Bulgaria's Cookie Law Framework: GDPR Meets the Electronic Communications Act
Bulgaria applies two overlapping legal instruments to cookies and similar tracking technologies. The GDPR governs the processing of personal data collected through cookies, while the Electronic Communications Act (ECA) transposes the ePrivacy Directive into Bulgarian national law. Both are enforced by the Commission for Personal Data Protection (CPDP), the country's sole data protection supervisory authority.
The ECA was most recently amended in July 2025. Historically, Bulgaria's E-Commerce Act followed an opt-out model for cookies, requiring only that users be informed and given the chance to refuse. The CPDP has since aligned its guidance with the stricter opt-in standard set by Article 5(3) of the ePrivacy Directive and reinforced by the CJEU's Planet49 ruling.
For website owners, the practical effect is clear: non-essential cookies require prior consent from Bulgarian visitors before they are set.
The CPDP: Bulgaria's Data Protection Authority
The CPDP (Komisiya za zashtita na lichnite danni; КЗЛД, Комисия за защита на личните данни) has supervised data protection in Bulgaria since 2002. It handles complaints, conducts investigations, issues guidance, and imposes administrative fines under both the Bulgarian Personal Data Protection Act (PDPA) (ЗЗЛД - Закон за защита на личните данни) and the GDPR.
Most CPDP proceedings begin with complaints from data subjects. The authority's 2024 activity report highlights electronic communications, online betting, fast credit services, and direct marketing as sectors generating the highest volume of complaints. Cookie-related enforcement typically falls under the electronic communications category.
The CPDP can impose fines of up to EUR 20 million or 4% of annual global turnover under Article 83 of the GDPR. For ePrivacy violations handled under the ECA, separate penalty provisions apply, though in practice the CPDP tends to rely on GDPR grounds when personal data is involved.
CPDP Cookie Banner Requirements
The CPDP has published specific recommendations for cookie banners. A compliant banner must meet these criteria:
No pre-selected categories - cookie categories (except strictly necessary) must not appear pre-ticked or visually emphasised to steer users toward acceptance
Genuine choice to refuse - visitors must be able to decline all non-essential cookies without losing access to the website
Individual category selection - users should be able to accept or reject cookies by category (e.g., analytics, marketing, functional)
Equal prominence for accept and reject options - the CPDP considers consent invalid if refusing is harder than accepting
If a website does not offer the option to refuse cookies, the CPDP's position is that consent cannot be regarded as freely given under Article 7 of the GDPR.
Cookie Categories Under Bulgarian Guidance
The CPDP follows the standard cookie categories recognised across EU member states:
| Category | Consent Required? | Examples |
|---|---|---|
| Strictly necessary | No | PHPSESSID, csrf_token, load balancer cookies |
| Functional / Preferences | Yes | pll_language, theme preferences |
| Analytics / Statistics | Yes | _ga, _gid, Matomo cookies |
| Marketing / Advertising | Yes | _fbp, _gcl_au, retargeting pixels |
Only strictly necessary cookies may be set without consent. Everything else requires an affirmative opt-in before the cookie reaches the visitor's browser.
CPDP Enforcement Record and Notable Fines
Bulgaria's most significant data protection fine targeted the National Revenue Agency (NRA) in 2019. The CPDP imposed a penalty of approximately EUR 2,550,000 after a cyberattack exposed personal data belonging to over five million individuals. The violation centred on inadequate technical and organisational measures under Article 32 of the GDPR.
Between May 2018 and late 2021, the CPDP issued 21 fines for GDPR violations, with total penalties reaching EUR 3.2 million. Five of those fines exceeded EUR 10,000.
Most enforcement actions have targeted violations of data processing principles (Article 5 GDPR), insufficient legal basis for processing (Article 6 GDPR), and failures to respond to data subject access requests. Cookie-specific fines from the CPDP remain less common than in western EU member states such as France or Spain, but the trend across Europe points toward increasing scrutiny of tracking technologies.
How Bulgaria Compares to Neighbouring EU States
Bulgaria's cookie rules are broadly consistent with other EU member states, but enforcement intensity varies. Neighbouring Romania and Greece have seen more cookie-specific enforcement actions in recent years. Croatia's AZOP has taken a similar approach to the CPDP, focusing enforcement on broader GDPR violations rather than cookie-specific complaints.
The EDPB's 2023 cookie banner taskforce report found widespread non-compliance across EU websites, and the CPDP participated in this coordinated review. This signals growing alignment between Bulgarian enforcement and the approach taken by more active DPAs like the CNIL and the Italian Garante.
Compliance Checklist for Bulgarian Cookie Consent
Use this checklist to evaluate whether your website meets Bulgarian requirements:
Audit your cookies - run a cookie scan to identify every cookie and tracker on your site, including those set by third-party scripts
Classify each cookie - assign every cookie to the correct category (necessary, functional, analytics, marketing)
Implement a consent banner - display a cookie banner that loads before non-essential cookies fire, with clear accept and reject buttons of equal prominence
Block scripts until consent - ensure analytics tags like _ga and marketing pixels like _fbp do not execute until the visitor opts in
Support granular choice - allow visitors to select individual cookie categories rather than forcing an all-or-nothing decision
Provide a cookie policy - publish a clear policy listing each cookie, its purpose, duration, and whether it is first-party or third-party
Enable consent withdrawal - make it as easy to withdraw consent as it was to give it, using a persistent revisit consent option
Keep consent records - store proof of each visitor's consent decision, including timestamp and categories accepted, for compliance auditing
Configure geo-detection - if your site serves multiple regions, apply Bulgaria-specific rules through region-based geo-detection
Review regularly - re-scan your site after adding new tools or plugins, as third-party scripts frequently introduce new cookies
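The classify, block-until-consent and consent-record steps above can be checked mechanically. The following JavaScript is an added example, not code from this page or from any consent tool: it classifies captured Set-Cookie values using the category table above and reports every cookie set without a matching opt-in. The function names, the matching patterns (including Matomo's default `_pk_` prefix and the GA4 `_ga_` container cookie) and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: categories mirror the table on this page; the name patterns
// are illustrative and must be extended from your own cookie scan.
const RULES = [
  { category: "necessary", test: /^(PHPSESSID|csrf_token)$/ },
  { category: "functional", test: /^pll_language$/ },
  { category: "analytics", test: /^(_ga($|_)|_gid$|_pk_)/ }, // _pk_ = Matomo default prefix
  { category: "marketing", test: /^(_fbp|_gcl_au)$/ },
];

// Unknown cookies are treated as consent-required until someone classifies them.
function classify(name) {
  const rule = RULES.find((r) => r.test.test(name));
  return rule ? rule.category : "unclassified";
}

// The cookie name is everything before the first "=" of a Set-Cookie value.
function cookieName(setCookie) {
  return setCookie.split(";")[0].split("=")[0].trim();
}

// Consent record with the fields the checklist asks for: timestamp and categories.
function makeConsentRecord(acceptedCategories, now = new Date()) {
  return { timestamp: now.toISOString(), categories: [...acceptedCategories].sort() };
}

// Returns every cookie that was set without a matching opt-in.
// `record` is null when the visitor has not interacted with the banner yet.
function auditCookies(setCookieHeaders, record) {
  const allowed = new Set(["necessary", ...(record ? record.categories : [])]);
  return setCookieHeaders
    .map((h) => ({ name: cookieName(h), category: classify(cookieName(h)) }))
    .filter((c) => !allowed.has(c.category));
}

// Constructed sample: Set-Cookie values captured on a first page load.
const SAMPLE = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "pll_language=bg; Path=/",
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.1700000000000.1; Path=/",
  "xyz_tracker=1; Path=/",
];

console.log(auditCookies(SAMPLE, null)); // before any banner interaction
console.log(auditCookies(SAMPLE, makeConsentRecord(["analytics"])));
```

An empty result for the pre-consent capture is the pass condition; any entry is a cookie that reached the browser before the visitor opted in.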
Google Consent Mode and Bulgarian Compliance
If your site uses Google Analytics 4 or Google Ads, Google Consent Mode v2 is relevant. This framework allows Google tags to adjust their behaviour based on a visitor's consent status. When a Bulgarian visitor declines analytics cookies, Consent Mode can switch to cookieless pings that do not store identifiers on the device.
Consent Mode does not replace the need for a proper cookie banner. It is a technical integration that works alongside your consent management setup to ensure Google tags respect the choices made through your banner.
Frequently Asked Questions
Does Bulgaria require cookie consent for all cookies?
No. Strictly necessary cookies, such as session identifiers and authentication tokens, are exempt. All other cookies, including analytics and marketing trackers, require prior opt-in consent from the visitor.
What is the CPDP and what does it enforce?
The CPDP (Commission for Personal Data Protection) is Bulgaria's national supervisory authority. It enforces the GDPR, the Bulgarian Personal Data Protection Act, and cookie-related provisions in the Electronic Communications Act.
Can my website be fined for not having a cookie banner in Bulgaria?
Yes. Setting non-essential cookies without prior consent violates both the ePrivacy Directive (transposed through the ECA) and the GDPR. The CPDP can impose fines of up to EUR 20 million or 4% of global annual turnover.
Is a cookie wall allowed under Bulgarian law?
The CPDP's guidance states that if a website restricts access when cookies are refused, consent cannot be considered freely given. Cookie walls are therefore non-compliant under current Bulgarian interpretation.
How does Bulgaria's cookie law differ from the GDPR?
The GDPR covers personal data processing generally. Bulgaria's Electronic Communications Act specifically addresses the storage of information (including cookies) on a user's device, transposing Article 5(3) of the ePrivacy Directive. Both apply simultaneously when cookies collect personal data.
Do I need a Bulgarian-language cookie banner?
There is no strict legal requirement for Bulgarian-language banners, but providing one is strongly recommended if your audience is primarily Bulgarian. The GDPR requires that consent information be provided in clear, plain language that the data subject can understand.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.