To print this article, all you need is to be registered or login on Mondaq.com.
May 2022 – With France and Austria
deciding on data protection issues in relation to Google Analytics,
many more countries have followed suit in relevant changes to
so-called web browser cookies. In order to limit the amount and
quality of data retrieved by providers from users, mainly without
them realising the true scope of this data and the use of such data
by providers, legislators are passing stricter rules on data
collection. Below is an overview of new legislation adopted
to combat the extensive collection and usage of user data.
- The current legislative environment provides a more relaxed
particular, the Bulgarian Electronic Commerce Act does not
expressly stipulate a general obligation to ask for user permission
when installing cookies. In fact, the Electronic Commerce Act only
- the user is informed upon their visit to the Internet web page
that cookies will be installed on the user's device; and
settings of their browser.
However, this opt-out model does not apply to cookies that
process personal data, as such cookies fall under the scope of GDPR
and shall thus only be processed on an appropriate legal basis,
such as clear affirmative consent by the user.
- The Act on Electronic Communications (the
"AEC", most recently updated in 2017) is
the tool that (among others) implements the EU Cookie Act
(Directive 2009/136/EZ). The AEC requires that in case electronic
communication networks are used for data storage or to access data
in the user's terminal equipment, the user must give their
consent after being properly notified in accordance with the
- technical data storage or access that is necessary for the
purpose of communications transfer; or
- the provision of information society services at the request of
- The Croatian National Cyber Security Authority (
"CERT") periodically issues publications
on cybersecurity threats that might be connected to cookies (e.g.,
no cookie consent as an indicator that the web site is fake,
cookies as proof of a user's digital trail, specific malware
- Since the implementation of GDPR, there have been no draft
amendments or other proposals concerning the process of regulating
- Basically, Law no. 506/2004 stipulates that access to
information stored in terminal equipment by telecommunication
service providers is only permitted if
- the user has consented (even implicitly by setting the web
browser application or other similar technologies to accept such
- on the basis of clear and comprehensive information given in
accordance with the GDPR.
- On 23 February 2022, the Slovak National Security Authority
(the "Slovak NSA")
issued a warning of cyberattacks on elements of critical
- The Romanian Data Protection Authority has not published any
guidance / communicated any official information on the validity of
Google Analytics that considers the recent position taken by other
European Data Protection Regulators.
- Pursuant to the current version of the Serbian Law on
Electronic Communications, cookies are governed by the
"opt-out principle", as use of electronic communications
networks and services to store or gain access to user data stored
in the terminal equipment of subscribers or users is allowed on the
condition that the subscriber or user concerned is provided with
clear and comprehensive information about the purpose of data
collection and processing and has been given an opportunity to
refuse such processing.
- Based on publicly available information, a new law has passed
the public debate phase, which suggests that it may be forwarded to
the Serbian parliament for adoption in the near term.
- Slovakia has introduced a new Act on Electronic Communications,
which sets out new rules regarding cookies and marketing.
- Until now, providers were obliged to ask users for permission
for the permission have been increased, with the exception of
cookies that are essential to the operation of the website.
- Providers must acquire verifiable consent that follows the
requirements for consent set out by the GDPR.
- The method of acquiring such consent is up to the providers; it
will be interesting to see how providers will implement this new
- Monetary sanctions for failing to acquire such consent can
reach up to 10% of the provider's annual turnover.
- On 11 January 2022, the Turkish Personal Data Protection Board
(the "Board") published draft guidelines
(the "Guidelines") in order to provide
an advisory and guiding document for data controllers that process
personal data through cookies. In the Guidelines, the Board mainly
elaborates on the following matters:
- The definition of and types of cookies;
- The relationship between the Turkish Data Protection Law and
Electronic Communications Law;
- Guidance on when explicit consent is necessary regarding the
- Several cookie implementation examples (both correct and
incorrect ways of usage).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from European Union