proceedings for failure to take appropriate action.
The regulator is the Spanish Data Protection Authority (AEPD). They issued guidance on compliance on 29 April 2013 – you can find the document here (Spanish only).
It states that cookie notices should be sufficiently visible in the header or footer of the website, and encourages the use of layered information.
Implied consent is allowed, however the guide also states that silence or inaction does not make for valid consent.
There is no news on enforcement as of Summer 2013, however the Spanish data protection authority has historically issued more fines for breaches of other data protection laws, than the rest of the EU put together.
The law came in to force on July 1 2011.
The Post and Telecom Authority, PTS is responsible for the legislation. 
Their guidance is not prescriptive about how websites should obtain consent, but states that they would rather website owners work out the best way to achieve this.
Some useful guidance on the law (in English) can be found here.
The law is in force. See Cookie Law in the UK.