How Cyprus Regulates Cookies

Cyprus transposed the ePrivacy Directive into national law through Part 14 of the Regulation of Electronic Communications and Postal Services Law (Law No. 112(I)/2004, as amended). This legislation came into force on 18 May 2012 and governs how websites may store or access information on a visitor's device.

The law sits alongside the GDPR, which applies directly in Cyprus as an EU member state. Where cookies process personal data - and most tracking cookies do - both instruments apply simultaneously. The Commissioner for the Protection of Personal Data (Epitropos Prostasias Dedomenwn Prosopikou Charaktira) supervises compliance with both frameworks.

Cyprus was among the more active EU data protection authorities between 2018 and 2023, issuing fines in roughly 3% of all cases examined - placing it second only to Slovakia in enforcement frequency across the bloc.

Consent Requirements Under Cypriot Law

Article 5(3) of the ePrivacy Directive, as transposed by Law 112(I)/2004, permits storing or accessing information on a user's device only with the informed consent of the subscriber or user. The standard for valid consent follows the GDPR definition set out in Article 4(11) and elaborated in Article 7.

Consent must be:

  • Freely given - no bundling consent with access to a service

  • Specific - covering identified purposes, not blanket acceptance

  • Informed - the user must know what cookies do and who sets them

  • Unambiguous - demonstrated by a clear affirmative action

Pre-ticked checkboxes, implied consent through continued browsing, and cookie walls that block access until consent is given all fail to meet these conditions.

Exemptions from Consent

Two categories of cookies do not require consent under Cypriot law. The first is cookies used solely for transmitting a communication over an electronic network. The second is cookies strictly necessary for delivering a service the user explicitly requested - session cookies like PHPSESSID or language preference cookies like pll_language fall into this category.

Strictly necessary cookies still need to be disclosed in your cookie policy, even though no consent is required for them.

Cookie Categories and What Needs Consent

The following table summarises which cookie categories require consent under Cypriot law:

Cookie Category | Example | Consent Required
--- | --- | ---
Strictly necessary | PHPSESSID, pll_language | No
Functional/Preference | Theme settings, font size | Yes
Analytics/Statistics | _ga, _gid | Yes
Marketing/Advertising | _fbp, _gcl_au | Yes

Analytics cookies always require consent in Cyprus. There is no soft opt-in or implied consent exception for anonymised analytics, unlike some interpretations seen in other EU jurisdictions.

The Commissioner's Cookie Inspections

The Commissioner began proactive cookie inspections of websites in June 2021. By May 2023, approximately 30 inspections had been completed, focusing primarily on news websites and other public information portals.

The inspection process follows a structured pattern. Website administrators receive a letter outlining the findings and requesting corrections within a set timeframe. Given that these inspections were relatively new, the Commissioner granted organisations sufficient time to bring their sites into compliance before pursuing formal enforcement.

The Commissioner also received individual complaints about websites using cookies without obtaining consent, which prompted the publication of recommendations for website operators across the country.

Enforcement Powers and Penalties

The Commissioner can issue corrective orders, warnings, and administrative fines. Under Article 83 of the GDPR, infringements of the basic principles of processing - including the conditions for consent - attract fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.

Notable enforcement actions in Cyprus include a 45,000 euro fine against the Open University of Cyprus for inadequate security measures following a data breach, and an 8,000 euro fine against a government ministry for unlawful disclosure of personal data. While these cases did not directly concern cookies, they signal that the Commissioner is willing to impose meaningful sanctions.

Cyprus Cookie Compliance Compared to Neighbouring EU States

Cyprus shares many regulatory similarities with its Mediterranean neighbours, but enforcement styles differ. The table below compares cookie consent approaches across nearby EU member states:

Country | DPA | Cookie-Specific Guidance | Active Cookie Enforcement
--- | --- | --- | ---
Cyprus | Commissioner for Personal Data Protection | Recommendations published (2023) | Yes - 30+ inspections
Greece | HDPA | Guidelines issued | Moderate
Malta | IDPC | Basic guidance | Limited
Italy | Garante | Detailed cookie guidelines (2021) | Yes - significant fines

If your website serves visitors across multiple EU countries, a single cookie banner compliant with the strictest applicable standard is the most practical approach.

Compliance Checklist for Cyprus

Use this checklist to confirm your website meets Cypriot cookie requirements:

  1. Audit your cookies - Run a cookie scan to identify every cookie and tracker on your site, including those set by third-party scripts like _ga or _fbp.

  2. Categorise correctly - Assign each cookie to the appropriate category. Only session and transmission cookies qualify as strictly necessary.

  3. Block before consent - Non-essential cookies must not fire until the visitor provides affirmative consent. This applies to analytics, marketing, and functional cookies alike.

  4. Display a clear banner - Your cookie banner must name the categories, explain their purpose, and provide equally prominent accept and reject buttons.

  5. Store consent records - Keep a log of when and how each visitor consented. The GDPR requires you to demonstrate valid consent if challenged.

  6. Provide an opt-out mechanism - Visitors must be able to withdraw consent as easily as they gave it, at any time.

  7. Maintain a cookie policy - List all cookies by name, purpose, duration, and whether they are first-party or third-party.

  8. Implement Google Consent Mode v2 - If you use Google services, configure consent signals so tags respect visitor choices.
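Steps 1, 2, 3 and 5 can be checked mechanically. The sketch below is an added example, not code from Kukie.io or any consent platform: it classifies scanned cookies using the names from the category table above, builds a consent record, and flags every cookie that was set without prior consent for its category. The function names, record fields and sample scan data are assumptions constructed for illustration.

```javascript
// Added example; names, fields and sample data are hypothetical.
// Category map built only from the cookie names this page lists.
const CATEGORY_BY_COOKIE = {
  PHPSESSID: "necessary", pll_language: "necessary",
  _ga: "analytics", _gid: "analytics",
  _fbp: "marketing", _gcl_au: "marketing",
};

// Step 2: unknown cookies are never treated as exempt.
function classify(name) {
  return CATEGORY_BY_COOKIE[name] || "unclassified";
}

// Step 5: record when and how the visitor consented, and to which categories.
function makeConsentRecord(visitorId, choices, method, timestamp) {
  const granted = Object.keys(choices).filter((c) => choices[c] === true);
  return { visitorId, granted, method, timestamp };
}

// Step 3: flag cookies set without a prior consent covering their category.
// observations: [{ name, setAt }] from a scan; record: consent record or null.
function findViolations(observations, record) {
  const violations = [];
  for (const { name, setAt } of observations) {
    const category = classify(name);
    if (category === "necessary") continue; // disclosed in policy, no consent needed
    let reason = null;
    if (category === "unclassified") {
      reason = "not categorised";
    } else if (record === null || !record.granted.includes(category)) {
      reason = "no consent for category";
    } else if (Date.parse(record.timestamp) > Date.parse(setAt)) {
      reason = "set before consent was given";
    }
    if (reason) violations.push({ name, category, reason });
  }
  return violations;
}

// Constructed sample scan: the visitor accepted analytics only, at 10:00:05.
const SAMPLE_RECORD = makeConsentRecord(
  "visitor-123", { analytics: true, marketing: false },
  "banner: accept selected", "2024-01-01T10:00:05Z");
const SAMPLE_SCAN = [
  { name: "PHPSESSID", setAt: "2024-01-01T10:00:00Z" },
  { name: "_ga", setAt: "2024-01-01T10:00:01Z" },
  { name: "_gid", setAt: "2024-01-01T10:00:06Z" },
  { name: "_fbp", setAt: "2024-01-01T10:00:07Z" },
  { name: "tracker_x", setAt: "2024-01-01T10:00:08Z" },
];
console.log(findViolations(SAMPLE_SCAN, SAMPLE_RECORD));
```
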

GDPR and ePrivacy: How the Two Frameworks Interact in Cyprus

The GDPR and the ePrivacy Law operate as complementary instruments. The ePrivacy Law governs the act of placing or reading a cookie on the device. The GDPR governs what happens with the personal data collected through that cookie.

A practical example: when a visitor lands on your site, your analytics script attempts to set _ga. The ePrivacy Law requires consent before that cookie is placed. Once placed, the GDPR requires a lawful basis for processing the browsing data collected, a privacy notice explaining the processing, and data subject rights including access and erasure.

Both laws apply to any website that targets Cypriot residents, regardless of where the website operator is based. If your site is available in Greek, uses a .cy domain, or specifically markets to a Cypriot audience, you fall within scope.

Frequently Asked Questions

Do I need a cookie banner for a website targeting Cyprus?

Yes. If your website uses any non-essential cookies and targets Cypriot visitors, you must display a cookie banner that collects informed, freely given consent before those cookies are set.

Are analytics cookies exempt from consent in Cyprus?

No. Analytics cookies such as _ga and _gid require prior consent under Cypriot law. There is no exemption for anonymised or first-party analytics.

What fines can the Cyprus Commissioner impose for cookie violations?

The Commissioner can impose administrative fines of up to 20 million euros or 4% of global annual turnover under the GDPR for consent-related infringements. Corrective orders and warnings are also available.

Which law governs cookies in Cyprus?

Part 14 of the Regulation of Electronic Communications and Postal Services Law (Law No. 112(I)/2004, as amended) transposes the ePrivacy Directive into Cypriot law and governs cookie consent requirements.

Can I use a cookie wall on a Cypriot website?

No. Cookie walls that block access to content unless the visitor accepts all cookies do not constitute freely given consent under the GDPR and are not permitted.

Does the Cyprus Commissioner actively enforce cookie rules?

Yes. The Commissioner began proactive website inspections in June 2021 and had completed approximately 30 audits by May 2023, focusing on news sites and public information portals.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
