Data Protection in Albania

Online privacy

Online privacy under the Data Protection Law

The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.

Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:

Right to rectification and erasure (Article 15(2)(dh))

The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.

The right to be forgotten (Article 16)

When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.

To clarify the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer which contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently, just by reading them.

The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:

  • The right to be fully informed and to give their approval if a website (or an application) processes their data;
  • The right to keep their online communications secret (including email, the computer’s IP or modem No.);
  • The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
  • The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.

Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:

  • The identity of the controller;
  • The information collected from the users, specifying the category of personal data;
  • Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use. 

Online privacy under the Electronic Communications Law 

The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.

Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. 

The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. 

Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication. 

Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).

Last modified 28 January 2025

Not applicable.

Last modified 20 January 2025

The Electronic Communications and Information Society Services Law establishes the right of all citizens to enjoy protection against abuse or violations of their rights through the Internet or other electronic means, such as:

  • The right to confidentiality of communications and to privacy and non-disclosure of their data
  • The right to security of their information by improvement of quality, reliability and integrity of the information systems
  • The right to security on the Internet, specifically for minors
  • The right not to receive spam
  • The right to the protection and safeguarding of their consumer rights and as users of networks or electronic communications services

In view of the above, entities are generally prohibited from storing any kind of personal data without prior consent of the user. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e-communication network or if strictly necessary in order for the provider of an information society service to provide a service expressly requested by the subscriber or user.

Traffic data

The processing of traffic data is allowed when required for billing and payment purposes, but processing is only permitted until the end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data must be eliminated or made anonymous when no longer needed for the transmission of the communication.

The storage of specific information and access to that information is only allowed on the condition that the subscriber or user has provided his or her prior consent. The consent must be based on accurate, clear and comprehensive information, namely about the type of data processed, the purposes and duration of the processing and the availability of data to third parties in order to provide value added services.

Electronic communications operators may store traffic data only to the extent required and for the time necessary to market electronic communications services or provide value added services. Prior express consent is required and such consent may be withdrawn at any time.

Processing should be limited to those employees in charge of:

  • Billing or traffic management
  • Customer inquiries
  • Fraud detection
  • Marketing of electronic communications
  • Services accessible to the public
  • The provision of value added services

Notwithstanding the above, electronic communication operators should keep in an autonomous file all traffic and localization data exclusively for the purpose of:

  • Investigation
  • Detection, or
  • Prosecution of criminal offenses on Information and Communication Technologies (ICT)

Location data

Location Data processing is only allowed if the data is made anonymous or to the extent and for the duration necessary for the provision of value added services, provided prior express consent is obtained. In this case, prior complete and accurate information must be provided on the type of data being processed, as well as the purposes and duration of processing and any possibility of disclosure to third parties for the provision of value added services.

Electronic communication operators must ensure that data subjects have the opportunity to withdraw consent, or temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication, at any time. The withdrawal mechanism must be provided through simple means, free of charge to the user. Processing should be limited to those employees in charge of electronic communications services accessible to the public.

Last modified 30 December 2021

Although there are no detailed regulations on online privacy, the general rules on privacy provided by the Civil and Commercial Code are applicable in this context. Nuisances from unrequested communications may be actionable. Unauthorized collection of personal data will be subject to the general rules applicable to such data.

Last modified 28 January 2025

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

Last modified 20 January 2025

National Ordinance Person Registration

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.

Last modified 10 February 2025

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data. Specifically, there are no specific legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organization must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers' personal information complies with the Privacy Act, and the Information Commissioner has released detailed guidance on this.

Last modified 20 January 2025

EU regulation

Online privacy is specifically regulated by the TKG.

Traffic data

Traffic Data held by communications services providers (CSPs) must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained for purposes of invoicing the services. In such a case, if the invoice has been paid and no appeal has been lodged with the CSP within three months the Traffic Data must be erased or anonymized.

Location data

Location Data may only be processed for emergency services and with consent of the user. Even in case of consent, the user must be able to prohibit the processing by simple means, free of charge and for a certain time period.

Cookie compliance

The relevant section of the TKG stipulates that a user must give informed consent for the storage of personal data, which includes a cookie. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the details of the data to be stored or processed, and has to agree actively. Therefore obtaining consent via some form of pop-up or click through agreement seems advisable. Consent by way of browser settings, or a pre-selected checkbox etc. is probably not sufficient in this respect.

If for technical reasons the short term storage of content data is necessary, such data must be deleted immediately thereafter.


Austria regulation

Online privacy is still specifically regulated by the TKG, and the GDPR implementation acts have introduced only minor amendments thereto. There are no regulations regarding online privacy in the DSG itself.

Media privilege

In an effort to balance freedom of speech and freedom of information, publishers as well as owners and employees of media outlets are granted privileges regarding the processing of data for journalistic purposes (Section 9 DSG). Various limitations of data subject rights and controller obligations under the GDPR have been implemented, notably:

  • privileged data controllers are not obliged to disclose information subject to editorial secrecy;
  • processing of data subject to Art. 9 and Art. 10 GDPR is generally permitted for journalistic purposes;
  • transparency principle (Art. 5(1)(a) GDPR) is applicable only to the extent the freedom of speech and freedom of information are not disproportionally affected;
  • Arts. 13, 14 and 21(1) GDPR are not applicable, and application of Art. 15 is (i) not applicable to information that has not yet been subject to a publication and (ii) otherwise subject to additional limitations;
  • Applicability of Arts. 16 to 18 GDPR is limited;
  • A data breach notification pursuant to Art. 33 GDPR is necessary only in case of high risk for rights and freedoms of data subjects, and information to data subjects pursuant to Art. 34 GDPR is mandatory only if it does not affect editorial secrecy;
  • Chapter V GDPR is not applicable;
  • Art. 56 and Chapter VII GDPR are not applicable.

Some of the abovementioned limitations also apply to processing of data for journalistic purposes which is not conducted by publishers, owners and employees of media outlets or media services. 

Furthermore, broad exceptions from the applicability of the GDPR are stipulated if data is processed for scientific, artistic or literary purposes.

Last modified 20 January 2025

There are no rules directly regulating use of cookies in Azerbaijani legislation. However, if cookies contain any personal data, the Azerbaijani data protection rules will apply as to the use of such cookies. 

If a data subject cannot be identified based on location data alone, that data is unlikely to be deemed personal data and would fall outside the scope of personal data protection requirements.

Last modified 15 February 2022

Outside of the current provisions of DPA and legislation governing law enforcement access to one’s computing devices and encrypted data (e.g. the Interception of Communications Act, Computer Misuse Act, National Crime Intelligence Agency Act etc.), online privacy is largely unregulated and there are no specific laws aimed at the use of cookies or the collection of location data. 

Under the Electronic Communications and Transactions Act (‘ECTA’), however, Section 20 provides online intermediaries with a procedure for ‘dealing with unlawful, defamatory, etc. information’. An intermediary is defined under Section 2 ECTA as, in the context of an electronic communication, a person, including a host, who on behalf of another person sends, receives or stores, either temporarily or permanently, that electronic communication or provides related services with respect to that electronic communication. Section 20(1) states that where an intermediary has actual knowledge that information in an electronic communication gives rise to civil or criminal liability, then as soon as possible the intermediary should remove the information from any information processing system within the intermediary’s control, cease to provide or offer services in respect of that information, and notify the police of any relevant facts and of the identity of the person for whom the intermediary was supplying services in respect of the information, if the identity of that person is known to the intermediary. Similarly, Section 20(2) states that an intermediary that is aware of facts or circumstances from which the likelihood of civil or criminal liability in respect of the information in an electronic communication ought reasonably to have been known should, as soon as practicable, follow any relevant procedure set out in any code of conduct that may be applicable to the intermediary under the Act or notify the police and the relevant Minister responsible for electronic communications. The Minister may then direct the intermediary to remove the electronic communication from any information processing system within the control of the intermediary and cease to provide services to the person to whom the intermediary was supplying services in respect of that electronic communication. It can be argued that these provisions give intermediaries (e.g. telecommunications providers) facilitating communications between end users broad powers to potentially cease services or effectively censor electronic communications they deem objectionable, on the grounds that civil or criminal liability could likely arise, without any liability arising provided the action is taken in good faith.

Last modified 28 January 2025

There is no specific online privacy regulation in Bahrain.

Last modified 20 January 2025

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

Last modified 3 January 2024

There are no specific laws in respect of these matters.

Last modified 28 January 2024

Belarus law does not specifically regulate online privacy. General requirements on personal data protection apply.

Certain specific online privacy requirements can be established under the legislation. For example, personal data of a person, who is a domain name administrator, can be disclosed in online WHOIS service of Belarusian domain zone only with consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.

Last modified 20 January 2025

Cookies

Article 5 (3) of the E-Privacy Directive was initially implemented into Belgian Law by means of an amendment to article 129 of the Belgian Electronic Communication Act. By the Act of 21 December 2021 transposing the European Electronic Communications Code and amending various provisions on electronic communications, article 129 was abolished and a similar provision was inserted in the Belgian Data Protection Act by means of a new article 10/2. This amendment explicitly confirms the competence of the Belgian Data Protection Authority regarding cookies.

The use and storage of cookies and similar technologies requires:

  • the provision of clear and comprehensive information; and
  • consent of the website user.

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • strictly necessary for the provision of a service requested by the user.

The DPA has provided useful additional guidance related to topics such as cookie walls, social media plugins and the validity of consent through browser settings. Recently it published a so-called ‘Cookie Checklist’ as a guidance tool for companies to ensure the compliant use of cookies. Furthermore, the DPA has taken several enforcement decisions with regard to cookies.[1]

Location data

As location data are personal data, the processing of these data must comply with the general rules stipulated by the GDPR and the Data Protection Act (including, depending on the context, article 10/2). Neither the Data Protection Act nor the DPA Act include any other specific provisions on location data. 

In addition, article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is carried out in the framework of the provision of a service regarding traffic or location data.

The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set forth in article 123.

Traffic data

As traffic data constitute personal data, the processing of traffic data must comply with the general rules stipulated by the GDPR and the Data Protection Act (including, depending on the context, article 10/2). Neither the Data Protection Act nor the DPA Act include any other specific provisions on traffic data.

However, in accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of the communication (subject to compliance with cooperation obligations with certain authorities). 

Subject to compliance with specific information obligations and subject to specific restrictions, operators may process certain traffic data for the purposes of: 

  • invoicing and interconnection payments;
  • marketing of the operator’s own electronic communication services or services with traffic or location data (subject to the subscriber’s or end user’s prior consent); and
  • fraud detection.

Footnotes

1: Decision on the merits, 21 January 2022, nr. 11/2022; Decision on the merits, 24 May 2022, nr. 84/2022; Decision on the merits, 25 May 2022, nr. 85/2022; Decision on the merits, 16 June 2022, nr. 103/2022;  Decision on the merits, 21 February 2023, nr. 15/2023; Decision on the merits, 21 February 2024, nr. 37/2024; Decision on the merits, 6 September 2024, nr. 113/2024; Decision on the merits, 11 October 2024, nr. 131/2024; Decision on the merits, 27 November 2024, nr. 145/2024.

Last modified 31 December 2024

Not applicable.

Last modified 20 January 2025

PIPA makes special provision based on parental consent for certain uses of personal information about a child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information beyond those generally applicable to the use of personal and confidential information.

Last modified 28 January 2024

There are no specific laws addressing online privacy. Digital platforms remain unregulated in Bolivia.

Last modified 24 January 2022

Personal Data Protection Act BES

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.

Last modified 10 February 2025

The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific regulations that explicitly govern online privacy. This includes the obligation to act in accordance with the basic principles of personal data protection set out in the DP Law, as well as acting on the basis of the data subject's informed consent.

Last modified 20 January 2025

There is currently no specific online privacy legislation and no provision in the DPA and the ECTA regarding such.

Last modified 20 January 2025

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet. Violations of these rights may also be subject to civil enforcement.

Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD. Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data (e.g., where the information is linked or linkable to a particular user, IP address, device, or other particular identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

In October 2022, the ANPD published Cookie Guidelines establishing recommendations for cookie policy disclosures, such as informing users of the categories of relevant cookies, their purposes, retention periods and whether the data collected through cookies is shared. Such disclosures must be provided to the data subject in a simplified and understandable format and manner. Further, the guidelines require collection of affirmative opt-in consent, for example through cookie banners, and require that the data subject be given the possibility to reject the cookies at that time and to revoke consent at any time later on.

Last modified 28 January 2024

There are no specific restrictions on online privacy in the DPA. However, the provisions of the DPA apply where a private body is a website operator that collects personal data.

Last modified 28 January 2025

No legal requirement to have privacy policies.

Last modified 3 January 2024

Directive 2002/58 (E-Privacy Directive) is transposed into the Bulgarian Electronic Commerce Act. In 2011 the intention of the legislator was to introduce the amendments of Art. 5(3) under Directive 2009/136. However, the final adopted text still replicates the old wording before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive 2009/136 without, however, introducing the updated text.

Currently, instead of requiring the user's consent, the relevant text in the Electronic Commerce Act states that users should be provided with clear and comprehensive information in accordance with Art.13 of the GDPR and they must be given the opportunity to refuse the storage or access to such information (i.e. opt-out regime).

Last modified 27 December 2024

The Law does not provide any specific rules governing cookies and location data.

However, pursuant to Article 10 of the Law, the data controller must implement all appropriate technical and organisational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorised persons.

Last modified 20 January 2025

There are no specific online privacy requirements in Burundi.

Last modified 17 January 2024

As mentioned under the Collection and Processing and Transfer sections, the current regulations generally recognize the right to privacy and the obligation to protect data from unauthorized access. Those regulations do not specifically distinguish online privacy from privacy in general.

Last modified 20 January 2025

The law does not lay down specific rules for cookies and location data.

As the law on data protection is very recent, it is likely that cookies and location data will be provided for in the reference framework that will be established by the Personal Data Protection Authority or be the subject of a regulatory text of the Ministry of Posts and Telecommunications in the coming days.

Last modified 6 January 2025

Online privacy is governed by Canadian Privacy Statutes (discussed above). In general, Canadian privacy regulatory authorities have been active in addressing online privacy concerns.

For example, in the context of social media, the OPC has released numerous Reports of Findings addressing issues including:

  • Default privacy settings
  • Social plug-ins
  • Identity authentication practices, including data scraping and voiceprint
  • The collection, use and disclosure of personal information on social networking sites, including for marketing purposes

The OPC has also released decisions and guidance on privacy in the context of Mobile Apps.

In addition, the OPC has released findings and guidelines related to the use of cookies and online behavioral advertising, including findings indicating that information stored by temporary and persistent cookies is considered to be personal information and therefore subject to PIPEDA. The OPC has adopted the same position with respect to information collected in connection with online behavioral advertising.

In ‘Privacy and Online Behavioral Advertising’, the OPC stated that it may be permissible to use opt-out consent in the context of online behavioral advertising if the following conditions are met:

  • Individuals are made aware of the purposes for the online behavioral advertising, at or before the time of collection, in a manner that is clear and understandable
  • Individuals are informed of the various parties involved in the online behavioral advertising at or before the time of collection
  • Individuals are able to opt-out of the practice and the opt-out takes effect immediately and is persistent
  • The information collected is non-sensitive in nature (ie, not health or financial information), and
  • The information is destroyed or made de-identifiable as soon as possible

The OPC has indicated that online behavioral advertising must not be a condition of service and, as a best practice, should not be used on websites directed at children.

Canadian privacy regulatory authorities also consider location data, whether tied to a static location or a mobile device, to be personal information. As such, any collection, use or disclosure of location data requires, among other things, appropriate notice, and consent. Most of the privacy regulatory authority decisions related to location data have arisen with respect to the use of GPS in the employment context.

The Canadian privacy regulatory authorities provide the following test that must be met for the collection of GPS data (and other types of monitoring and surveillance activities):

  • Is the data demonstrably necessary to meet a specific need?
  • Will the data likely be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Are there less privacy-intrusive alternatives to achieve the same objective?

Bill 64 introduced several changes to the Quebec Private Sector Act which significantly impact online privacy. Since September 22, 2023, organizations collecting personal information by offering a product or service with privacy parameters must ensure that the highest privacy settings are enabled by default, meaning that when visitors access a website all cookies with the exception of necessary cookies, must be turned off by default. Additionally, organizations collecting personal information from persons using tracking, localization or profiling technology (including cookies, trackers, and similar technologies) have the obligation to inform the person in advance of the use of such technologies, and to inform the person of the method for activating such functions: the use of such technologies therefore requires opt-in consent. 'Profiling' is broadly defined as the collection and use of personal information in order to evaluate certain characteristics of a person such as workplace performance, economic or financial situation, health, personal preferences or interest, or behavior.

Artificial Intelligence

The OPC has also issued guidance on the appropriate use of generative AI systems and has stated that generative AI systems should be developed with the general principles of legality, appropriate purposes, necessity and proportionality, openness and accountability, and:

  • in a manner that allows individuals to meaningfully exercise their rights to access their personal information, while
  • limiting collection, use and disclosure to only what is needed to fulfill the identified purpose, and
  • implementing appropriate safeguards

In addition, the OPC has stated that developers of generative AI models should take steps to ensure that outputs are as accurate as possible.

In Quebec, Bill 64 introduced requirements about automated processing of personal information. An organization that uses personal information to render a decision based exclusively on the automated processing of that information must inform the individual of that activity (at or before the time the organization informs the individual of the decision). The organization must also, at the individual’s request, inform the individual of:

  • the personal information used to render the decision
  • the reasons and the principal factors and parameters that led to the decision, and
  • the individual’s right to have the personal information used to render the decision corrected

The organization must also give the individual the opportunity to submit observations to a member of the organization who is in a position to review the decision.

Last modified 26 January 2023

Law 132/V/2001 lays down the legal framework for data protection in the telecommunications sector. Special rules include the following:

  • any personal data obtained through phone calls performed by public operators or telecommunication public service providers must be erased or made anonymous after the phone call has ended
  • traffic data can only be processed for billing, customer information or support, fraud prevention and the selling of telecommunication services.

Last modified 16 January 2025

There are no specific restrictions addressing online privacy beyond those generally applicable to the processing of personal data under the DPA. Personal data explicitly includes online identifiers.

Last modified 28 January 2025

There is no specific restriction on the use of cookies under the Act. However, the ANSICE requires that the Data Subject be informed of the use of cookies and that his consent be collected.

Last modified 6 January 2025

There are no specific laws governing online privacy or cookies.

Last modified 28 January 2023

The general compliance obligations applicable to processing of personal information under the PIPL apply to the online (and offline) environments. In addition, the PIPL imposes additional compliance obligations on organisations that fall into one of the following categories:

  • "Important internet platform providers";
  • Data controllers processing data of a "large volume of users"; or
  • "Complex businesses".

It is still unclear which organisations would fall within these categories, but these organisations must comply with additional measures when processing personal information, namely:

  1. Set up personal information protection compliance mechanisms;
  2. Set up external independent data protection organisations to supervise data protection mechanisms;
  3. Establish platform regulations;
  4. Establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
  5. Stop the provision of products or service providers if they violate the law or regulations as regards processing of personal information; and
  6. Publish from time to time social responsibility reports as regards processing of personal information.

In terms of automated decision-making and profiling:

  • Analytics or evaluation based on computer programme around behavior, interests, hobbies, credit information, health or decision making activities, must be transparent, open and fair, and should not apply any differential treatment between individuals; and
  • Any push information or business marketing should not be directed to an individual's character and should provide individuals with a convenient way to opt out.

The Network Data Regulation sheds further light on the data protection obligations of “large scale” personal information handlers and online platform operators.

“Large Scale” Personal Information Handlers

The Network Data Regulation requires a network data handler who processes personal information of more than 10 million data subjects to:

  • appoint a network data security officer (who shall be a member of senior management) and establish a network data security management department; and 
  • if the security of network data may be affected by a network data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and / or data authority at provincial level or above.

Online Platform Operators

The Network Data Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

  • platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  • app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Network Data Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Network Data Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Apart from the PIPL and the Network Data Regulation, the CSL, Consumer Protection Law and E-Commerce Law offer protection to consumer / user personal information. As well as personal information protection, under these rules data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to supervisory authorities. Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information. Further obligations are imposed on mobile app providers, including but not limited to conducting real-name identification and undertaking information content review.

In recent years, the regulators have also issued a range of guidelines targeting mobile app providers. These guidelines introduce specific data protection and privacy obligations aiming to regulate the data collection practices and processing activities of mobile app providers. There has also been a crackdown against (suspected) non-compliant mobile apps. Organisations are advised to review their app compliance as a matter of priority.

Data subject rights (under the PIPL and other laws within the personal information framework) include rights to access and obtain information about their data held and processed, to correct their data, to request deletion of data in the event of a data breach, to object to automated decision-making, to transfer their data to a third party data controller and to de-register their account etc. Most important is the right to withdraw consent to personal information processing. The draft National Standard of Data security technology — Requirements for Personal Information Transfer Based on Request of Personal Information Subject, published for public consultation on April 4, 2024, sets out comprehensive requirements and procedures for data controllers to respond to data portability requests from data subjects. The Network Data Regulation also sets out the conditions to be met for data subjects to exercise data portability rights with network data handlers.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC. However, the use of cookies and / or similar tracking technologies, to the extent they constitute processing of personal information, should be notified to data subjects as part of a privacy policy and adequate consent should be obtained from data subjects for such use.

Last modified 20 January 2025

There is no specific regulation regarding online processing of personal data. Thus, online privacy and data processing is governed by Law 1581.

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.

Collection and use of data collected through cookies or similar online tracking tools is prohibited unless the Data Subject has provided consent. Such consent may be obtained by a pop-up informing the user about the company's privacy policy and ways for the Data Subject to review, manage or disable cookies.

Last modified 28 January 2024

The Law does not provide any specific rules for governing cookies and location data.

However, pursuant to Article 40 et seq. of the data law mentioned above, the data controller must implement all appropriate technical and organizational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorised persons.

Last modified 6 January 2025

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, apply.

Last modified 28 January 2025

EU regulation

All rules on data protection are applicable to electronic communication and online privacy as well. AZOP is in charge of control of all online data processing.

Online privacy and cookies are regulated by the Electronic Communications Act ('Official Gazette of the Republic of Croatia', nos. 73/2008, 90/2011, 133/2012, 80/2013, 71/2014 and 72/2017) which has implemented Directive 2002/58/EC on personal data processing and privacy protection in the electronic communications sector.

Use of an electronic communications network to store data, or to access data already stored, in the data subject's terminal equipment is allowed only with the data subject's consent after he / she has been clearly and completely informed of the purpose of the data processing (opt-in option).


Croatia regulation

The Act does not contain any special online privacy requirements other than those prescribed by the GDPR.

Last modified 16 January 2025

There is nothing established about online privacy, or cookies, or location data.

Last modified 16 February 2022

National Ordinance Personal Data Protection

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known. 

Last modified 10 February 2025

Part 14 of the Electronic Communications and Postal Services Law deals with the collection of location and traffic data and use of cookies (and similar technologies) by publicly available electronic communication service providers.

Traffic Data

Traffic Data concerning subscribers and users, which are submitted to processing so as to establish communications and which are stored by persons, shall be erased or made anonymous at the end of a call, except:

  • for the purpose of subscriber billing and interconnection payments, and 
  • if the subscriber or user consents that the data may be processed by a person for the purpose of commercial promotion of the services of electronic communications of the latter or for the provision of added value services. Users or subscribers have the possibility to withdraw their consent for the processing of Traffic Data at any time.

The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is not intended to prohibit any automatic, intermediate and transient storage of this information. Users or subscribers shall be given the possibility to withdraw their consent for the processing of Traffic Data at any time.

Location Data

Location Data may only be processed when made anonymous, or with the explicit consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.

The service provider must inform the users or subscribers, prior to obtaining their consent, of the following:

  • type of Location Data which will be processed 
  • the purpose and duration of the processing, and 
  • whether the data will be transmitted to a third party for the purpose of providing the value added service.

Users or subscribers shall be given the possibility to withdraw their consent for the processing of Location Data at any time.

Cookie Compliance

The storage and use of cookies and similar technologies is permitted only if the subscriber or user concerned has been provided with clear and comprehensive information, inter alia, about the purposes of the processing, and has given his consent in accordance with the Processing of Personal Data Law.

The above shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

With regards to information society services, when such services are addressed to a child and provided to him / her on the basis of his / her consent – such consent is valid if he / she is at least 14 years old.

Last modified 21 February 2022

Online privacy is also supervised by the Office. Handling personal data is subject to rules similar to those mentioned above and specific issues are governed by Act No. 127/2005 Coll. on Electronic Communications (‘AEC’).

Consent to collection and processing of personal data may be expressed by electronic means, especially by filling in an electronic form.

Public electronic communication service providers are obliged to ensure the security of the personal data they process which includes technical security and creation of internal organisational regulations.

In cases of a personal data breach a public electronic communication service provider is obliged to notify the Office "without necessary delay", and in the event that the breach of protection could very significantly affect the privacy of a certain individual, such person must be notified as well.

Apart from a few exceptions, traffic data held by a public electronic communication service provider must be erased or anonymised when it is no longer necessary for the transmission of a communication.

As regards cookies, Czech law has applied the ‘opt-in’ principle since 1 January 2022 (following an amendment to Section 89(3) of the Czech Electronic Communications Act), which finally brings it into line with other EU countries, as opt-in was introduced by Directive 2009/136/EC.

Relevant supervising and enforcing authorities in this area are primarily the Office and to some extent also the Czech Telecommunication Office.

Last modified 16 January 2024

Not applicable.

Last modified 6 January 2025

EU regulation

Traffic data

Traffic data qualifies as personal data. Providers of telecommunication services may collect and use the following traffic data to the following extent:

  • the number or other identification of the lines in question or of the terminal;
  • authorization codes, additionally the card number when customer cards are used;
  • location data when mobile handsets are used;
  • the beginning and end of the connection, indicated by date and time and, where relevant to the charges, the volume of data transmitted;
  • the telecommunications service used by the user;
  • the termination points of fixed connections, the beginning and end of their use, indicated by date and time and, where relevant to the charges, the volume of data transmitted; and
  • any other traffic data required for setup and maintenance of the telecommunications connection and for billing purposes.

Stored traffic data may be used after the termination of a connection only where required to set up a further connection, for billing purposes or where the user has requested a connection overview.

The service provider may collect and use the customer data and traffic data of subscribers and users to detect, locate, and eliminate faults and malfunctions in telecommunications systems. This applies also to faults that can lead to a limitation of availability of information and communications systems or that can lead to an unauthorized access of telecommunications and data processing systems of the users.

Otherwise, traffic data must be erased by the service provider without undue delay following termination of the connection.

Service providers must inform the users immediately if any faults in the users' data processing systems become known. Furthermore, the service provider must inform the users about measures for detecting and rectifying faults.


Denmark regulation

Directive 2009/136/EC (the ePrivacy Directive) was among other things also implemented in the Danish Act on Electronic Communications Services and Networks which came into force on May 25, 2011 in accordance with the implementation deadline in the Directive. In accordance with this act, the Danish Parliament adopted the Danish Executive Order on Electronic Communications Services and Networks which came into force on May 25, 2018 (the ‘Cookie Order’).

The Cookie Order should be read in the light of GDPR, where the rules regulate collection of data in a broader sense, not considering whether such information may be used to identify a natural person.

Under the “Cookie Order” the use of cookies requires consent. The consent must be freely given and specific. However, this does not imply that consent must be obtained each time a cookie is used, but a user must be given an option. Furthermore, the consent must be informed, which implies that a user must receive information about the consequences of consenting. To meet the information requirement, one must:

  • Provide the information in clear and explicit language that is easy to understand, or in similar imagery that is easy to understand, e.g. pictograms;
  • Explain the purpose of using cookies;
  • Tell the users who is behind the cookies used – this may be the website owner or a third party;
  • Inform the user how to give consent or reject the use of cookies;
  • Explain how the user can withdraw his or her consent;
  • State the duration of the cookies (expiry date).

Finally, the consent must be a clear indication of the user’s wishes, which entails meeting the following requirements: 

  • The user must be able to consent or refuse to consent to the use of cookies;
  • The user must be able to withdraw a previously given consent;
  • The user should easily be able to find further information about the use of cookies on the website;
  • The consent must be linked to the purpose for which the data collection is to be used.

Previously, the use of a homepage after having received relevant information could (to some extent) be considered to be a valid consent in Denmark. This is no longer the case and now a more explicit consent is required (e.g. the clicking of an “accept” button).

Last modified 16 January 2025

The Dominican Republic has not enacted specific legislation governing online privacy or the use of ‘cookies’, although the provisions of the DPL concerning data protection would apply.

Additionally, the unauthorized use of ‘cookies’ could implicate computer misuse laws prohibiting unauthorized access to computers and information therein, particularly those contained in Law No. 53-07 on high-tech crimes and felonies.

Last modified 28 January 2025

There is no specific regulation regarding processing of personal data online, therefore, this kind of processing shall be ruled by the Personal Data Protection Organic Law. 

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted. 

The use of cookies in web pages is forbidden unless the data subject has given an authorization for usage which may be obtained by a pop-up informing the user about the privacy policy and the way to disable cookies. All the other tracking systems need proper authorization from the data subject. 

Unauthorized collection of personal data will be subject to the general rules applicable to such data.

Last modified 28 January 2025

The Law does not provide any specific rules for governing cookies and location data. However, pursuant to Article (2) of the Egyptian Anti-Cybercrimes Law No. 175 of 2018, the service providers are under a duty to maintain the privacy of the data stored and not to disclose it to anyone without a reasoned order from a relevant judicial authority. Such duty includes the personal data for any of the users of the service provided by such service provider. A service provider who violates this duty shall be penalized with imprisonment for a period not less than one (1) year and/or a fine not less than EGP 5,000 (five thousand Egyptian pounds) and not exceeding EGP 20,000 (twenty thousand Egyptian pounds).

Furthermore, Article (25) of the Anti-Cybercrimes Law imposes penalties of imprisonment for a period not less than six (6) months and/or a fine not less than EGP 50,000 (fifty thousand Egyptian pounds) and not exceeding EGP 100,000 (one hundred thousand Egyptian pounds) on whoever violates the right to privacy, grants any personal data to a system or a website or sends densified e-mails without the data subject’s consent in order to promote goods or services or to publish information, news, pictures or the like, through the information network or by any means of information technology. This penalty is imposed regardless of whether the published information is correct or incorrect.

Last modified 19 January 2024

No specific regulation is in place regarding online privacy in El Salvador.

Last modified 28 January 2024

Not regulated by the law.

Last modified 6 March 2025

EU regulation

Traffic data and location data

Traffic data retention requirements apply only to communications undertakings. Providers of telephone or mobile telephone services and telephone network and mobile telephone network services, as well as providers of Internet access, electronic mail and Internet telephony services are required to preserve for a period of one year network traffic data, location data and associated data thereof which is necessary to identify the subscriber or user in relation to the communications services provided.

Cookies

Due to the opt-out system, consent to cookies is not needed. The law does not refer specifically to browser settings or other applications to be adopted in order to exercise the right to refuse. 


Estonia regulation

The PDPA specifies that if GDPR article 6(1)(a) is used with regard to providing information society services directly to a child, then the processing of the child’s personal data is permitted if the child is at least 13 years old. If the child is younger, then processing is permissible only if and to the extent to which the child’s legal representative has agreed.

Last modified 16 January 2025

There are several provisions in Ethiopian law to regulate online privacy. For example, the Computer Crime Proclamation No. 958/2016 criminalizes the unauthorized access to, and illegal interception and damage of, computer data. 

The Proclamation further prohibits the use of computer systems to disseminate advertisements absent addressee consent.

The new Media Proclamation obliges online Media to protect the data of users and obtain explicit consent from users when circumstances require users’ data to be made available to third parties.

Last modified 12 January 2023

None.

Last modified 31 January 2023

No applicable laws.

Last modified 3 January 2024

The Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) regulates online privacy matters such as the use of cookies and location data.

Cookies

A service provider is allowed to save cookies and other data in a user’s terminal device, as well as use such data, only with the consent of the user. The service provider must also give the user clear and complete information on the purposes of use of cookies.

However, the above restrictions do not apply to use of cookies only for the purpose of enabling the transmission of messages in communications networks or which is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

In April 2021, the Helsinki Administrative Court ruled in its decision that the competent supervisory authority in cookie consent issues is the Transport and Communications Agency Traficom, not the Office of the Data Protection Ombudsman. However, the Office of the Data Protection Ombudsman remains the competent supervisory authority in other cookie matters.

Traficom published in September 2021 a guideline “Instructions for service providers” updating its instructions on cookie implementation on consent collection. For consent to meet the requirements set in the GDPR, users must have the opportunity to choose whether to accept or reject the terms offered. Consent can be given in a variety of ways, as long as it clearly indicates that the data subject accepts the proposal for the processing of their personal data. Valid consent cannot be given through silence, pre-ticked boxes or inactivity. Refusing and withdrawing consent must be as easy as giving consent. The controller must also be able to demonstrate the consent afterwards.

Location data

The location data associated with a natural person can be processed for the purpose of offering and using added value services, if:

  • the user or subscriber, whose data is in question, has given his / her consent;
  • the consent is otherwise clear from the context; or
  • it is otherwise provided by law.

In general, location data may only be processed to the extent necessary for the purpose of processing and it may not limit the privacy any more than absolutely necessary.

The added value service provider shall ensure that:

  • the user or subscriber located has easy and constant access to specific and accurate information on his / her location data processed, purpose and duration of its use and if the location data will be disclosed to a third party for the purpose of providing the services;
  • the above mentioned information is available and accessible to the user or subscriber prior to him / her giving his / her consent;
  • the user or subscriber has the possibility to easily and at no separate charge cancel the consent and ban the processing of his / her location data (if technically feasible).

The user or subscriber is entitled to receive the location data and other traffic data showing the location of his / her terminal device from the added value service provider or the communications provider at any time.

Last modified 4 January 2023

EU regulation

Cookies

The EU Cookie Directive has been implemented by Article 82 of the Law, which states that any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of:

  • the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s / user’s device, e.g. when visiting a website, reading an email, installing or using software or an app); and
  • the means of refusing cookies.

This provision further states that the placement of cookies requires valid consent from the subscriber or user (which can be expressed via browser settings if the user can choose the cookies he / she accepts and for which purpose), unless:

  • the sole purpose of the cookie is to allow or facilitate electronic communications; or
  • the cookie is strictly necessary to provide online communication services specifically requested by the user.

Location and traffic data

The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic communication service providers (CSPs).

All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained, for example:

  • for the purpose of finding, observing and prosecuting criminal offences;
  • for the purpose of billing and payment of electronic communications services; or
  • for the CSP’s marketing of its own communication services, provided the user has given consent thereto.

Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services), location data may be used in very limited circumstances, for example:

  • during the communication, for the proper routing of such communication; and
  • where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended. Consent can be revoked free of charge at any time.

France regulation

Cookies

The French Data Protection Supervisory Authority (CNIL) replaced its 2013 guidelines regarding cookies and trackers, which were no longer compliant with the GDPR, with revised guidelines. Following the adoption of a version of its guidelines on cookies and other trackers on July 4, 2019, which was partially annulled by a decision of France's highest administrative court, the Conseil d’Etat, on 19 June 2020, the CNIL adopted revised guidelines as well as recommendations on the practical procedures for collecting consent concerning cookies and other trackers. The CNIL’s revised guidelines, adopted by way of deliberation No. 2020-091 of September 17th, 2020, are based on Article 82 of the Law, which implements Article 5 (3) of the EU “ePrivacy” directive in French law.

While the revised guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data Protection Act, which governs the use of cookies and other trackers in France, the recommendations adopted by deliberation No. 2020-92 of September 17th, 2020, provide practical guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with the requirements of Article 82 of the French Data Protection Act. These recommendations constitute “soft law” and are not binding but provide strong references for organizations to anticipate how the CNIL may conduct its compliance investigations.

Regarding consent, the CNIL has specified that consent must be:

  • unambiguous: to align with the guidelines on consent issued by the Article 29 Working Party, the CNIL repeals its previous position according to which scrolling down, browsing or swiping through a website or app was considered as an acceptable expression of consent to cookies and allowed for cookies to be placed. Therefore, for the CNIL, continuing to navigate on a website or using an application is no longer acceptable as evidence of consent to cookies. The absence of action from the user (i.e., no choice from the user) can no longer be construed as a valid consent but should rather be construed as refusal. This marks a shift from “soft opt-in” to active consent. The revised guidelines also outline that pre-ticked boxes do not meet the GDPR standard of consent;
  • freely given: the data subject must be able to exercise freely his / her choice. The CNIL has revised (albeit subtly) its previous positioning regarding “cookie walls” (the practice of subjecting prior access to a website or application to the acceptance of cookies) – where the CNIL considered that consent could never be freely given when collected using cookie walls, the revised guidelines now specify that cookie walls are likely to hinder freely given consent. In addition, the CNIL has specified in its case law that failure to provide a means to refuse cookies “as easily” as it is to accept them (e.g., by way of dedicated buttons on a cookie banner) results in consent being not freely given, since users will lean toward accepting cookies rather than performing multiple clicks to refuse;
  • specific: consent must be tailored to each purpose. Therefore acceptance of the general terms and conditions as a whole (“bundled” consent) does not constitute valid consent;
  • informed: information to data subjects must be easily understandable by any of them. Information must be given in plain language. The use of complex technical or legal terms does not meet the requirement of prior information. Such information must at least include (i) the identity of the data controller(s) implementing the trackers (ii) a thorough list of the purpose(s) of the reading or writing operations (iii) the means available to consent or object to the use of cookies (iv) the consequences of accepting or refusing the use of cookies and (v) the right to withdraw consent;
  • evidenced: all organizations that use cookies must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users. The revised guidelines specifically provide that users’ choices, be it consent or refusal, must be (i) clearly presented to users, notably as regards the available means to exercise such choice, (ii) collected and clearly evidenced (the recommendations give examples of how to ensure such evidence through the use of a consent management platform, screen capture, etc.) and (iii) recorded by data controllers, for an appropriate duration during which they would not ask the users again for their consent. Such duration may vary depending on the nature of the site or application concerned. According to the Recommendations, a good practice in that respect is 6 months – at the expiry of that term, controllers could ask users again to consent (or refuse) to the use of cookies and trackers; and
  • revocable: organizations are encouraged to put in place user-friendly solutions to allow users to withdraw their consent as easily as they gave it. The CNIL highlights the fact that means to refuse cookies and trackers must be “as easy” as means available to accept use thereof. As a result, users must not be subjected to complex procedures for refusing cookies and trackers and withdrawing their consent, which they must be able to do at any time. To that end, the CNIL provides practical examples and good practices in the Recommendations, from the use of a “reject all” button to the availability of a visible “cookies” icon enabling users to configure their choices and withdraw their consent.

The revised guidelines do not provide a general rule regarding the data retention of cookies and the information collected via such cookies. The CNIL simply recommends that the user’s consent (or refusal) is renewed every 6 months. However, the CNIL has maintained, as guidance, the following data retention terms for certain analytics cookies that do not require users’ consent:

  • the lifetime of these cookies should be limited to a period that allows a relevant comparison of audiences over time, as is the case with a period of 13 months, and is not automatically extended for new visits;
  • the information collected via these cookies is kept for a maximum period of 25 months; and
  • the above-mentioned lifetimes and retention periods are periodically reviewed to ensure that they are limited to what is strictly necessary.

The CNIL regularly undertakes massive online investigations (whether spontaneously or following user complaints) in order to check compliance with its guidelines. Further to said investigations, several waves of formal notices have been sent to organizations from different sectors (major platforms of the digital economy, e-commerce companies, car rental companies, public service authorities, bank companies, etc.).

The CNIL has also fined companies for non-compliance regarding the use of cookies. Heavy sanctions have been applied to GAFAM companies in particular, with administrative fines up to 90 million Euros for failures to comply with Article 82 of the Law. It is interesting to note that, in its decisions regarding cookies, the CNIL asserts its competence even where the sanctioned company has a designated Lead Authority, on the ground that the French Supervisory Authority remains the competent authority to control compliance with the e-Privacy Directive requirements, which are specific rules prevailing over the general rules resulting from the GDPR, so that the “One Stop Shop” process does not apply.

In March 2023, the CNIL announced that user tracking by mobile phones was a priority topic for its investigations in 2023. The CNIL indicated that it carried out several investigations on applications that access identifiers generated by mobile operating systems in the absence of user consent. Following these investigations, the CNIL adopted specific guidelines in September 2024 to help professionals design privacy-friendly mobile applications. The CNIL has announced that from spring 2025 it will carry out new investigation campaigns on mobile applications to make sure these guidelines are complied with. 

In July 2024, the CNIL analyzed the consequences of the end of third-party cookies and the development of alternative techniques for ad targeting purposes, including Google’s Privacy Sandbox. The CNIL has recalled the importance of obtaining user consent in this context (e.g. through App Tracking Transparency on Apple devices).

Open data and reuse of publicly available data

In June 2024, the CNIL published several recommendations on open data and on the reuse of publicly available data (e.g. on how to identify the applicable legal basis, on how to inform data subjects, on how to ensure compliance with the minimization principle). The CNIL also published specific recommendations applicable to specific use cases involving the reuse of publicly available data (e.g. to create professional directories or to compile / enrich files for direct marketing purposes).

Artificial intelligence and data protection

The CNIL has recently published several AI compliance tools, such as “how-to sheets” for the creation of databases (involving personal data) in order to train artificial intelligence (AI) systems and a Q&A on the use of generative AI systems.

Last modified 5 January 2025

The Law does not provide any specific rules for governing cookies and location data.

However, pursuant to Article 113 et seq. of the data law mentioned above, the data controller must implement all appropriate technical and organizational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorized persons.

Last modified 6 January 2025

There are no specific regulations governing cookies compliance, traffic data, location data, or similar matters. Consequently, any activities involving such elements that fall within the material and territorial scope of the Data Protection Law (as outlined above) must be carried out in strict adherence to the provisions and requirements set forth by the Law.

Last modified 6 January 2025

The General Data Protection Regulation (GDPR) supersedes national data protection law unless there is an opening clause constituted under GDPR. Due to Article 95 GDPR this is the case for national data protection law that was created to implement the Directive on privacy and electronic communication (Directive 2002/58/EC; "ePrivacy Directive").

German national data protection regulations for providers of telecommunication services and for providers of certain electronic information and communication services (e.g. website operators) can be found in the TDDDG, which stands alongside the GDPR and the BDSG.

Cookie compliance

The legal requirements for the use of cookies were long unclear in Germany. It was disputed whether there was any consent requirement for cookies at all, as the respective provisions of the ePrivacy Directive had not been transposed into German law until December 2021 (which was also the opinion of the German data protection authorities at that time). Cookie consent was then required as of 28 May 2020, when the German Federal Court of Justice (Bundesgerichtshof – "BGH") ruled that (former) Section 15 (3) TMG (which technically only provides for an opt-out requirement regarding the use of cookies) was to be construed as a requirement for cookie consent in the meaning of the ePrivacy Directive.

With Section 25 TDDDG, Germany finally transposed Article 5 (3) of the ePrivacy Directive into national law in December 2021, making cookie consent a legal obligation while explicitly including the definition of consent in terms of the GDPR. 

In accordance with the ePrivacy Directive, under German law consent is not required where the sole purpose of cookies (or to be more precise, of the storage of information or access to information already stored in the user's terminal equipment) is carrying out the transmission of a communication over a public telecommunications network or providing a digital service explicitly requested by a user (Section 25 (2) TDDDG).

In addition to that, the German data protection authorities have long been of the opinion that the processing of personal data enabled by the cookies used for analysis and tracking tools regularly requires consent, in particular if the tools allow third parties to collect data from website users as (joint) controllers. It remains to be seen whether this position will be upheld by the BGH or another superior German court.

Traffic data

Lawful processing of traffic data is governed by Section 9 et seqq. TDDDG and may only take place to the extent it is necessary for the purposes constituted therein or if other legal provisions require a processing. Those who provide or participate in the provision of telecommunication services have to take the technical precautions and actions necessary to protect personal data in accordance with Section 165 TKG; in this context the state of the art must be observed. In addition, the service providers are required to protect the secrecy of telecommunications, which extends to both the content of telecommunications and its detailed circumstances, in particular the fact whether someone is or was involved in a telecommunications process.

Providers of telecommunication services in terms of Section 3 (2) sentence 1 TDDDG may process traffic data for the establishment and maintaining of a telecommunications connection, remuneration inquiry and billing, fraud prevention as well as detection and remedy of disruptions regarding telecommunications systems and tracing of malicious or nuisance calls. Processing of traffic data for marketing purposes, need-based design of telecommunication services and provision of value-added services requires consent in accordance with GDPR.

Generally, traffic data shall be deleted by the service provider without undue delay after termination of each telecommunications connection or as soon as the data are no longer necessary in relation to the purpose for which they are otherwise being processed. However, data may and must be stored in case statutory retention periods under the TDDDG, TKG or other law apply.

If there is a particular and significant risk of a security incident, providers of publicly available telecommunication services shall notify the users about any possible protective or remedial measures that can be taken by users and, where appropriate, about the threat itself (Section 168 (6) TKG), in addition to their general notification obligations with respect to security incidents towards the German Federal Network Agency (Bundesnetzagentur – "BNetzA") and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – "BSI").

Location data

Publicly available telecommunication services may only process location data for the purpose of providing value-added services in case the data are rendered anonymous or processing is based on consent in terms of the GDPR (Section 13 (1) TDDDG).

Consent can be withdrawn at any time and where consent was given to the processing of location data, it must be possible, by simple means and free of charge, to temporarily prohibit the processing of such data for each connection to the network or for each transmission of a message.

The processing of location data in other contexts than telecommunication services (like for example GPS tracking) is subject to the GDPR and the BDSG.

Last modified 16 January 2025

The Data Protection Commission shall not grant an application for registration as a data controller where the appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller.

The Cybersecurity Act, 2020 (Act 1038) makes provision for certain authorized persons (as specified below) to apply to the High Court for a production order to collect subscriber information[1] or for an interception warrant to collect or record traffic data[2] or content data[3] stored in real time.

An investigative officer[4] who makes an application for a production order to collect subscriber information must demonstrate to the satisfaction of the Court that there are reasonable grounds to believe that the subscriber information associated with a specified communication and related to or connected with a person under investigation is reasonably required for the purpose of a specific criminal investigation.

A senior investigative officer[5] who makes an application to the Court for an interception warrant to collect or record traffic data stored or in real-time must demonstrate to the satisfaction of the court that there are reasonable grounds to believe that the traffic data is required for the purposes of a specific criminal investigation.

A designated officer who makes an application to the Court for an interception warrant to collect or record content data shall demonstrate to the satisfaction of the Court that there are reasonable grounds to authorise the interception of content data and associated traffic data, related to or connected with a person or premises under investigation for one of the following purposes:

  • in the interests of national security;
  • the prevention or detection of a serious offence;
  • in the interests of the economic well-being of the citizenry, so far as those interests are also relevant to the interests of national security; or
  • to give effect to a mutual legal assistance request.

Applications made in this regard must indicate the measures to be taken to ensure that the data will be procured:

  • whilst maintaining the privacy of other users, customers and third parties; and
  • without the disclosure of the subscriber information, traffic data or data of any party not part of the investigation.

Footnotes

1: Act 1038 defines "subscriber information" as any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of the services of a service provider other than traffic or content data and by which may be established (a) the type of communication service used, the technical provisions taken in respect of the communication service and the period of service; (b) the identity, postal or geographic address, telephone and other access number of the subscriber, billing and payment information available on the basis of the service agreement or arrangement; and (c) any other information on the site of the installation of a communication equipment, available on the basis of the service agreement or arrangement;

2: Pursuant to Act 1038 “traffic data” means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the origin, destination, route, time, date, size or duration of the communication or the type of underlying service;

3: Pursuant to Act 1038 “content data” means the communication content of the communication, that is, the meaning or purport of the communication, or the message or information being conveyed by the communication other than traffic data.

4: Pursuant to Act 1038 “investigative officer” means an officer of a law enforcement agency established by law.

5: Pursuant to Act 1038 “designated officer” means any of the following persons: (a) the Director-General of the Bureau of National Investigations; (b) the National Security Coordinator; (c) the Inspector-General of Police; (d) the Commissioner-General of the Ghana Revenue Authority; (e) the Director-General, Defence Intelligence; (f) the Executive Director, Economic and Organised Crime Office; (g) the Director-General, Narcotics Control Commission; (h) the Comptroller-General, Immigration Service; (i) the Director-General, Research Department of the Ministry of Foreign Affairs; (j) the Chief Executive Officer of the Financial Intelligence Centre; or (k) the Attorney-General, acting upon the request of a competent authority of a foreign country.

Last modified 19 January 2024

The Communications (Personal Data and Privacy) Regulations 2006 (the Regulations) deal with the collection of location and traffic data by public electronic communications providers ('CPs') and the use of cookies (and similar technologies).

Traffic Data

Traffic Data held by a CP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • it is being used to provide a value added service; and
  • consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CP for:

  • the management of billing or traffic;
  • dealing with customer enquiries;
  • the prevention of fraud;
  • the marketing of electronic communications services; or
  • the provision of a value added service.

Location Data

Location Data may only be processed for the provision of value added services with consent and where the identity of the user is anonymised. CPs are also required to take measures and put a policy in place to ensure the security of the personal data they process.

Cookie Compliance

The use and storage of cookies and similar technologies requires:

  • clear and comprehensive information; and
  • consent of the website user.

The GRA’s position is that positive action by the user (e.g. via the use of a tick box) will be required for the installation of cookies and that pre-enabled boxes do not amount to consent. The usual data protection principles of the Gibraltar GDPR also apply.

Note consent is not required for cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or where this is strictly necessary for the provision of a service requested by the user.

Enforcement of a breach of the Regulations is dealt with by the Information Commissioner and, if found guilty, a fine and/or imprisonment may be imposed. However, an individual may also bring an action for damages in the Supreme Court.

Last modified 19 January 2024

EU regulation

Articles 4 and 6 of Law 3471/2006 regulate the collection of location and traffic data by communications service providers (CSPs) and the use of cookies and similar technologies.

Traffic data

Traffic data of subscribers or users held by a CSP must be erased or anonymized after the termination of a communication, unless they are retained for one of the following reasons:

  • The billing of subscribers and the payment of interconnections, provided that the subscribers are informed of the categories of traffic data that are being processed and the duration of processing, which must not exceed 12 months from the date of the communication (unless the bill is disputed or unpaid).
  • Marketing of electronic communications services or value-added services, to the extent that traffic data processing is absolutely necessary and following the subscriber’s or the user’s prior express consent thereto, after his / her notification regarding the categories of traffic data that are being processed and the duration of the processing. Such consent may be freely recalled. The provision of electronic communication services by the CSP must not depend on the subscriber’s consent to the processing of his / her traffic data for other purposes (e.g. marketing purposes).

Location data

Location data may only be processed for the provision of value-added services, only if such data are anonymized or with the subscriber’s / user’s express consent, to the extent and for the duration for which such processing is absolutely necessary. The CSP must previously notify the user or the subscriber of the categories of location data that are being processed, the purposes and the duration of the processing as well as of the third parties to which the data will be transmitted for value-added services provision. The subscriber’s / user’s consent may be freely recalled and a temporary possibility to refuse processing shall be provided to the subscriber by the CSP free of charge and with simple means, every time he is connected to the network or in each transmission of communication.

Location data processing is allowed exceptionally without the subscriber’s / user’s prior consent to authorities dealing with emergencies, such as prosecution authorities, first aid or fire-brigade authorities, when the location of the caller is necessary for serving such emergency purposes.


Greece regulation

Cookies compliance

Pursuant to Article 4 (5) of Law 3471/2006, the use and storage of cookies and similar technologies is allowed when the subscriber / user has provided his express consent. The subscriber’s consent may be provided through the necessary browser adjustments or through the use of other applications, including by means of cookie pop-ups or banners, and shall meet GDPR consent requirements.

The use of cookies for purposes relating exclusively to the transmission of a communication through an electronic communications network or the provision of an information society service which the subscriber or the user has specifically requested is exempted from the aforementioned requirement.

Last modified 16 January 2025

Online privacy is not regulated.

Last modified 21 December 2021

The 2011 amendments to the Privacy and Electronic Communications Regulations 2003 by the UK in relation to cookies did not find their way into Guernsey law and there are no immediate plans for this to be done.  However, certain aspects of online privacy nevertheless remain governed by the e-Privacy Ordinance (defined under Electronic Marketing above).

As a matter of good practice:

  • the use of cookies should be identified to web users
  • cookies should be accompanied with a description of what the cookies are doing and why they are being used
  • consent should be obtained (at least initially) from the web user where the website intends to store a cookie on their device.

Consent in this context must be freely given, specific, informed and an unambiguous positive action (although it does not need to be explicit).

Traffic data held by a service provider must be erased or anonymised when it is no longer necessary for the purpose of a transmission or communication and only used for permitted purposes.  It must also be accompanied by information as to the nature of the processing.  Exceptions include if the information is being retained in order to provide a value added service to the data subject or if it is held with their consent.

Traffic data should only be processed by a service provider for (a) the management of billing or traffic, (b) customer enquiries, (c) the prevention or detection of fraud, (d) the marketing of electronic communications services, or (e) the provision of a value added service.

Location data may only be processed in circumstances where the organisation processing such data is a public communications provider, a provider of a value added service, or a person acting on the authority of such provider and only where the user / subscriber cannot be identified from that data (i.e. because they are anonymous) or for the provision of a value added service with consent.

Given the fundamental changes to the data protection regime since the e-Privacy Ordinance was introduced in 2004 and the ongoing negotiations in Europe in relation to the so-called 'e-Privacy Regulation' ("Regulation"), further amendments to the e-Privacy Ordinance are, perhaps, inevitable.  The States of Guernsey continues to monitor the progress of the draft Regulation in the meantime.

Last modified 16 January 2025

The Law on Cybersecurity and Personal Data Protection does not provide any specific rules governing online privacy. 

However, the law prohibits, and punishes with a prison sentence of one (1) to five (5) years and a fine of 30,000,000 to 200,000,000 Guinean francs, carrying out or attempting to carry out direct prospecting by any means of communication using, in any form whatsoever, the personal data of a natural person who has not expressed his/her prior written consent.

In particular, it provides that any person has the right to object, on request and free of charge, to the processing of personal data concerning him or her and intended for prospecting purposes.

Last modified 20 December 2021

No specific regulation on that matter.

Last modified 16 January 2025

There is no law or regulation that specifically regulates online privacy.

Last modified 10 February 2025

The principles as stated in the Ordinance also apply in the online environment. For example, under the Ordinance, data users have the obligation to inform data subjects of the purposes for collecting their personal data, even if personal data is collected through the Internet. If a website uses cookies to collect personal data from its visitors, this should be made known to them. Data users should also inform the visitors whether and how non‑acceptance of the cookies will affect the functionality of the website.

With the coming into effect of the Amendment Ordinance, the anti‑doxxing law is now in force in Hong Kong. It is an offence to disclose any personal data without the data subject's consent with an intent to cause harm to the data subject or any family member of the data subject.

Last modified 20 January 2025

The EC Act deals with the collection of location and traffic data by public electronic communications services providers ('CSPs') and use of cookies (and similar technologies).

Traffic Data

With certain special exceptions set out in the EC Act (eg, invoicing, collecting subscriber fees, law enforcement, national security and defense), traffic data relating to subscribers and users processed and stored by CSPs while providing such services must be erased or made anonymous when it is no longer needed.

CSPs may use certain traffic data as referred to in the EC Act for the provision of value added services or for marketing purposes subject to the subscriber’s or user’s prior consent, to the extent necessary for the provision of such services or for marketing purposes. CSPs shall provide the possibility for users or subscribers to withdraw their consent at any time.

Location Data

CSPs shall be authorized to process location data only upon the prior consent of the subscribers or users to whom the data are related, and only to the extent and for the duration as it is necessary for the provision of value added services.

Users and subscribers shall have the right to withdraw their consent at any time.

CSPs shall be required to comply with any request for location information in connection with specific subscribers or users, if made by the investigating authority, the public prosecutor, the court or the national security service pursuant to the authorization conferred in specific other legislation, to the extent required to discharge their respective duties.

Cookie Compliance

Pursuant to the EC Act, information may be stored on, or accessed from, the electronic communication terminal equipment of a subscriber or user only with the user’s or subscriber’s prior consent, given on the basis of clear and comprehensive information that includes, inter alia, the purpose of processing.

The European Data Protection Board issued guidance in respect of the interpretation of ‘consent’ and how this consent should be obtained in practice. This guidance shall apply to the implementation of cookies as well. General practice is that consent should be obtained by means of a cookie banner. It needs to be ensured that no cookies are set / placed prior to the declaration of consent.

Last modified 11 January 2024

Electronic Communication Data

The Electronic Communications Act No. 70/2022 provides that any processing of electronic communication data is prohibited, including storage, listening, recording or interception, unless it takes place with the informed consent of the user or as authorized by law.

Use of any kind of systems and equipment, including software that collects and/or stores information about the user's activities or interactions in his end equipment, provides access to information stored in his end equipment or monitors his activities is prohibited except with the informed consent of the user or as authorized by law. Despite this, the use of such equipment is permitted to gain access to information and / or to technical storage for legitimate purposes and with the knowledge of the user.

Cookies are considered to fall under the definition of equipment. If the use of cookies leads to the use of IP addresses or other personal data, the processing of such data must comply with the Data Protection Act. The processing is therefore not permissible without a legal basis. 

The processing of electronic communication data may only be carried out by individuals who are under the control of telecommunications companies and in charge of invoicing or managing electronic communications traffic, user inquiries, reporting misconduct, marketing electronic communications services or value-added services, and the processing shall be limited to what is necessary for the benefit of such activities.

Electronic communication data stored and processed by a telecommunication company must be erased or anonymized when it is no longer needed for transmission of an electronic communication. However, telecommunications companies must keep a minimum record of data on users’ telecommunications for six months in the interest of criminal investigations and public safety.

Location Data

Location data and IP addresses are considered personal data under the Data Protection Act.

Information on the location of equipment in public electronic communications networks or electronic communications services may only be processed if it cannot be linked to individual users or with their informed consent. This does not apply to entities that provide emergency services and are officially recognized as such.

Last modified 16 January 2025

There is no regulation of cookies, behavioural advertising, or location data. However, such data may include personal data, and it is advisable to obtain user consent, such as by using appropriate disclaimers.

The IT Act contains both civil and criminal penalties and offences for a variety of computer crimes. Under the IT Act, if any person introduces or causes to be introduced any computer contaminant (such as a virus) into any computer, computer system or computer network, they may be liable to pay damages to the affected person(s). Under the IT Act, ‘computer contaminant’ is defined as any set of computer instructions that are designed:

  • to modify, destroy, record, or transmit data or programs residing within a computer, computer system or computer network, or
  • by any means to usurp the normal operation of the computer, computer system or computer network.

Further, under the IT Act, any person, who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, may be subject to a prison term of up to three years and a fine up to INR 100,000 or approximately €1,098 (as at January 6, 2025).

Last modified 6 January 2025

There are currently no laws and regulations concerning cookies and location data.

Insofar as the data generated through cookies or other tracking technologies does not contain personal data, the use thereof is generally permitted. Conversely, if any such cookies or tracking technologies do collect / generate personal data, then the use thereof shall be subject to the prevailing laws and regulations on personal data protection.

Last modified 20 January 2025

There is no specific online privacy law in Iran.

Last modified 23 May 2019

EU regulation

Cookies

Consent is needed for the use of cookies unless the cookie is strictly necessary for the provision of a service to that subscriber or user. A user must be provided with ‘clear and comprehensive information’ about the cookie (including, in particular, its purposes). This information must be prominently displayed and easily accessible. The methods adopted for giving information and obtaining consent should be as ‘user friendly’ as possible. The DPC has provided regulatory guidance on cookies and other tracking technologies.

Location Data

One cannot process location data unless either:

  • such data has been made anonymous; or
  • user consent has been obtained.

A provider of electronic communication networks or services or associated facilities (i.e. a telco) must inform its users of:

  • the type of location data (other than traffic data) that will be processed;
  • the purpose and duration of the processing; and
  • whether the data will be transmitted to a third party to provide a value added service.

Users can withdraw their consent to the processing of location data.

Ireland regulation

Cookies

The use of cookies (and similar technologies) is regulated by the GDPR as well as the ePrivacy Regulations.

The ePrivacy Regulations provide that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (1) the subscriber or user has given his or her consent to that use, and (2) the subscriber or user has been provided with clear and comprehensive information which (a) is both prominently displayed and easily accessible, and (b) includes, without limitation, the purposes of the processing of the information.

The DPC’s guidance has confirmed that all cookies and tracking technology tools require consent, apart from two exceptions:

  • Communications exemption – a cookie whose sole purpose is to carry out the transmission of a communication over a network; and
  • Strictly necessary exemption – this applies to a service delivered over the internet (e.g. websites or apps) which has been explicitly requested by the user, where the use of cookies is restricted to what is strictly necessary to provide that service.

The DPC commenced enforcement action on compliance with its regulatory guidance for controllers in October 2020.

Location data

The ePrivacy Regulations deal with the collection and use of location and traffic data by electronic communications network and service providers. Location data other than traffic data relating to users or subscribers of undertakings can only be processed if (1) such data are made anonymous, or (2) the consent of the users or subscribers has been obtained to the extent and for the duration necessary for the provision of a value added service.

Last modified 17 January 2025

The PPL does not specifically address online privacy, cookies and / or location data, all of which are governed by the general restrictions detailed above, including the requirements imposed on processing databases and direct marketing and the consent, purpose and proportionality restrictions.

The PPL governs information "about a person". As such, depending upon the circumstances at hand, any non-identifiable and anonymous information (which cannot be re-identified) may reasonably be interpreted as falling outside the confines of the PPL limitations.

Last modified 25 December 2024

The Privacy Code regulates the collection and processing of traffic data and location data by the provider of a public communications network or publicly available electronic communications service and the use of cookies.

According to Section 123 of the Privacy Code, traffic data shall be erased or made anonymous when they are no longer necessary for the purpose of transmitting the electronic communication. However, traffic data can be retained for a period not longer than 6 months for billing and interconnection payments purposes or, with the prior consent of the contracting party or user (which may be withdrawn at any time), for marketing electronic communications services or for the provision of value added services.

According to Section 126 of the Privacy Code, location data may only be processed if made anonymous or if the subscriber or user has been properly informed and (s)he has given her / his prior consent (which can be withdrawn at any time).

According to Section 122 of the Privacy Code (which reflects recital 66 of the E-Cookies Directive 2009/136/EC and the amended Section 5, par. 3 of the Directive 2002/58/EC – as amended by Directive 2009/136/EC) the storing of information in the contracting party’s or user’s computer is only allowed if said contracting party or user has been properly informed and (s)he has given her / his consent.

In July 2021, the Garante released a new set of guidelines for the use of cookies and other tracking tools which introduce a number of new provisions (“New Cookie Guidelines”). Companies had to comply with the new rules starting from January 9, 2022. Among other things, the New Cookie Guidelines provide that:

  • as a general rule, scrolling or swiping a page is not considered a valid mechanism to collect the user’s consent, unless it can be proved that scrolling or swiping of the user is the result of an unequivocal choice;
  • the request of consent to cookies may not be resubmitted to the user, unless (i) the conditions for processing of personal data significantly change, (ii) it is not possible for the operator of the site to record the previous choice of the user due to a decision of the latter (e.g. deletion of cookies) and (iii) at least 6 months have expired since the previous request;
  • the user must be able to continue browsing without being tracked by cookies and he / she must be able to withdraw his / her consent at any time.

With specific reference to the configuration of the cookie banner, the Garante provides that the same shall contain the following elements:

  • a command (e.g. an “X” at the top right corner of the cookie banner) which allows the user to close the banner while keeping the default settings and therefore not to give consent to the storing of cookies or the use of other profiling techniques, or a command indicating that users continue the navigation of the site without accepting cookies;
  • a command to accept all cookies or other tracking tools;
  • a short notice on the website’s use of technical cookies and any profiling cookies or other tracking tools, with the relevant purposes;
  • a link to the extended cookie policy which indicates any other recipients of personal data, the data retention period and the rights of users; and
  • a link to a dedicated area where users can choose, in a granular way, the cookies to be installed with regards to their functionalities, third parties and categories.

Furthermore, the New Cookie Guidelines clarify that a cookie information notice shall be provided:

  • in an accessible and simple language;
  • which is easily accessible, without discriminations, also to those individuals with disabilities which require them to use assistive technologies and particular configurations;
  • also in a multi-layer and multi-channel modality;
  • which can be inserted with the website homepage or general privacy information notice, insofar as the website installs technical cookies only; and
  • which categorizes cookies and other tracking tools so as to enable distinguishing between technical cookies, analytics cookies and profiling cookies, using a clear, concise and transparent language and layout, insofar as the website installs other categories of cookies than the technical ones.

In April 2024, the EDPB issued an Opinion on pay or ok models, focusing on the principle of freely given consent in the context of such models. In this Opinion, the EDPB underscores the importance of ensuring that data subjects have a real choice when consenting to the processing of their personal data. In this regard, data controllers are encouraged to provide a free alternative version of their service that does not involve processing personal data for behavioral advertising. Although not mandatory, offering such an alternative strengthens the argument that consent is indeed freely given.

Last modified 16 January 2025

There is no law in Japan that specifically addresses cookies, but it is generally considered that cookies fall under the definition of the Personally Referable Information and thus the transfer of such data would be regulated by the APPI in certain circumstances. In addition, if the information obtained through cookies may identify a certain individual in conjunction with other easily-referenced information (e.g. member registration) and it is utilized (e.g. for marketing purposes), such Purpose of Use of information obtained through the use of cookies must be disclosed under the APPI.

Moreover, under the Telecommunications Business Act, when providing telecommunications services to users as specified in the applicable Ministry of Internal Affairs and Communications ordinance and sending a telecommunication to the user’s device that gives a command to activate the device's information transmission function which transfers the information to third parties (such as third-party cookies), the service provider must take one of the following measures: (i) notify users of the content of information to be sent, the Purpose of Use and the destination of information to be sent, or put this information in a condition where users can easily learn about it, (ii) obtain users' consent, or (iii) take opt-out measures.

Last modified 20 January 2025

Jersey has no specific law regulating online privacy; however, the DPJL and DPAJL generally apply.

Last modified 16 January 2025

The legislation in Jordan is silent in this regard.

Last modified 11 January 2024

Under the Law on Online Platforms and Online Advertising, the owner and (or) legal representative of the relevant online platform should do the following in order to protect personal data on the online platform:

  • familiarize users with the privacy policy of the online platform before completing their registration;
  • ensure the integrity, safety and confidentiality of personal data;
  • prevent the dissemination of personal data without the consent of the user or his / her legal representative;
  • immediately notify the user in case of violation of the confidentiality of his / her personal data;
  • perform other duties provided for by the Law on Personal Data and Its Protection.

Last modified 4 February 2025

Kenyan law does not regulate online privacy. The Regulations have not prescribed any requirements or guidelines in regulating online privacy.

Last modified 6 February 2025

There is no specific legislation with regard to online privacy (including cookies and location data). However, the LPPD considers location data and online identifiers as personal data (Article 3 (1) (1)). Accordingly, the processing of data which fall within the definition of the LPPD must be done in accordance with the provisions and principles of the LPPD.

Moreover, with reference to the location data, Law on Electronic Communications No.04/L-109 (“LEC”) stipulates that when location data are being processed, such data may be processed only if they are made anonymous or the users have given their consent for processing. In this line, Article 23 of LPPD provides the following: “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Law” (Article 89 LEC).

Last modified 4 February 2025

No specific provisions.

Last modified 4 February 2025

The Law on Electrical and Postal Communication establishes that all databases of telecommunication operators must be confidential and that telecom operators are obliged to keep communication data confidential.

Last modified 4 February 2025

As provided, the collection of data must receive the consent of the relevant Information Owner.

On the other hand, based on the main laws and regulations above, it is difficult to anticipate which category of data cookies and location data fall into, given the ambiguous definitions of general data, sensitive data, and personal data.

Last modified 8 January 2025

EU regulation

Specific issues of online privacy are regulated in the Electronic Communications Law and the Law on Information Society Services.

The Law on Information Society Services states that the storage of information received, including cookies or similar technologies, is permitted, provided that the consent of the person has been received after he or she has received clear and comprehensive information regarding the purpose of intended storage and data processing. Therefore, with regard to cookies Latvian law supports an opt in approach.

As to location data, the Electronic Communications Law permits the processing of location data only to ensure the provision of electronic communications services or if the express prior consent is obtained. The person whose location data is being processed has the right to revoke his or her consent or to suspend it at any time, notifying the relevant electronic communications merchant of this revocation or requested suspension.

The processing of location data for other purposes without the consent of a user or subscriber is permitted only if it is not possible to identify the person utilizing such location data or if the processing of location data is necessary for emergency services.


Latvia regulation

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding online privacy.

Last modified 4 February 2025

The Law does not identify classes or types of personal data and makes no specific mention of cookies / cookie identifiers or location data. Qualification of online identifiers as personal data shall be assessed by local courts.

Last modified 21 December 2022

There are no sections of the DP Act which regulate privacy in relation to cookies and location data. These issues may be dealt with in future regulations, which the DP Act permits the Minister to make on the recommendations of the Commission.

Last modified 20 December 2021

There are no specific provisions under Liberian laws relating to online privacy. However, data collectors are required to ensure the maximum protection of consumers and shall not disclose any information about a consumer to a third party except where (i) the institution is required by law to disclose such information, or (ii) the disclosure is made with the express consent of the consumer. Data collectors are required to ensure the integrity and adequacy of their IT and security systems.

Last modified 23 February 2024

There is no specific online privacy legislation.

Last modified 18 January 2024

EU regulation

Traffic Data

Traffic Data held by a public electronic communications services provider must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • it is being used to provide a value added service;
  • consent has been given for the retention of the Traffic Data;
  • it is required for investigation of a grave crime.

Traffic Data can only be processed by a CSP for:

  • The management of business needs, such as billing or traffic;
  • Dealing with customer enquiries;
  • The prevention of fraud;
  • The provision of a value added service.

Cookies

The use of cookies is permitted only if approved by the user (under Lithuanian law, an opt-in principle applies). However, consent is not required for cookies used for website technical structure and for cookies used for showing website content. Consent is not required for session ID cookies and for so-called 'shopping basket' cookies (these exceptions do not apply if such cookies are used for collecting statistical information on use of the website).

Clear and exhaustive information on the use of cookies, including information about the purpose of cookie-related data processing, must be provided. This information should be provided in the privacy policy of the website. Consent to the terms of the website’s privacy policy or terms of use containing the information on use of cookies is considered insufficient. Consent through web browser settings may be considered adequate only if the browser settings allow choosing what cookies may be used and for what purposes. However, considering the nature of currently used web browsers, consent through web browser settings is not considered appropriate under Lithuanian law.

Location data

Processing of location data triggers personal data processing laws. The data controller must have a legitimate basis for such personal data processing (eg, the data subject has given his consent; a contract to which the data subject is party is being concluded or performed; it is a legal obligation of the data controller under laws to process personal data; processing is necessary in order to protect vital interests of the data subject; etc.).


Lithuania regulation

The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding online privacy.

Last modified 3 February 2025

EU regulation

Traffic Data

For the purposes of the investigation, detection and prosecution of criminal offences, and solely with a view to enabling information to be made available, in so far as may be necessary, to the judicial authorities, any service provider or operator processing traffic data must retain such data for a period of six months. This obligation includes data related to the missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase such data unless made anonymous.

Traffic data may be processed for the purposes of marketing electronic communications services or providing value added services, to the extent and for the duration necessary for such supply or marketing of such services, provided that the provider of an electronic communications service or the operator has informed the subscriber or user concerned in advance of the types of traffic data processed and of the purpose and duration of the processing, and provided that the subscriber or user has given his or her consent, notwithstanding his or her right to object to such processing at any time.

Location Data other than Traffic Data

Service providers or operators have also the obligation to retain location data other than traffic data for a period of six months for the purposes of the investigation, detection and prosecution of criminal offences. This obligation includes data related to missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase such data unless made anonymous.

Service providers or operators may process location data other than traffic data relating to subscribers and users only if such data have been made anonymous or the subscriber or user concerned has given his or her consent, to the extent and for the duration necessary for the supply of a value added service.

Service providers and, where appropriate, operators shall inform subscribers or users in advance of the types of location data other than traffic data processed, of the purposes and duration of the processing and whether the data will be transmitted to third parties for the purpose of providing the value added service. Subscribers or users shall be given the possibility to withdraw their consent to the processing of location data other than traffic data at any time.

Where subscriber or user consent has been obtained for the processing of location data other than traffic data, the subscriber or user must continue to have the possibility, using a simple means free of charge, to temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication.

Cookies

Prior informed consent of a subscriber or user is required. The method of providing information and the right to refuse should be as user friendly as possible and, where it is technically possible and effective, the user's consent may be expressed by appropriate browser or application settings.


Luxembourg regulation

The CNPD published official guidelines on cookies in October 2021.

Last modified 4 February 2025

The Law also applies in the online environment.

For example, a Macau company that collects personal data from Macau residents through its website (e.g. through cookies) must fulfil all obligations under the Law imposed on data processors. In particular, the Macau company must inform data subjects of the personal data processing purpose and notify the OPDP about the personal data processing.

Last modified 19 December 2023

The Data Protection Law does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 4 February 2025

There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue in the future.

Last modified 20 January 2025

Cookie Compliance

Subsidiary Legislation 586.01, entitled ‘Processing of Personal Data (Electronic Communications Sector) Regulations' amended the regulations implementing Article 2(5) of Directive 2009/136/EC into Maltese Law. 

The Commissioner has recently published a “Guidance Note on Cookies Consent Requirements”.

Traffic Data

Under the Processing of Personal Data (Electronic Communications Sector) Regulations, traffic data relating to subscribers and users processed by an undertaking which provides publicly available electronic communications services or which provides a public communications network, must be erased or made anonymous when no longer required for the purpose of transmitting a communication.

Traffic data required for the purpose of subscriber billing or interconnection payments may be retained, provided however, that data retention is permissible only up to the period that a bill may lawfully be challenged or payment pursued.

Traffic data may be processed where the aim is to market or publicize the provision of a value-added service, however, the processing of such data shall only be permissible to the extent and for the duration necessary to render such services.

Processing of traffic data is also permissible by an undertaking providing publicly available electronic communication for the following purposes:

  • Managing billing or traffic management
  • Customer inquiries
  • Fraud detection
  • Rendering of value-added services

The Act does not introduce any new rules in this regard.

Location Data

Where location data (other than traffic data) relating to users or subscribers of public communications networks or of publicly available electronic communications services can be processed, such data may only be processed when it is made anonymous or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of a value-added service.

Prior to obtaining user or subscriber consent, the undertaking providing the service shall inform them of the following:

  • The type of location data which shall be processed
  • The purpose and duration of processing
  • Whether the processed data shall be transmitted to a third party for the purpose of providing the value-added service

A user or subscriber may withdraw consent for the processing of such location data (other than traffic data) at any time.

The Act does not change the previous position and does not derogate from the GDPR or further regulate in this regard.

Last modified 18 January 2024

The Act applies to online privacy, though it does not contain specific provisions in relation to online privacy.

Last modified 6 January 2025

The Regulations and Guidelines that address the use of cookies, web beacons and other analogous technologies require that, when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, it provides prominent notice of the use of such technologies, the fact that personal data is being collected, the type of personal data collected, the purpose of the collection, and the options to disable such technologies.

An IP address alone may be considered personal data; however, there has not been a resolution or decision issued by the competent authority on this point.

Last modified 28 January 2024

At the date of this review, Moldovan law does not specifically regulate online privacy. 

There are no specific requirements on data location, except for the requirement of the prior authorization of the cross-border transfer of data.

Last modified 16 January 2025

Prior to the use of traffic data, location data and cookies the CCIN must be notified. The use of traffic data, location data and cookies will have to comply with the provisions of the DPL.

In its Deliberation No. 2019-083 of May 15, 2019, the CCIN has specified the main principles applicable to the methods of depositing cookies and other tracers on the terminals of network users.

In this recommendation, the CCIN insists on the requirement to insert a banner appearing as soon as an Internet user arrives on the visited site. It is also requested that no cookie other than those necessary for the operation be deposited in the user's terminal without the user's consent.

The banner must not be solely for information purposes but must allow the approval or deactivation of the deposit of cookies directly on the site by a positive action of the user.

According to the CCIN, the employer cannot access the contents of private messages sent or received from the professional e-mail system without the employee's presence and agreement.

However, in order for messages to be considered private, it is necessary for employees to identify them as such for example by specifying in the message's subject key words such as "private", or "personal".

Last modified 6 February 2025

Currently, there are no laws or regulations in Mongolia regulating online privacy, including cookies and location data. Although the Data Protection Law does not address online privacy including cookies and location data, the Ministry of Digital Development, Innovation and Communications, within the authority entitled to it under the Data Protection Law and other relevant laws, may adopt regulations concerning the storage, use, disclosure and other processing of data collected on the internet.

Last modified 16 January 2025

There is no specific law or regulation explicitly governing online privacy, including cookies. Accordingly, the general data protection rules, as introduced by the DP Law, are applicable to online privacy, to the extent personal data is processed.

On the other hand, the EC Law, as defined in Breach notification, introduces relevant rules that are mandatory for the operators under this law. For example, a public electronic communication services' user is particularly entitled to the protection of their electronic communications' secrecy in compliance with the DP Law.

Further, the EC Law imposes explicit rules on traffic data and location data. Under these rules, operators are:

  • Required to retain certain traffic data and location data for certain purposes explicitly set out by the law (for example, for the detection and criminal prosecution of criminal offenders), whereas the retention period should last at least six months and would not be longer than two years ('Retention Obligation'), keeping in mind that this obligation does not apply to data which reveals a content of electronic communications.
  • Regarding traffic data related to subscribers / users which is not subject to the Retention Obligation, an operator is required to delete this data if it is no longer needed for the communication's transmission or can keep it, but only if it modifies the respective data in a way that it cannot be linked to a particular person. Apart from this, it is also prescribed that:
    • If the traffic data's retention purpose is to use it for the calculation of the costs of the relevant services / interconnection, it can be retained for as long as claims regarding the respective costs can legally be requested, but on condition that the user is informed of the purpose and duration of its processing; and that
    • If the traffic data's processing purpose is to promote and sell electronic communication services or to provide value added services, such processing is allowed, but only with the data subjects' prior consent (which can be withdrawn at any time).
  • Regarding location data which is not subject to the Retention Obligation, an operator is allowed to process it but only with the data subject's consent (which can be withdrawn at any time) or if the respective data is modified in a way that it cannot be linked to a particular person without consent.

Failure to comply with any of the above rules regarding the processing of traffic or location data which is not covered by the above-identified Retention Obligation is subject to offence liability and fines ranging from EUR 4,000 to EUR 20,000 for a legal entity, and from EUR 200 to EUR 2,000 for a responsible person in a legal entity.

Last modified 16 January 2025

The general data protection principles under the DP Law apply.

Last modified 18 January 2024

Other than the above general rule, there are no other rules applicable to online privacy.

However, the Cybersecurity Bill intends to establish the duty to ensure the integrity, confidentiality and privacy of the information systems during the communication of data using the internet.

Last modified 16 January 2025

There is no specific law. However, the Law Protecting the Privacy and Security of Citizens (2017), Electronic Transactions Law, E-Commerce Guidelines (2023), Regulation on Mobile Financial Services (2016) and Order for Online Sales Business Registration 2023 deal with privacy of communications and personal data.

Last modified 18 December 2024

There are no specific laws that regulate the manner in which personal data may be stored or transmitted online.

Last modified 18 January 2024

Every person has the right to privacy in terms of data available in electronic means. Such data cannot be used or shared without the consent of the concerned person. There is no exclusive provision in relation to cookies and location data. However, if a data subject’s personal information or location data is collected using cookies or otherwise, the concerned entity must adhere to the Privacy Act, and such information must be used for the same purpose as it was collected for.

The Directives for Managing the Use of Social Networks, 2023 (“Social Network Directives”), prohibit users from breaching personal privacy, including editing, publishing, or broadcasting private photographs and videos without permission, except for content of a public nature. Violation of the Social Network Directives may lead to penalties under the Electronic Transactions Act, 2008, including a fine of up to NPR 50,000, imprisonment for up to six months, or both, depending on the severity of the offense.

The Social Media (Use and Regulation) Management Bill, 2024 (“Social Media Bill”) has received approval from the council of ministers and may either be introduced via ordinance or be tabled in the Parliament. Section 16 of the Social Media Bill mandates social media platforms to adopt necessary security measures to safeguard privacy of users’ personal information and ensure that such information is not publicly disclosed or used for any other purpose. Any social media platform acting in contravention to this requirement may be subject to a fine of up to NPR 10,00,000. 

Section 42 of the Social Media Bill prohibits use of social media to breach a person’s privacy, including privacy of life, family, residence, property, documents, data, correspondence, or information. A person committing an offense under this section shall be referred to the concerned authority for further investigation and punishment in accordance with the prevailing law.

Last modified 20 January 2025

Traffic Data

Traffic Data is regulated in Article 11.5 of the Tw. Traffic Data held by a public electronic communications services provider (CSP) must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • It is being used to provide a value added service; and
  • Consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CSP for:

  • The management of billing or traffic
  • Dealing with customer enquiries
  • The prevention of fraud
  • The provision of a value added service (subject to consent)
  • Market research (subject to consent)

Location Data

(Traffic Data not included) – Location Data is regulated in Article 11.5a of the Tw. Location Data may only be processed:

  • If such data is being processed in anonymous form; or
  • With informed consent of the individual.

Cookie Compliance

The Netherlands implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a. The Authority for Consumers and Markets (ACM) is entrusted with the enforcement of Article 11.7a of the Tw. In addition, in relation to cookie compliance all privacy requirements from the GDPR must be taken into account. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has been appointed by law as the supervisory data protection authority and supervises compliance with the GDPR and the Dutch GDPR Implementation Act.

The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt-in) and needs to clearly and unambiguously inform the user about these cookies (purpose, type of cookie, etc.). Please note that the website operator is not entitled to refuse users access to its website(s) if no consent is given. The requirement to obtain prior consent from a user does not apply in the case of functional cookies (e.g. to enable web shopping carts or language choices) and analytical cookies that have little or no impact on the user's privacy (e.g. for testing the effectiveness of certain banners / pages with the aim to improve the website). In such cases, the website operator still needs to inform the website visitors about the cookies.

The information collected through cookies is considered personal data, unless the party that places the cookies can prove otherwise.

In case of violation of electronic marketing or online privacy legislation, the ACM can impose fines of up to EUR 900,000 per violation. In some cases, the fine may be even higher and amount to a percentage of the total annual turnover. In case of violation of the GDPR and the Dutch GDPR Implementation Act, the Dutch Data Protection Authority can impose fines up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

Last modified 18 January 2024

Other than compliance with the Act, no additional legislation deals with the collection of location and traffic data by public electronic communications services providers and use of cookies (and similar technologies). The New Zealand Privacy Commissioner has general guidelines on protecting online privacy.

Last modified 24 January 2025

The regulations state that when the officer of the data file uses mechanisms in remote or local means of electronic, optical or other technology communication (cookies) which allow personal data to be collected automatically and simultaneously while the data owner makes contact with them, the owner must be informed at that time about the use of these technologies, that personal data is obtained through them, and the way in which they can be disabled.

Location data is not regulated.

Last modified 28 January 2024

The Law does not provide any specific rules for governing cookies and location data.

However, pursuant to Article 82 of the Data Protection Act 2022, the data controller must implement all appropriate technical and organizational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorized persons.

Last modified 6 January 2025

The Constitutional right to privacy applies to electronic media, including mobile devices and the Internet. Violations of these rights as safeguarded by the constitution may be subject to civil enforcement under the Fundamental Rights Enforcement Procedure Rules, 2009.

According to the Nigeria Data Protection Act, data controllers are obligated to perform a data privacy impact assessment where processing personal data could potentially pose a substantial risk to the rights and freedoms of a data subject, taking into consideration the nature, scope, context and purposes of such processing. Where the probability of high risks is established by the impact assessment, the controller is obligated to consult the Commission before processing.

The Nigeria Data Protection Regulation requires all mediums through which Personal Data is collected or processed to display a simple and conspicuous privacy policy, easily understood by the targeted Data Subject class. The privacy policy must contain the following, in addition to any other relevant information:

  • What constitutes Data Subject consent;
  • Description of Personal Data to be collected;
  • Purpose of Personal Data collection;
  • Technical methods used to collect and store personal information (i.e. cookies, web tokens etc.);
  • Access (if any) of third parties to Personal Data and purpose of access;
  • An overview of data processing principles under the NDPR;
  • Available remedies for privacy policy violation;
  • Timeframes associated with available remedies; and
  • Any limitation clause, provided that no limitation clause shall avail any Data controller who acts in breach of the principles of lawful processing set out in the NDPR.

Last modified 18 January 2025

The DP Law and the Rulebook on the Security of Personal Data Processing (Official Gazette of the Republic of North Macedonia no. 122/20, “Security Rulebook”) apply to online privacy as well.

In line with the Security Rulebook, when using cookies which are not necessary for the service, the data controller should obtain prior consent from the internet user before the cookie is deposited. Data subjects should be informed about the use of cookies and their type, duration, provider and purpose, the third parties with which the data is shared, and the manner in which cookies can be rejected.

Please note that data controllers and data processors should undertake technical and organizational measures for the security of personal data processing to guarantee the correct identity of the website, as well as the confidentiality of the sent and received information, as prescribed by the Security Rulebook. For example, this would include mandatory use of a cryptographic protocol (TLS) for all pages of the website, adoption of a policy for the personal data protection system, etc.

Last modified 17 January 2024

Traffic data

A new law on electronic communications, the Electronic Communications Act (LOV-2024-12-13-76, Nw. Ekomloven), was adopted on 1 January 2025.

Traffic data is defined in the Electronic Communications Act section 1-5 as data which is necessary to transfer communication in an electronic communications network or for billing of such transfer services.

Processing of traffic data held by a Communications Services Provider ('CSP') (Nw: Tilbyder) may, according to the Regulation relating to Electronic Communications Networks and Electronic Communications Services (FOR-2024-12-20-3410, Nw: Ekomforskriften), only be performed by individuals tasked with invoicing, traffic management, customer enquiries, marketing of electronic communications networks or the prevention or detection of fraud.

Traffic Data held by a CSP must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication and related billing or for the purpose of complying with a legal obligation (Electronic Communications Act (LOV-2003-07-04-83) section 3-11, Nw: Ekomloven). However, Traffic Data can be retained if it is being used to provide a value-added service and consent has been given for the retention of the Traffic Data.

Location data

Location data may only be processed for the purpose of the transmission of a communication and related billing or for the purpose of complying with a legal obligation. Other processing requires explicit consent, and the users must be given understandable information on which data is processed and how the data is used. The user shall have the opportunity to withdraw their consent. See Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications Services section 3-1.

Cookie compliance

The Electronic Communications Act has been changed in accordance with directive 2009/136/EC regarding the use of cookies. According to section 3-15, the user must give their consent before cookies or any other form of data is stored in their browser. The users must receive clear and comprehensive information about the use of cookies and the purpose of the storage or access. However, obtaining user consent is not required if the cookie solely has the purpose of transferring communication in an electronic network, or if it is deemed to be strictly necessary for the delivery of a service requested by the user. The consent must fulfill the requirements of the GDPR (i.e. freely given, specific, informed and unambiguous) according to the Electronic Communications Act section 3-15.

Last modified 16 January 2025

PECA 2016 criminalizes unauthorized access to information systems or data, copying or transmission of data and use of identity information. PECA 2016 further criminalizes “offenses against the dignity of a natural person,” including the transmission of information through an information system which “harms the reputation or privacy of a natural person.”

Pursuant to the above, PTA has promulgated the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules, 2021. The purpose of these rules is to allow greater regulation of online content which may be argued to hamper an individual’s privacy and freedom on online platforms. Under section 3 of PECA 2016, the authority under these rules is PTA, which under these rules has very broad powers to examine, block and remove online content under section 3. 

Under section 5, PTA also has the power to issue written directions to a social media service provider, to take any such actions for the removal or blocking of online content as it deems fit, and also prescribe timelines to the service provider for compliance with such a direction. If the direction is not complied with within the timeline, PTA may take actions against the service provider including degrading or terminating its services and levying penalties as well. Such a direction by PTA will also take precedence over the community guidelines of an individual service provider.

Additionally, an “e-Safety Bill, 2023” has been drafted by the Ministry of Information Technology and Telecommunication in Pakistan, for the regulation of online content on social network platforms and service providers.

The bill envisages the establishment of an ‘e-Safety Authority’ for enforcing its provisions. This authority shall have various powers to regulate the establishment and registration of and content on social media platforms, to ensure the protection of its users. However, the current discussion draft of the bill contains a broad definition of “data” and provides for the access of data to the e-safety authority in a broad and arbitrary provision which allows the authority or any person authorised by it to have access to any communication device for the purpose of searching the device and obtaining any information or data, if it has reasonable cause to suspect contravention of the provisions of this bill. In this manner, the proposed bill may allow another authority access to data on online platforms.

Last modified 4 January 2024

The existing regulatory framework does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 28 January 2024

Art. 30.3. of the Electronic Commerce Law requires suppliers of goods and services which use data storage and recovery devices to clearly and thoroughly inform users and consumers about the use of and purposes regarding the collected data and provide data subjects the ability to object to the use (opt-out) of their personal data through a simple procedure and free of charge.

Other than the rule mentioned above, the current legal framework does not specifically address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 28 January 2025

The New Regulation of the PDPL will be introducing some aspects regarding Online Privacy, including localization data as a category of personal data. Likewise, although it does not expressly regulate cookies, the PDPL will apply if personal data is collected and processed using these mechanisms.

This requires that the use and deployment of cookies, location data or other personal data that will be collected must comply with data privacy laws. As a general rule, the data subject’s consent must be obtained before cookies and/or location data can be used. Nevertheless, consent won’t be necessary when an exception is in place. For example, regarding cookies, the NDPA considers that consent is not required for necessary cookies (i.e. those required for the functionalities of a webpage); however, consent will be required for marketing cookies (as they are not strictly required for the functionalities of a webpage but respond to a commercial purpose).

With respect to criminal law enforcement, Legislative Decree N° 1182 permits the National Police of Peru to access the location and geolocation of mobile phones or electronic devices of similar nature in cases of flagrante delicto.

It establishes the obligation for public communications services providers and public entities to keep the data from their users derived from telecommunication services during the first 12 months in computer systems and for an additional period of 24 months in an electronic storage system. Such service providers are bound to provide the location and geolocation data immediately, 24 hours a day, 365 days of the year, under warning of being liable to the responsibilities regarded by law in the event of noncompliance.

Last modified 26 January 2023

The Cybercrime Prevention Act of 2012 (“CPA”) is the first law in the Philippines which specifically criminalizes computer crimes. The law aims to address legal issues concerning online interactions. The CPA does not define, nor does it particularly refer to, online privacy; however, it penalizes acts that violate an individual’s rights to online privacy, particularly those interferences against the confidentiality, integrity and availability of computer data and systems.

Section 4(c)(3) of the CPA, which provides that unsolicited commercial communications is generally a cybercrime offense punishable under the CPA, was struck down by the Supreme Court for violating the constitutionally guaranteed freedom of expression.

All data to be collected or seized or disclosed will require a court warrant. The court warrant shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce showing that there are:

  • reasonable grounds to believe that any of the crimes penalized by the CPA has been committed, or is being committed, or is about to be committed; 
  • reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and 
  • no other means readily available for obtaining such evidence.

The integrity of traffic data shall be preserved for a minimum period of six months from the date of the transaction.

Courts may issue a warrant for the disclosure of traffic data if such disclosure is necessary and relevant for the purposes of investigation in relation to a valid complaint officially docketed.

No law in this jurisdiction currently deals with the subject of location data.

Philippine law, including the Act, presently does not define the term “cookies” nor regulate their use. The NPC, however, has opined that cookies, when combined with other pieces of information, may allow an individual to be distinguished from others and may, therefore, be considered as Personal Information. To the extent that cookies are considered as Personal Information, the Act may be applicable and consent of the data subjects must be secured prior to (or as soon as practicable and reasonable) the collection and processing of Personal Information, subject to certain exceptions.

Last modified 20 January 2025

EU regulation

Regulations under the Electronic Communications bill concerning online privacy remain unchanged. The Electronic Communications Act regulates the collection of transmission and location data and the use of cookies (and similar technologies).

Transmission data

The processing of transmission data (understood as data processed for the purpose of transferring messages within telecommunications networks or charging payments for telecommunications services, including location data, which should be understood as any data processed in a telecommunications network or as a part of telecommunications services indicating the geographic location of the terminal equipment of a user of publicly available telecommunications services) for marketing telecommunications services or for providing value-added services is permitted if the user (i.e. subscriber or end user) gives his or her consent.

The provider of electronic communication services shall be obliged to inform the end-user or subscriber in particular of:

  • the scope and purpose of the processing of transmission data and other data concerning them;
  • the possibilities of influencing the scope of this processing;
  • the type of transmission data that will be processed and the duration of such processing for the purposes of marketing electronic communication services or the provision of value-added services.

Location data

In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a provider of publicly available telecommunications services has to:

  • Obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given period or in relation to a given call; or
  • Anonymize this data.

A provider of electronic communication services is obliged to inform the user, prior to receiving its consent, about the type of data about location which is to be processed, about the purpose and time limits of the processing, and whether this data is to be passed on to another entity in order to provide a value-added service.

Processing data about location may only be performed by entities that:

  • Are authorized by a provider of electronic communication services;
  • Provide a value-added service.

Data about location may be processed only for purposes necessary to provide value-added services and other purposes indicated in the Act.

Cookies

According to art. 399 of the Electronic Communications Act, the use and storage of cookies and similar technologies is only allowed on the condition that:

  • The subscriber or the end user is directly informed in advance in an unambiguous, simple and understandable manner about:
    • The purpose of storing and the manner of gaining access to this information;
    • The possibility to define the condition of the storing or the gaining of access to this information by using settings of the software installed on his or her telecommunications terminal equipment or service configuration;
  • The subscriber or end user, having obtained the information referred to above, gives his / her consent; and
  • The stored information or the gaining of access to this information does not cause changes in the configuration of the subscriber's or end user's telecommunications terminal equipment or in the software installed on this equipment (the end user may grant consent by using the settings of the software installed in the final telecommunications device that he / she uses or by the service configuration).

The consent of the subscriber or end user is not required if storage or gaining access to cookies is necessary for:

  • Transmitting a message using a public telecommunications network;
  • Delivering a service rendered electronically, as required by the subscriber or the end user.

Entities providing telecommunications services or services by electronic means may install software on the subscriber’s or end user’s terminal equipment intended for using these services or use this software, provided that the subscriber or end user:

  • Is directly informed, before the installation of the software, in an unambiguous, simple and understandable manner, about the purpose of installing this software and about the manner in which the service provider uses this software;
  • Is directly informed, in an unambiguous, simple and understandable manner, about the manner in which the software may be removed from the end user’s or subscriber’s terminal equipment;
  • Gives its consent to the installation and use of the software prior to its installation.

According to art. 400 of the Electronic Communications Act, the consent of the subscriber or the end user must comply with the GDPR requirements as regards the format.

Enforcement and sanctions

A company that processes transmission data contrary to the Telecommunications Act or fails to meet obligations to obtain consent to process data about location or to store and to gain access to cookies may be subject to a fine of up to 3% of the company’s revenues for the previous calendar year. The fine is imposed by the President of the OEC. In addition, the President of the OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his or her monthly remuneration.


Poland regulation

Failing to meet the obligations to obtain consent to direct marketing by means of telecommunications devices and automated calling systems may be subject to a fine of up to 3% of the revenues of the fined company for the previous calendar year or up to PLN 1,000,000. When imposing the sanction, the higher amount is applied. The fine is imposed by the President of the Office of Electronic Communication (hereinafter referred to as the President of the OEC). In addition, the President of the OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management board) of up to 300% of his or her monthly remuneration.

Last modified 16 January 2025

Cookie compliance

As determined by Law 41/2004, of 18 August, storage of data and the possibility of accessing data stored in a subscriber or user terminal is only allowed if the subscriber or user has provided prior consent. Such consent must be based on clear and comprehensive information.

This does not prevent technical storage or access for the sole purpose of transmitting communications over an electronic communication network, if strictly necessary for the provision of a service expressly requested by the subscriber or user.

Traffic Data

Traffic data must be erased or anonymized when no longer needed for the transmission of communications. Processing of traffic data requires prior express consent and the user or subscriber shall be given the possibility to remove it at any time. Such processing may only be carried out to the extent and for the time strictly necessary for the sale of electronic communications services or the provision of other value-added services.

Processing of traffic data is admissible when required for billing and payment and only until the end of the period during which the bill may lawfully be challenged or payment pursued.

Complete and accurate information on the type of data being processed must be provided, as well as the processing purposes and duration and the possibility of disclosure to third parties for the provision of value added services. Processing should be limited to workers or employees in charge of billing or traffic management, customer inquiries, fraud detection, sale of electronic communications services accessible to the public, or the provision of value added services, as well as to the strictly necessary information for the purposes of carrying out such activities.

Location Data

Processing of location data is allowed only if such data is anonymized or to the extent and for the time necessary for the provision of value added services, provided that prior express consent was obtained. Prior information to the data subjects must also be provided.

Companies must ensure there is an option to withdraw consent at any time, or to temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication, in a simple manner and free of charge.

Non-compliance with these opt-in rules is considered an administrative offence, punishable with fines ranging from EUR 5,000 to EUR 5,000,000.

Last modified 17 January 2024

The Data Protection Law specifically regulates online privacy and the processing of data in relation to children. Owners and operators of websites must observe the following requirements.

In relation to online privacy, data controllers must ensure they have in place a privacy notice to notify data subjects that they are processing personal data. A privacy notice must generally include the following information:

  • Details of the data controller including its legal name, registered address and contact information
  • Details regarding third-party processors if any and in which case, the privacy notice should, inter alia, provide a description of why the data processors are processing information on behalf of the data controller
  • The data controller's purposes for processing personal data including the permitted reasons for doing so
  • A comprehensive and accurate description of the processing activities
  • The levels of disclosure for the permitted reasons for processing personal data or a general description
  • Any other information that is necessary for fulfilling conditions of personal data processing, e.g., general information on how personal data is kept secure and a data subject's rights and how they may be exercised

In relation to websites relating to children, a data controller should:

  • Place a notification on the website regarding how children’s data is used and its disclosure policies
  • Obtain express approval from the parents or guardian of the child before processing any personal data
  • Provide the child’s parent or guardian—upon request and after verifying the identity of the child’s parent or guardian—a description of the personal data that is being processed, stating the purpose of the processing, and a copy of the child’s data that is being collected and processed
  • Delete, erase, or suspend the processing of any personal data that was collected from the child or about the child, if the child’s parent or guardian requests this, and
  • Refrain from making any child's participation in a game or prize offer, or any other activity conditional on the child's submission of personal data which goes beyond what is required for the purposes of participation in the game or prize offer
Last modified 17 January 2024

Neither the DPL nor the DPR contains specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as Qatar criminal law applies in the QFC, the privacy principles laid out therein may apply (see Qatar).

Last modified 17 January 2024

Regulated by separate law.

Last modified 23 February 2024

The processing of traffic data, location data and the implementation of cookies is regulated under Law no. 506/2004.

Traffic data

Traffic data relating to subscribers and users processed and stored by the provider of a public electronic communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication, but no later than three years from the date of such a communication.

However, traffic data may be retained for the purpose of marketing the services offered to data subjects, or in view of the provision of value-added services, solely throughout the marketing period and provided that data subjects have previously consented to the processing of traffic data. Data subjects may withdraw such consent at any time. The provider of publicly available electronic communication services must inform data subjects in respect of the processed categories of traffic data, and the duration of processing, prior to obtaining their consent.

The processing of traffic data for billing purposes or the establishment of payment obligations for interconnection is permitted solely for a period of three years following the due date of the respective payment obligation. The provider of publicly available electronic communication services must inform data subjects in respect of the processed categories of traffic data and the duration of processing.

The processing of traffic data for the establishment of contractual obligations of the communication services subscribers, with payment in advance, is permitted solely for a period of three years following the date of the communication. 

The processing of traffic data as mentioned above may be done only by persons acting under the authority of providers of public electronic communications networks or of publicly available electronic communications services for:

  • Management of billing and traffic
  • Dealing with enquiries of data subjects
  • Prevention of fraud, or
  • The provision of communication services or value added services,

and it is permitted only if it is necessary to fulfil such purpose.

Location data, other than traffic data

The processing of location data, other than traffic data, is permitted when:

  • Data is rendered anonymous
  • Data subjects have explicitly consented prior to such processing for the duration necessary for the performance of value added services, or
  • The purpose of the value-added service is the unidirectional and nondifferentiated transmission of information towards users.

The provider of publicly available electronic communications services must inform the users or subscribers, prior to obtaining their consent, in respect of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers shall be given the possibility to withdraw their consent at any time. Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the provider of publicly available electronic communications services must grant users the possibility, using a simple and free of charge means, of withdrawing consent or of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Cookies

The storing of cookies on user terminals is permitted, subject to the following cumulative conditions:

  • Subscribers or users have expressly consented thereto (Law no. 506/2004 also provides that consent may be given by way of browser settings or other similar technologies)
  • The information requirements provided by Data Protection Law have been complied with in a clear and user-friendly manner, to include references regarding the purpose of processing of the information stored by users.

Should the service provider allow the storing of third-party cookies within a user's computer terminal, the user will have to be informed about the purpose of such processing and the manner in which browser settings may be adjusted in order to refuse third-party cookies.

Consent is not required where cookies are:

  • Used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
  • Strictly necessary for the provision of an information service expressly requested by the subscriber or the user.

Failure to comply with the requirements of Law no. 506/2004 is classified as a minor offence and is sanctionable with fines ranging from approx. EUR 1,000 to EUR 21,000. In the case of companies whose turnover exceeds approximately EUR 1.05 million, the amount of fines may reach up to 2% of the respective company's turnover.

Upon request of the courts of law, of the criminal prosecution authorities or of the authorities competent in the area of national defence and security with the prior approval of the judge, providers of publicly available electronic communication services and providers of public electronic communications networks shall make available, as soon as possible, but no later than 48 hours, traffic data, data regarding user terminals, as well as geolocation data.

Last modified 17 January 2024

Russian data law does not generally regulate online privacy specifically. That said, Russian personal data rules are broadly written so that they would apply to online privacy, and it would appear that online privacy was a concern of the legislators when the rules were drafted. One specific area of application of the rules to online privacy involves the rules for personal data allowed by the data subject for dissemination.

Personal data allowed by the personal data subject for dissemination

A certain subset of personal data involves that data for which a data subject has given consent for dissemination. While not specifically limited to online dissemination, these rules were made with online activity in mind – particularly social media and other platforms from which information is shared. Consent in this regard must be executed separately from other consents of the subject of personal data to the processing of his / her personal data and requires specificity about the types of personal data which may be disseminated. The data operator must provide the data subject with the opportunity to determine the list of personal data for each category of personal data specified in the consent. The consent must be explicit; silence or inaction of the personal data subject can under no circumstances be considered as implied consent.

The data subject may establish prohibitions on the transfer or disclosure (except for granting access) of the personal data by the data operator, as well as prohibitions or conditions on public processing (except for obtaining access) of that data. The data operator must publish information on these prohibitions and conditions on processing within three working days from the date of obtaining the relevant consent of the data subject.

The data subject may revoke consent at any time. The transfer, dissemination, provision, or granting access to personal data authorized by the personal data subject for dissemination shall be stopped within three working days from the request of the data subject.

In case of public disclosure of personal data directly by the data subject, the personal data, although disclosed, is still protected under law. So, where a data subject makes the personal data public (for example on social media), further dissemination or processing of this personal data still must be performed under a valid legal basis (usually consent).

In cases where public disclosure of personal data was done unlawfully or under force majeure circumstances, that personal data is also still protected under law and the further dissemination or other processing of such personal data lies on each person who carried out the dissemination or other processing.

Cookies

There is a well-established approach that cookies may constitute personal data if the information contained fits the definition of personal data (pertaining to or able to be used to identify a data subject) and in such cases, there must be a consent for its processing. As most cookies do carry personal data, necessity for consent is, in practice, presumed.

Other

In addition to cookies, other types of information associated with online activity may also constitute protected personal data. If information on the number and length of visits to particular websites, IP address and other information relates directly or indirectly to a specific or defined physical person, then that would constitute protected personal data. Information regarding online activity may also be governed by legal protections in additional personal data laws, for example, those involving secrecy of communications.

Last modified 17 January 2024

The Data Protection Law provides that the DC, DP or third-party processing personal data must respect the privacy of the data subject (article 5). It does not provide any other specific requirement regarding cookies and location data.

Last modified 17 January 2024

There is no legislation in the KSA that specifically regulates the use of cookies.

Last modified 23 February 2024

The law on Personal Data and the Senegalese Electronic Transactions Law do not contain provisions on online privacy or cookies.

Last modified 23 February 2024

There are no specific regulations explicitly governing online privacy (including cookies). Accordingly, the general data protection rules, as introduced by the DP Law are, to the extent applicable, relevant for online privacy as well.

On the other hand, it should be noted that the EC Law, as defined in the section on Breach Notification above, introduces rules on the processing of traffic data and location data, under which business entities performing electronic communication activities are allowed to do the following:

  • Process traffic data only as long as such data is necessary for a communication’s transmission and thus, when such necessity ceases to exist, they are obliged to delete the data or to process and keep them in a way that the persons to which the data relates are made unrecognizable, except in a few explicitly prescribed cases when such obligation does not exist (e.g. if they use the respective data for advertising and services selling purposes on the basis of a data subject's prior consent, to the extent and during the time necessary for the respective purpose).
  • Generally process location data only if the persons to which the data relates are made unrecognizable or if they have such persons’ prior consent for the purpose of providing them with value added services in the scope and for the time during which the processing is needed for the respective purpose's realization.

Violations are subject to the fines set forth in Breach notification.

Last modified 17 January 2024

The Act does not contain specific provisions in relation to online privacy.

Last modified 17 January 2024

Currently, there are no specific requirements relating to online privacy (including cookies and location) under the Act. Nevertheless, an organization that wishes to engage in any online activity that involves the collection, use or disclosure of personal data will still need to comply with the general data protection obligations under the Act. For example, if an organization intends to use cookies to collect personal data, it must obtain consent before use of any such cookies. For details of the consent required, please see Collection & Processing. The Commission has published nonbinding guidelines providing practical tips on pertinent topics such as securing electronic personal data, building websites, the capture of IP addresses and the use of cookies.

Last modified 23 January 2025

National Ordinance Personal Data Protection

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.

Last modified 10 February 2025

EU regulation

As regards the protection of privacy and protection of personal data processed in the electronic communications sector, the provisions of the Act (Act No. 452/2021 Coll. On Electronic Communications, as amended) shall apply. The Act implemented e.g. Directive 2002/58/EC (as amended by Directive 2009/136/EC).

Under the Act, the undertaking company that provides a publicly available network or service or a provider of a publicly available service is obliged to ensure the technical and organizational confidentiality of messages and associated Traffic Data that are transmitted through its public network and publicly available services. In particular, it is prohibited to record, intercept, store messages or other types of interception or monitoring of messages and their associated data by persons other than the users or without the consent of the users concerned, unless regulated otherwise. This does not prevent the technical storage of data that are necessary for the transmission of messages, without prejudice to the principle of confidentiality.

Further to this, the undertaking company shall not be liable for the protection of transmitted messages if there is a possibility of their direct listening or unprotected acquisition at the place of transmission or at the place of reception.

However, this ban does not apply to temporary recording and storing of messages, as well as related Traffic Data if it is required:

  • for the provision of value added services ordered by a subscriber or user;
  • to prove a request to establish, change or withdraw the service; or
  • to prove the existence or validity of other legal acts, which the subscriber, user or undertaking company has made.

Article 5 (3) of Directive No. 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) was implemented into Section 109 of the Act. Under Section 109 (8) of the Act: “every person that stores or gains access to information stored in the terminal equipment of a user shall be authorised for that only if the user concerned has given his / her demonstrable consent. The obligation to obtain consent does not apply to law enforcement authorities and other state authorities. This shall not prevent any technical storage of data or access hereof for the sole purpose of the conveyance or facilitation of the conveyance of a communication by means of a network or if strictly necessary for the provider of an information society service to provide information society services if explicitly requested by the user.”

Processing of cookies requires the demonstrable consent of the user. According to the opinion of the Office of Electronic Communication and Postal Services, demonstrable consent under the Act is consent that meets the conditions stipulated in Section 5 lit. a) of the Slovak Data Protection Act. In order for the consent to be freely given, access to services and features must not be conditional on the user's consent to the processing or storage of information through cookies. Access to the content, services or features on the website cannot be bound to or conditioned on the granting of such consent. Making use of the website conditional on the user's consent to the processing or storing of information through cookies is a violation of Section 109 (8) of the Act.


Slovak Republic regulation

Traffic Data

Traffic Data are data related to the user and to the specific transmission of information in the network and arising during this transmission, which are processed for the purposes of transmission of messages in the network or for invoicing purposes. The Traffic Data related to subscribers or users may not be stored and the undertaking company is required, after the end of a communication transmission, without delay, to destroy or make anonymous such Traffic Data, except as provided otherwise by the Act.

If it is necessary for the invoicing of the subscribers and network interconnection payments, the undertaking company is required to store the Traffic Data until the expiration of the period during which the invoice may be legally challenged or the claim for the payment may be asserted. The undertaking company is required to provide the Traffic Data to the Office for Electronic Communications and Postal Services or the court in the case of a dispute between undertaking companies or between an undertaking company and a subscriber. In the event of a complaint, alternative dispute resolution, out-of-court dispute resolution or legal proceedings, in particular disputes relating to network connection or invoicing, the undertaking company must retain Traffic Data until the expiry of the period for all legal remedies. The scope of the stored Traffic Data must be limited to the minimum necessary.

The undertaking company is further authorized to process Traffic Data and Location Data (as described below) to the necessary extent even without the user's consent for the purposes of:

  • network operations, services or networks and services;
  • accounting for the provided service, invoicing and proof of entitlement to payment for the provided service in debt collection;
  • dealing with questions, complaints and claims of users;
  • prevention and detection of security incidents and illegal actions; or
  • providing cooperation to authorized state authorities.

The provider of a publicly available service may process the Traffic Data of the subscriber or user for the purposes of marketing services or for the purpose of providing value added services only with his / her prior consent and only to the extent and during the time necessary for marketing services and providing value added services. The undertaking company is obliged to inform the subscriber or user before obtaining his / her consent about the type of Traffic Data, the purpose of processing Traffic Data and the time of processing of this data. The subscriber or user may at any time revoke their consent to the processing of Traffic Data for marketing purposes or to provide value added services.

Location Data

Location Data are data processed in the network or through the service that indicates the geographic location of the end device of the user of the publicly available service. The undertaking company may process the Location Data other than the Traffic Data which relates to the subscriber or the user of a public network or public service only if the data are made anonymous or the processing is done with consent of the user or subscriber of a public network or publicly available service, and in the scope and time necessary for the provision of the value added service or if the Act provides so. The undertaking company must, prior to obtaining consent, inform the subscriber or user of the Location Data other than Traffic Data which will be processed, on the type of Location Data to be processed, on the purpose and duration of the processing, and whether the data will be provided to a third party for the purpose of the provision of the value added service.

The subscriber or user may revoke its consent for the processing of Location Data at any time. If the subscriber or user has agreed to the processing of Location Data other than Traffic Data for the provision of a value added service, the undertaking company is obliged to allow him / her to temporarily refuse the processing of such Location Data in a simple way and free of charge every time he / she connects to the network or every time he / she transmits a message. The processing of Location Data, as described in previous sentences, shall be limited to persons acting on behalf of an undertaking company providing public networks or publicly available services, or to persons of a third party providing a value-added service and must be limited to the necessary purposes of providing a value added service.

Last modified 17 January 2024

Traffic data

Traffic Data must be erased or made anonymous as soon as it is no longer needed for the purpose of the transmission of a communication, except in cases where a longer period of retention is permitted by statute. Nevertheless, an operator may, until complete payment for service is made but no later than by expiry of the limitation period, retain and process traffic data required for the purposes of calculation and of payment relating to interconnection.

Location data

Location Data may only be processed for the purposes of providing the value-added service and when it is made anonymous, or with the prior consent of the user or subscriber, who may withdraw this consent at any time. Prior to issuing consent, a user or subscriber must be informed of (i) the possibility of refusing consent, (ii) the type of data to be processed, (iii) the purpose and duration of processing, and (iv) the possibility of the transmission of location data to a third party for the purpose of providing the value-added service.

Cookie compliance

The Electronic Communications Act (ZEKom-2) provides rules on the usage of cookies and similar technology for data storage.

Pursuant to ZEKom-2, the retention of information or the gaining of access to information stored in a subscriber’s or user’s terminal equipment (cookies) is only permitted if the subscriber or user gave their informed consent after having been given clear and comprehensive information about the information manager and the purpose of the processing of this information. However, an exception is provided for carrying out the transmission of a communication over an electronic communications network, or where this is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

Last modified 17 January 2024

There are no sections of POPIA that expressly regulate privacy in relation to cookies and location data. These issues may be dealt with in subsequent regulations or codes of conduct to be issued by the Information Regulator.

Last modified 17 January 2024

Cookies, logs, IP information, etc. may also be regulated by the PIPA as personal information if, when combined with other information, they may easily enable the identification of a specific individual.

The protection of location information is governed by the LIA.

Under the LIA, any person who intends to collect, use, or provide location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, unless:

  • there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency;
  • there is a request by the police for the rescue of the person whose life or physical safety is in immediate danger; or
  • there exist special provisions in any Act.

Any person (entity) who intends to provide services based on location information (“Location-based Service Provider”) shall report to the Korea Communications Commission (“KCC”). Further, any person (entity) who intends to collect location information and provide the collected location information to Location-based Service Providers (“Location Information Provider”) shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

  • Name, address, phone number and other contact information of the Location Information Provider;
  • Rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
  • Details of the services the Location Information Provider intends to provide to Location-based Service Providers;
  • Grounds for and period of retaining data confirming the collection of location information; and
  • Methods of collecting location information.

If a Location-based Service Provider intends to provide location-based services by utilizing personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

  • Name, address, phone number and other contact information of the Location-based Service Provider;
  • Rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
  • Details of the location-based services;
  • Grounds for and period of retaining data confirming the use and provision of location information; and
  • Matters concerning notifying the personal location information subject of the provision of location information to a third party as below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above, it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of this provision.

Last modified 20 January 2025

Cookies are regulated in Spain, in addition to the Spanish Data Protection Act, by the Spanish Act on the Information Society Services and e-Commerce (“LSSI”), as amended in March 2012. In July 2023, the AEPD released new Guidance Notes on the use of cookies (granting a sunrise period until 11th January 2024 for the data controllers and data processors to implement the new criteria). Although the Guidance Notes are not legally binding, they give useful indications on the best market practice and on the criteria that the AEPD would follow when enforcing the law.

The Guidance Notes require data controllers to inform cookies’ recipients – including legal entities – of the existence and use of cookies, their scope and how to deactivate them. The regulator stresses the need for cookies’ sponsors to make sure (and be able to demonstrate later on) that the user has noticed the invitation to install and use the cookies and has voluntarily and unmistakably decided to accept it. Certain types of cookies (e.g. session cookies) are exempt from these restrictions.

Last modified 22 January 2024

At present there are no requirements specifically applicable to aspects of online privacy such as cookies and location data. However, controllers and processors would be required to adhere to the general obligations set out in the PDPA, and data subjects would still be eligible to the rights and protections afforded to their personal data under the PDPA, when personal data is processed for online purposes.

Last modified 3 January 2024

Pursuant to the Electronic Communications Act (implementing inter alia the e-Privacy Directive), data may be stored in or retrieved from a subscriber's or a user’s terminal equipment only if the subscriber or user has been provided with information about the purpose of the processing and consents to it, i.e. the user must give its prior ‘opt-in’ consent before a cookie is placed on the user’s computer. In its judgment of 1 October 2019, the Court of Justice of the European Union (the "CJEU") decided on cookie consent requirements and stated that cookie consent must be given by a statement or clear affirmative action (consent cannot be validly obtained through pre-ticked checkboxes).

Consent is however not required for storage or access that is:

  • necessary for the transmission of an electronic message over an electronic communications network; or
  • necessary for the provision of a service explicitly requested by the user or subscriber.

Wilful or negligent breaches of the now relevant provision in the Electronic Communications Act are criminalised. As such, a fine may be imposed provided that the offence is not sanctioned by the Swedish Criminal Code (1962:700). However, if the breach is deemed to be minor, no fine shall be imposed. To our knowledge there have not yet been any cases where a website operator has been fined for a breach of the cookie provision in the Electronic Communications Act.

Sweden has set the digital age of consent as 13 in relation to consent to processing of personal data in the context of offering information society services.

Last modified 22 January 2024

The processing of personal data in the context of online services is subject to the general rules pertaining to the processing of personal data under the FADP. In addition, certain aspects of online privacy are covered by other regulations, such as the use of cookies which is also subject to the Swiss Telecommunications Act (TCA).

Under the TCA, the use of cookies is considered to be processing of data on external equipment, e.g., another person’s computer. Such processing is only permitted if users are informed about the processing and its purpose as well as about the means to refuse the processing, e.g., by configuring their web browser to reject cookies.

In addition, the general rules under the FADP apply where cookies collect data related to persons who are identified or identifiable, i.e., personal data. In particular, the controller must provide the data subjects with certain information when collecting personal data. In practice, this is often fulfilled by including a section on cookies in the website's privacy policy or implementing a specific cookie policy. In accordance with the principles of privacy by design and privacy by default, the controller shall furthermore only pre-select essential cookies. Non-essential cookies (e.g. analysing cookies) may, depending on the circumstances, only be used with the data subject's consent.

Where the personal data collected through a cookie is:

  • Considered sensitive personal data, e.g., data regarding religious, ideological, political views or activities; or
  • so comprehensive that it permits an assessment of essential characteristics of the personality of a person (i.e. high-risk profiling)

the stricter rules pertaining to the processing of sensitive personal data and high-risk profiling are applicable. These stricter rules provide, inter alia, that consent (if necessary) must be given expressly. Furthermore, sensitive personal data may not be disclosed to third parties without justification.

Last modified 22 August 2023

Although the PDPA does not specifically regulate online privacy, cookies and location data could be considered as social activities of a natural person by which such person may be directly or indirectly identified; as such, the PDPA may apply to online privacy.

Last modified 18 December 2023

Currently, there is no law or regulation in Tajikistan that specifically regulates online privacy.

Last modified 27 January 2025

Any use of cookies and other third-party trackers which can identify a natural person will qualify as disclosure of personal data and be subject to the PDPA. The PDPA requires data controllers and processors to process personal data for the specific purpose for which it has been collected (Please refer to our advice on Collection Processing of Data above on the requirements to be complied with by the data collectors and data processors while using personal data).

This implies that a person cannot use cookies and third-party trackers to process personal data except with the consent of the data subject, unless such use is authorised under any written law in Tanzania and the data subject has been informed of such use at the time the data was collected. The data controller must ensure that consent is provided on the basis of information that allows the data subjects to easily identify who the controller is and to understand what they are agreeing to. The controller must also clearly describe the purpose of the data processing for which consent is requested.

Last modified 25 January 2024

General rules of the PDPA apply to online privacy.

Last modified 6 January 2025

None.

Last modified 15 February 2022

The DPA has no specific provision regarding online privacy.

Last modified 26 January 2023

There is no specific mention of online privacy under the 2004 law on the Protection of Personal Data.

However, the same safeguards including restrictions and sanctions apply as well to online privacy under Tunisian Law.

Furthermore, it is prohibited to use the processing of personal data for promotional purposes unless the data subject, his heirs or his tutor gives his explicit and specific consent.

Last modified 27 January 2025

There is no legislation in Turkey that specifically regulates privacy in respect of cookies and location data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting enables Internet users to initiate prosecution in case of infringements of their personal rights. Further, various amendments were made to the Law No. 5651 on July 31, 2020. One of these amendments was adding the term “social network provider” and the obligations of the social network providers have been regulated within this scope.

Social network provider is defined as:

"A natural or legal person who enables users to create, view, or share texts, images, voice, location, or other types of data for the purpose of social interaction."

The amendment requires foreign social network providers (companies that are not established in Turkey) which have daily access of 1.000.000 or more from Turkey to appoint a representative in Turkey. Also, the foreign social network providers must keep Turkish users’ (users from Turkey) personal data in Turkey within the scope of the Internet Law.

Failure to meet these requirements may result in administrative fines, limitation of bandwidth, and restriction of commercial activities (online marketing) of the social network provider. Moreover, with the recent amendments made in the Internet Law, social network providers may face an administrative fine up to 3% of their global turnover in cases of non-compliance.

Under the Regulation on Protection of Personal Data in the Electronic Communications Sector and Preservation of Privacy, an Operator cannot process traffic data for purposes other than those required for the purposes of their service. Traffic data shall be processed in accordance with the provisions of the relevant legislation for the purposes of traffic management, interconnection, billing, corruption detection and similar transactions or settlement of disputes. The processed and stored traffic data belonging to the subscriber / user shall be deleted or made anonymous after the completion of the required activity to process and store these data.

Traffic data may be processed if required for marketing electronic communication services or providing value added electronic communication services, provided that either it is anonymized, or relevant subscribers / users give their consent after being informed of the traffic data to be processed and the processing time.

Location data not qualifying as traffic data may be processed if required to provide value added electronic communication services, on the condition that it is anonymized or the relevant subscribers / users give their consent after being informed of the location data to be processed and of the purpose and duration of the processing.

Administrative fines of up to three percent of the net sales of the Operator in the previous calendar year shall be imposed if it fails to fulfill its obligation to process traffic data and location data.

Last modified 27 January 2025

Data Protection Law provisions apply to online privacy as well. There are no other specific regulations that govern online privacy in Turkmenistan. Data operator shall refer to rules and regulations specified in the Data Protection Law.

Last modified 23 December 2022

The DPR does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. Note that “online identifiers” fall within the definition of Personal Data. In addition, as UAE criminal law applies in the ADGM, the privacy principles laid out therein may apply (see UAE – General).

Last modified 9 January 2024

Where a Controller is offering online services through a platform, the default privacy preferences of the platform must be set such that no more than the minimum Personal Data necessary to deliver or receive the relevant services is obtained or collected, and a Data Subject should be:

  • prompted to actively select his privacy preferences on first use; and
  • able to easily change such preferences.

(Article 14(4) DPL)

In addition, Controllers are to make available a minimum of two methods (which may include, by way of example, post, telephone, email or an online form) by which a Data Subject can contact the Controller to request to exercise his rights under the DPL. If the Controller maintains a website, at least one method of contact must be made available without charge via the website, without the need to submit data to create an account of any sort.

(Article 40 DPL)

Last modified 27 January 2025

The HDPR does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as UAE criminal law applies in the DHCC, the privacy principles laid out therein may apply (see UAE – General).

Last modified 27 January 2025

The PDPL does not expressly cover online privacy; however, the PDPL will apply to Processing online.

Although the UAE Criminal Law does not contain provisions directly relating to the internet, its provisions related to privacy are broadly drafted and therefore could apply to online matters (such as Article 432 as described above). 

Additionally, as described in Collection and Processing, under certain circumstances, online privacy is protected through Articles 2, 3, 4, 6, 7, 8 and 44 of the Cyber Crime Law and the TDRA's Consumer Protection Regulation. Unlawful access via the internet, by electronic devices, of financial information (e.g. Credit Cards and Bank Accounts) without permission is a specific offence under the Cyber Crime Law (Articles 6 and 8).

The TMTM Law further provides control on the protection of consumer’s Data and Information within Article 10 of the law. Article 10(1) of the TMTM Law confirms that data protection law in the UAE shall apply to consumer information and data, its classification and ownership.

Last modified 27 January 2025

There is no specific online privacy regulation in Uganda. However, the Computer Misuse (Amendment) Act 2022 creates additional protection for children’s online privacy, making it a criminal offence to send, share or transmit any information online about or relating to a child without lawful authorization, parental consent, or where the transmission is in the best interest of the child. The penalty for this offence is imprisonment for up to seven years or a fine of up to UGX 15,000,000, or both.

Last modified 27 January 2025

There is no specific legislation regulating online privacy in Ukraine. However, the Data Protection Law applies to the extent online activities involve the processing of personal data.

Last modified 27 January 2025

The PEC Regulations (as amended) deal with the collection of location and traffic data by public electronic communications services providers ("CSPs") and use of cookies (and similar technologies).

Traffic data

Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication.

However, Traffic Data can be retained if:

  • it is being used to provide a value added service, and
  • consent has been given for the retention of the Traffic Data.

Traffic Data can also be processed by a CSP to the extent necessary for:

  • the management of billing or traffic
  • dealing with customer enquiries
  • the prevention of fraud, or
  • the provision of a value added service.

Cookie compliance

The use and storage of cookies and similar technologies requires:

  • clear and comprehensive information, and
  • consent of the website user.

The ICO released comprehensive guidance on the use of cookies and similar technologies in 2019. In line with the standard for ‘GDPR like’ consent under the PEC Regulations, this guidance significantly raised the bar in terms of the ICO’s expectations for cookie consent collection. It is now clear that the ICO expects consent to be collected on a clear opt-in basis – implied consent (such as the continued browsing of a website after being shown a cookie banner) is no longer sufficient. Instead, cookie consent modules that give users granular choices about cookie selection (typically on a ‘by purpose’ basis) are becoming the norm in order to align with the guidance.

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
  • strictly necessary for the provision of a service requested by the user.

Enforcement of a breach of the PEC Regulations is dealt with by the ICO. The maximum fine for a breach of the PEC Regulations is GBP 500,000, which can be issued against a company or its directors.

Last modified 6 February 2025

There is no specific federal law that per se regulates the use of cookies, web beacons and other similar tracking mechanisms. However, the state online privacy laws require notice of online tracking and of how to opt out of it.

Under California law, any company that tracks any personally identifiable information about consumers over time and across multiple websites must disclose in its privacy policy whether the company honors any ‘Do-Not-Track’ method or provides users a way to opt out of such tracking. The same law also requires website operators to disclose in their privacy policy whether any third parties may collect any personally identifiable information about consumers on their website and across other third party websites, and prohibits the advertising of certain products, services and materials (including alcohol, tobacco, firearms, certain dietary supplements, ultraviolet tanning, tattoos, obscene matters, etc.). Further, under most of the comprehensive state laws, information collected via cookies, online, mobile and targeted ads, and other online tracking are subject to the requirements of the law.

Further, given the broad definition of personal information under the comprehensive state privacy laws, information collected via cookies and similar technologies is generally subject to the requirements of the law (e.g., notice and consumer rights). For example, under the CCPA a 'sale' includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by one business to another business or a third party for monetary or other valuable consideration. ‘Sharing’ under the CCPA is defined as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. These broad definitions sweep in certain online advertising activities -- for example, where a business permits the collection and use of information through certain third party cookies and tags on their website, in order to better target the business' ad campaigns on third party websites or in exchange for compensation from a third party ad network.

Universal Opt-Out Signals / Global Privacy Control (GPC)

Amendments to the CCPA, and recent enforcement actions by the California Attorney General, have highlighted the requirement that businesses that process personal information for targeted advertising purposes allow consumers to opt out of sales and sharing, using an opt-out preference signal sent by the consumer’s browser or a browser plugin, also referred to as Global Privacy Control (GPC). Colorado’s comprehensive privacy law introduces the same requirement, with an effective date of July 1, 2024.

Minors

The Children’s Online Privacy Protection Act and regulations (COPPA) applies to information collected automatically (eg, via cookies) from child-directed websites and online services and other websites, online services and third party ad networks or plug-ins that knowingly collect personal information online from children under 13. COPPA also regulates behavioral advertising to children under 13 as well as the collection of geolocation information, requiring prior verifiable parental consent to engage in such advertising or collection.

California law requires that operators of websites or online services that are directed to minors or that knowingly collect personally identifiable information from minors permit minors that are registered users of their sites to remove any content the minor has posted from the site or online service. The law does not give minors the right to remove information posted by third parties. Minors must be given clear notice on how to exercise their right to removal. Certain state privacy laws (such as the CCPA, CPA or VCDPA) also require that a business obtain explicit consent prior to selling any personal information about an individual the business has actual knowledge is under 16 years old.

Location Data

Generally, specific notice and consent is needed to collect precise (e.g., mobile device) location information. The CCPA defines precise geolocation information as “any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet.” Connecticut and Utah law carry similar definitions, albeit with a radius of 1,750 feet.

Last modified 6 February 2025

There are no express provisions for online privacy, but the general data privacy principles fully apply. In this regard, key principles such as prior informed consent, the purposes of collection and use, and the right to information are particularly relevant. These principles state that in order to use cookies, the data subject's prior consent must be obtained and the data subject must be informed about the purposes of collection and use; personal data collected through cookies may only be processed as necessary to fulfill the purposes for which it was collected and must be deleted when the purpose ceases.

Last modified 28 January 2024

Current data protection laws do not provide for regulation of online privacy. However, if personal data is involved and privacy issues are concerned, there are no obstacles for their application with respect to online privacy.

Last modified 27 January 2025

There is no specific legislation about online privacy in Venezuela, but we advise adhering to the previously explained general principles dictated by the TSJ if there is going to be any processing or collection of Personal Data.

Last modified 12 December 2022

To some extent, by assisting in tracking the information on a specific person, the cookies and location data could be deemed as tools preinstalled on the users’ computers for collecting, storing and using their personal information, which may disclose his / her private life, e.g. hobbies, favourite websites and locations usually visited by him / her.

As such, it is currently understood that all rules on data protection are applicable to cookies as well as location data. For example, cyberspace service providers must seek users’ prior acceptance before certain technologies (e.g. cookies, positioning service) are activated.

Last modified 20 January 2025

The ECTA provides that a service provider is not liable for any damage incurred by a person if the service provider refers or links users to a web page containing an infringing data message or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hyperlink, and where the service provider:

  • does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of that person;
  • is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent;
  • does not receive a financial benefit directly attributable to the infringing activity; and
  • removes, or disables access to, the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to that data message, infringes the rights of a person.

Last modified 27 January 2025

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

Last modified 27 January 2025
