Croatia's Cookie Consent Framework

Croatia's data protection landscape sits at the intersection of two legal instruments: the EU General Data Protection Regulation (GDPR), which applies directly, and the national Electronic Communications Act (Zakon o elektroničkim komunikacijama, Official Gazette No. 76/22, 14/24), which transposes the ePrivacy Directive into Croatian law. Both shape how your website must handle cookies when serving visitors from Croatia.

The supervisory authority is AZOP (Agencija za zaštitu osobnih podataka), the Croatian Personal Data Protection Agency. AZOP enforces both the GDPR and the cookie-specific provisions of the Electronic Communications Act.

If your site targets Croatian users or processes data of individuals in Croatia, these rules apply to you regardless of where your business is based.

What the Electronic Communications Act Requires

Article 5(3) of the ePrivacy Directive, as transposed by the Croatian Electronic Communications Act, establishes a clear consent-first model. Cookies and similar tracking technologies may only be placed on a user's device after the user has given informed consent.

Two narrow exemptions exist:

  • Transmission-necessary cookies - cookies strictly required to carry out the transmission of a communication over an electronic network (e.g., load-balancing cookies).

  • Service-requested cookies - cookies necessary to provide an information society service explicitly requested by the user (e.g., PHPSESSID for maintaining a shopping basket, or pll_language for storing a language preference).

Everything else - analytics cookies like _ga, advertising trackers like _fbp, social media widgets - requires prior consent before activation.

Consent Quality Under Croatian Law

Consent must meet the standard set by Article 7 of the GDPR: freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not qualify. Continuing to browse the site does not qualify. Cookie walls that block all content unless the user accepts tracking are considered coercive and likely invalid.

Your cookie banner must provide clear information about each cookie category and its purpose, and visitors must be able to accept or reject non-essential categories individually.

Penalties for Non-Compliance

The Electronic Communications Act prescribes fines of up to EUR 132,720 specifically for breaches of cookie consent provisions. This is separate from GDPR fines, which can reach up to EUR 20 million or 4% of global annual turnover.

AZOP has demonstrated a willingness to impose significant penalties. In 2025, the agency issued fines totalling nearly EUR 7 million across several sectors. The largest single penalty was EUR 4,500,000, imposed on a telecommunications operator for unlawful international data transfers and lack of transparency. A bank received a EUR 1,500,000 fine for processing personal data of over 430,000 users without a valid legal basis through its mobile application.

Cookie-specific enforcement is also on the radar. In 2024, AZOP fined two gambling website operators EUR 15,000 and EUR 20,000 respectively for deploying cookie banners that failed to specify distinct processing purposes and obtain granular consent.

How Croatian Rules Compare to Neighbouring EU States

Croatia's requirements are broadly consistent with other EU member states, but enforcement intensity and specific local provisions vary. The table below compares Croatia with its neighbours.

Country  | DPA     | ePrivacy Transposition               | Cookie-Specific Fines | Notable Enforcement Focus
---------|---------|--------------------------------------|-----------------------|-----------------------------------------
Croatia  | AZOP    | Electronic Communications Act (76/22) | Up to EUR 132,720     | Cookie banner granularity, transparency
Slovenia | IP-RS   | Electronic Communications Act        | Varies by offence     | Cookie consent and direct marketing
Hungary  | NAIH    | Act C of 2003                        | Administrative fines  | Data processing transparency
Austria  | DSB     | Telecommunications Act 2021          | Up to EUR 37,000      | Analytics cookies, Google Analytics cases
Italy    | Garante | Cookie Guidelines 2021               | GDPR-level fines      | Scroll-as-consent prohibition

Compliance Checklist for Croatian Cookie Consent

Use this checklist to verify your site meets AZOP and Electronic Communications Act requirements.

  1. Audit your cookies - Run a cookie scan to identify every cookie and tracker your site sets. Categorise each as strictly necessary, functional, analytics, or advertising.

  2. Block non-essential cookies before consent - No analytics or marketing cookies should fire until the visitor has actively opted in. This applies to scripts, pixels, and embedded iframes.

  3. Display a compliant banner - The banner must clearly state what cookie categories exist, what each does, and allow the user to accept or reject each category. Provide equal visual prominence to accept and reject options.

  4. Record and store consent - Keep a log of each visitor's consent choice, including timestamp, categories accepted, and the version of your cookie policy in effect. This is your proof if AZOP investigates.

  5. Make withdrawal easy - Visitors must be able to change or withdraw consent at any time, as easily as they gave it.

  6. Publish a cookie policy - List all cookies by name, purpose, provider, duration, and category. Reference the Electronic Communications Act and GDPR as legal bases. A cookie policy template can help structure this.

  7. Review regularly - New scripts, plugins, or third-party tags may introduce cookies you did not approve. Schedule periodic scans.
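Steps 1, 2, 4, 5 and 7 of the checklist can be expressed as one small gate plus an append-only consent log. The sketch below is an added example, not code from the original page or from any consent tool; the rule list, the category names, the record layout and the choice to treat consent given under an older policy version as stale are all assumptions.

```javascript
// Added example. The rules below are constructed from the cookie names this page
// mentions; a real rule list comes from your own cookie scan.
const RULES = [
  [/^PHPSESSID$/, 'necessary'],     // service-requested: shopping basket session
  [/^pll_language$/, 'necessary'],  // service-requested: language preference
  [/^_ga(_.+)?$/, 'analytics'],     // _ga and per-property _ga_<id> cookies
  [/^_fbp$/, 'advertising'],
];
const OPTIONAL = ['functional', 'analytics', 'advertising'];

// Step 1: categorise a cookie name. Unknown names are never treated as exempt.
function categorise(name) {
  const hit = RULES.find(([pattern]) => pattern.test(name));
  return hit ? hit[1] : 'uncategorised';
}

// Step 4: append one log entry per choice. Only an explicit `true` counts as
// acceptance, so missing or non-boolean values are recorded as not accepted.
function recordConsent(log, choices, policyVersion, now = new Date()) {
  const accepted = OPTIONAL.filter((c) => choices[c] === true);
  const entry = Object.freeze({ timestamp: now.toISOString(), policyVersion, accepted });
  log.push(entry);
  return entry;
}

// Step 5: withdrawal is another log entry with nothing accepted.
function withdrawConsent(log, policyVersion, now = new Date()) {
  return recordConsent(log, {}, policyVersion, now);
}

// Step 2: a cookie may be set only if it is exempt, or its category is in the
// latest entry and that entry was given under the current policy version
// (assumption: older-version consent is stale and must be asked for again).
function maySet(name, log, currentPolicyVersion) {
  const category = categorise(name);
  if (category === 'necessary') return true;
  const latest = log[log.length - 1];
  if (!latest || latest.policyVersion !== currentPolicyVersion) return false;
  return latest.accepted.includes(category);
}

// Steps 1 and 7: names observed on a fresh visit, before any banner interaction.
// Anything returned here was set without consent or has not been categorised yet.
function preConsentViolations(observedNames) {
  return observedNames.filter((name) => !maySet(name, [], null));
}
```

Running `preConsentViolations` over the output of each periodic scan turns step 7 into a regression check: a new plugin that sets an unlisted cookie shows up as `uncategorised` instead of passing silently.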

AZOP's Enforcement Priorities in 2026

The European Data Protection Board identified transparency as a central enforcement priority for 2026 across all EU member states. AZOP has echoed this focus, with particular attention to privacy notices that are unclear, incomplete, or misleading.

For website operators, this means your cookie policy and banner text must be genuinely informative rather than perfunctory. Vague descriptions like "functional purposes" or "improving user experience" without specifics are increasingly likely to attract scrutiny.

AZOP also continues to examine excessive data collection. If your cookie banner collects consent for categories of cookies that your site does not actually use, that discrepancy could itself be flagged as a transparency failing.

Geo-Detection and Serving the Right Banner

If your website serves visitors from multiple countries, the consent model shown to Croatian visitors should reflect Croatian and EU requirements. A banner configured for a US audience under the CCPA opt-out model would not satisfy the opt-in requirement under Croatian law.

Geo-detection rules allow you to display the appropriate consent model based on the visitor's location. Croatian visitors should see an opt-in banner with granular category controls. Visitors from jurisdictions with different rules can see a banner calibrated to their local requirements.

This approach avoids over-blocking for visitors from less restrictive jurisdictions while keeping Croatian compliance intact.

Google Consent Mode and Croatian Compliance

If your site uses Google Analytics, Google Ads, or Google Tag Manager, Google Consent Mode v2 is relevant. Consent Mode allows Google tags to adjust their behaviour based on whether the visitor has granted or denied consent.

For Croatian visitors, Consent Mode should default to denied for analytics_storage and ad_storage until the visitor provides opt-in consent through your cookie banner. Once consent is given, the consent state updates and tags fire normally.
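The default-then-update sequence described above, as an added example that is not part of the original page. The `gtag('consent', 'default' | 'update', ...)` commands and the four signal names are Google's documented Consent Mode v2 interface; the banner category names (`analytics`, `advertising`) and the mapping between categories and signals are assumptions.

```javascript
// Added example. Standard dataLayer/gtag bootstrap, written against globalThis
// so the same code runs in a browser and in Node.
var dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Assumed mapping from banner categories to Consent Mode v2 signals.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Every signal denied: the state before the banner has been answered.
function deniedState() {
  const state = {};
  for (const signals of Object.values(SIGNALS_BY_CATEGORY)) {
    for (const signal of signals) state[signal] = 'denied';
  }
  return state;
}

// Translate banner choices into signals. Only an explicit `true` grants, so a
// dismissed banner or a missing category leaves the signal denied.
function stateFromChoices(choices) {
  const state = deniedState();
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    if (choices[category] === true) {
      for (const signal of signals) state[signal] = 'granted';
    }
  }
  return state;
}

// Must run before any Google tag loads, so the tags start from "denied".
function setDefaultConsent() {
  const state = deniedState();
  gtag('consent', 'default', state);
  return state;
}

// Call from the banner's save handler, and again when consent is withdrawn.
function applyBannerChoices(choices) {
  const state = stateFromChoices(choices);
  gtag('consent', 'update', state);
  return state;
}
```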

Frequently Asked Questions

Does Croatia require cookie consent for all cookies?

No. Strictly necessary cookies - those essential for transmitting a communication or providing a service the user explicitly requested - are exempt. All other cookies, including analytics and advertising, require prior informed consent under the Electronic Communications Act.

What is AZOP and what does it do?

AZOP (Agencija za zaštitu osobnih podataka) is Croatia's national data protection authority. It supervises compliance with the GDPR and the Electronic Communications Act, investigates complaints, and imposes fines for violations.

How much can AZOP fine for cookie violations?

Under the Electronic Communications Act, fines for cookie-related breaches can reach EUR 132,720. Separately, GDPR fines can go up to EUR 20 million or 4% of global annual turnover, whichever is higher.

Is implied consent valid in Croatia?

No. Croatian law follows the GDPR standard requiring active, unambiguous consent. Continuing to browse a website or ignoring a cookie banner does not constitute valid consent. Pre-ticked boxes are also invalid.

Do I need a cookie banner if my site only uses essential cookies?

Strictly speaking, essential cookies do not require consent. However, displaying a brief notice informing visitors about these cookies is good practice and helps demonstrate transparency if AZOP ever investigates.

Does Croatian cookie law apply to websites outside Croatia?

If your website targets Croatian residents or processes data of individuals in Croatia, both the GDPR and the Electronic Communications Act apply, regardless of where the website operator is established.

Take Control of Your Cookie Compliance

If you are unsure which cookies your site sets or whether your banner meets Croatian requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
