With France and Austria deciding on data protection issues in relation to Google Analytics, many more countries have followed suit in relevant changes to so-called web browser cookies. In order to limit the amount and quality of data retrieved by providers from users, mainly without them realising the true scope of this data and the use of such data by providers, legislators are passing stricter rules on data collection.

Below is an overview of new legislation adopted to combat the extensive collection and usage of user data:


  • The current legislative environment provides a more relaxed opt-out model of user consent regarding the use of cookies. In particular, the Bulgarian Electronic Commerce Act does not expressly stipulate a general obligation to ask for user permission when installing cookies. In fact, the Electronic Commerce Act only requires that:
    • the user is informed upon their visit to the Internet web page that cookies will be installed on the user's device; and
    • the user has the option to restrict the use of cookies from the settings of their browser.
    However, this opt-out model does not apply to cookies that process personal data, as such cookies fall under the scope of GDPR and shall thus only be processed on an appropriate legal basis, such as clear affirmative consent by the user.


  • The Act on Electronic Communications (the “AEC”, most recently updated in 2017) is the tool that (among others) implements the EU Cookie Act (Directive 2009/136/EZ). The AEC requires that in case electronic communication networks are used for data storage or to access data in the user's terminal equipment, the user must give their consent after being properly notified in accordance with the GDPR.

    Exemptions are:
    • technical data storage or access that is necessary for the purpose of communications transfer; or
    • the provision of information society services at the request of a user.
  • The Croatian National Cyber Security Authority ( “CERT”) periodically issues publications on cybersecurity threats that might be connected to cookies (e.g., no cookie consent as an indicator that the web site is fake, cookies as proof of a user's digital trail, specific malware cookies, etc.).


  • Since the implementation of GDPR, there have been no draft amendments or other proposals concerning the process of regulating these aspects.
  • Basically, Law no. 506/2004 stipulates that access to information stored in terminal equipment by telecommunication service providers is only permitted if
    • the user has consented (even implicitly by setting the web browser application or other similar technologies to accept such information); or
    • on the basis of clear and comprehensive information given in accordance with the GDPR.
  • On 23 February 2022, the Slovak National Security Authority (the “Slovak NSA”) issued a warning of cyberattacks on elements of critical infrastructure.
  • The Romanian Data Protection Authority has not published any guidance / communicated any official information on the validity of Google Analytics that considers the recent position taken by other European Data Protection Regulators.


  • Pursuant to the current version of the Serbian Law on Electronic Communications, cookies are governed by the “opt-out principle”, as use of electronic communications networks and services to store or gain access to user data stored in the terminal equipment of subscribers or users is allowed on the condition that the subscriber or user concerned is provided with clear and comprehensive information about the purpose of data collection and processing and has been given an opportunity to refuse such processing.
  • Based on publicly available information, a new law has passed the public debate phase, which suggests that it may be forwarded to the Serbian parliament for adoption in the near term.


  • Slovakia has introduced a new Act on Electronic Communications, which sets out new rules regarding cookies and marketing.
  • Until now, providers were obliged to ask users for permission to use cookies. Following the legislative change, the requirements for the permission have been increased, with the exception of cookies that are essential to the operation of the website.
  • Providers must acquire verifiable consent that follows the requirements for consent set out by the GDPR.
  • The method of acquiring such consent is up to the providers; it will be interesting to see how providers will implement this new obligation.
  • Monetary sanctions for failing to acquire such consent can reach up to 10% of the provider's annual turnover.


  • On 11 January 2022, the Turkish Personal Data Protection Board (the “Board”) published draft guidelines (the “Guidelines”) in order to provide an advisory and guiding document for data controllers that process personal data through cookies. In the Guidelines, the Board mainly elaborates on the following matters:
    • The definition of and types of cookies;
    • The relationship between the Turkish Data Protection Law and Electronic Communications Law;
    • Guidance on when explicit consent is necessary regarding the use of cookies; and
    • Several cookie implementation examples (both correct and incorrect ways of usage).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.