National differences in ePrivacy

At a glance

Because ePrivacy is a Directive (not a Regulation), each EU country implements it in its own national law. The core rules are the same everywhere – consent for non-essential cookies – but the details vary. France and Italy have particularly strict requirements. If you operate across multiple EU markets, design for the strictest standard, so that you can be sure you’re compliant everywhere.

Here are the six markets that matter most for compliance planning.

France (CNIL)

France has one of the most active and prescriptive data protection authorities in the EU – the CNIL. Its 2020 guidelines on cookies are some of the clearest (and strictest) in Europe. Your responsibilities as a website owner (or webmestre, if you prefer):

  • “Accept” and “Reject” buttons must be equally prominent – same visual weight, same size, equally visible. CNIL fined Google €150M and Facebook €60M in early 2022 partly because rejection was harder to access than acceptance.
  • If accepting is one click, rejecting must also be one click. You cannot bury the reject option inside a “Manage Preferences” flow.
  • No hard cookie walls: CNIL has confirmed that making site access conditional on cookie acceptance is generally not freely given consent.
  • Users must be re-asked for consent every 13 months. Stored consent preferences must expire and be re-sought.
  • You must be able to prove consent was given, with date, time, and what was consented to.

CNIL conducts cookie sweeps and has issued significant fines, and not just against global tech giants. French eCommerce sites and smaller organisations have also received enforcement action.

Germany (TDDDG and 16 State DPAs)

Germany has a more complex regulatory landscape than most EU countries, largely because it has 16 state-level data protection authorities alongside a federal commissioner. This creates a patchwork where different states may take different stances.

Germany’s national ePrivacy implementation was updated and renamed as the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) in 2023, which extends the scope of the cookie consent requirement beyond traditional cookies. The differences you need to know about as a Webseitenverantwortliche are:

  • TDDDG explicitly covers all forms of accessing terminal equipment, including device fingerprinting and similar tracking technologies.
  • German courts have been clear that the use of a website does not constitute valid consent – you can’t assume consent.
  • Some German DPAs have been exploring Global Privacy Control (GPC) signals – browser-level opt-outs that should be honoured.

As you would expect with 16 state authorities, enforcement is decentralised and complex. However, major cases involving cross-border websites are typically handled by the federal authority or via cooperation.

Italy (Garante)

Italy’s Garante per la Protezione dei Dati Personali is one of the more assertive regulators in Europe. Italy has been particularly active on cookie walls and on the categorisation of cookies by analytics tools.

  • Cookie walls are generally prohibited. The Garante has issued specific guidance that cookie walls – blocking access unless users accept cookies – are incompatible with freely given consent.
  • Italy was an early mover in rejecting “implied consent” mechanisms. People must actively opt in.
  • The Garante expects that consent mechanisms genuinely prevent cookies from being set – not just notify users.
  • Italy was one of the first countries to rule that Google Analytics transferred data to the US without adequate safeguards. The Garante ordered Italian websites using GA to add specific safeguards or stop using it.

Enforcement is very active and very public in Italy. The Garante publishes its decisions and has been willing to fine Italian websites directly.

Spain (AEPD)

The Agencia Española de Protección de Datos (AEPD) has published detailed cookie guidance and takes a methodical approach to enforcement. Administradores de webes need to know:

  • The AEPD expects category-level consent, not just all-or-nothing.
  • AEPD guidance distinguishes between first-party analytics (lower risk) and third-party tracking (higher risk), with corresponding consent requirements.
  • As in Germany and Italy, the Spanish AEPD has rejected implied consent mechanisms (e.g. “by using our website you accept cookies”).
  • AEPD expects website operators to maintain evidence of which cookies are used and their purposes.

AEPD issues a high number of rulings, including many smaller fines, particularly in the eCommerce sector.

Netherlands (AP)

The Autoriteit Persoonsgegevens (AP) has taken a pragmatic but clear approach, with a focus on larger platforms and systemic violations.

  • In decisions against major Dutch publishers, AP enforcement has confirmed that “Accept” and “Reject” options must be equally prominent.
  • AP has specifically flagged deceptive design (often called “dark patterns”) as a compliance concern.

Enforcement is selective but can be incredibly punitive. AP tends to focus on systemic or high-impact violations rather than individual website audits.

Ireland (DPC)

The Data Protection Commission (DPC) is Ireland’s national authority. Because many global tech companies are headquartered in Ireland (Google, Meta, Apple), the DPC handles some of the most significant enforcement cases in Europe.

  • The same core rules apply as in other EU countries – consent is required for non-essential cookies.
  • DPC has focused its cookie enforcement on large platforms rather than small businesses.
  • The DPC is the lead supervisory authority for many US tech companies because of Ireland’s role as their EU HQ.

The DPC has had several high-profile cases with large fines (Meta, LinkedIn, WhatsApp), but is less active on smaller website operators.

The golden rule for European websites

Design for the strictest market. Generally speaking, if your banner meets France’s requirements, it will pass in most other EU countries too. Design for France, and you design for the whole EU.

However, don’t make the mistake of thinking national variations can be loopholes. Even in countries with less active enforcement, the underlying legal requirement is the same. A complaint from a French user about a non-compliant banner creates exposure even if your business is registered in Ireland.
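A sketch of "design for the strictest market" in a consent layer, as an added example that is not taken from any regulator or consent-management product: it stores a proof-of-consent record (date, time, what was chosen), expires it after the 13 months given for France, gates each category separately, and blocks everything non-essential until an active opt-in exists. The category names, the `bannerVersion` field, the function names and the choice to treat a GPC signal as a blanket opt-out are all assumptions made for illustration.

```javascript
// Added example. Category names and record fields are hypothetical.
const CATEGORIES = ["analytics", "marketing", "preferences"];
const MAX_AGE_MONTHS = 13; // re-consent interval stated for France on this page

// Build the proof-of-consent record: timestamp plus exactly what was chosen.
// Only an explicit `true` counts; missing or truthy-but-not-true values are
// treated as "not granted", so consent is never implied.
function recordConsent(choices, bannerVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { timestamp: now.toISOString(), bannerVersion, granted };
}

// Expiry = timestamp + 13 calendar months, clamped to the last day of the
// target month so that e.g. 31 January does not roll over into March.
function expiryOf(record) {
  const t = new Date(record.timestamp);
  const d = new Date(Date.UTC(t.getUTCFullYear(), t.getUTCMonth() + MAX_AGE_MONTHS, 1,
    t.getUTCHours(), t.getUTCMinutes(), t.getUTCSeconds()));
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(t.getUTCDate(), lastDay));
  return d;
}

// Decide what may load right now. `gpc` is the Global Privacy Control signal
// (navigator.globalPrivacyControl in the browser, `Sec-GPC: 1` on the server).
// Assumption: a GPC signal switches off every non-essential category.
function evaluate(record, { gpc = false, now = new Date() } = {}) {
  const expired = !record || now >= expiryOf(record);
  const allowed = { essential: true };
  for (const c of CATEGORIES) {
    allowed[c] = !expired && !gpc && record.granted[c] === true;
  }
  // No record or an expired one: nothing non-essential loads and the banner
  // (with equally prominent one-click Accept and Reject) is shown again.
  return { allowed, showBanner: expired };
}
```

Tag and script loaders should call `evaluate` before setting any non-essential cookie, so that a missing, expired or declined record actually prevents the cookie rather than only notifying the user.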