How Estonian Law Regulates Cookies
Estonia applies two overlapping legal frameworks to cookies and similar tracking technologies. The GDPR governs the processing of personal data collected through cookies, while the Estonian Electronic Communications Act (ECA) addresses the act of storing or accessing information on a user's device.
The ECA originally entered into force in 2004 and was amended in February 2011 to transpose parts of the EU ePrivacy Directive. One notable detail is that Estonia has not directly transposed Article 5(3) of the ePrivacy Directive into a standalone cookie provision. Instead, a general data protection clause within the ECA is interpreted in line with the Directive's requirements. The practical effect is the same: non-essential cookies require prior consent.
The Andmekaitse Inspektsioon (AKI) - Estonia's Data Protection Inspectorate - supervises compliance with both laws.
The Andmekaitse Inspektsioon (AKI) and Its Role
The AKI is Estonia's independent supervisory authority under Article 51 of the GDPR. It handles complaints, conducts investigations, and issues fines related to personal data processing and electronic privacy.
Historically, Estonia has been among the EU member states with the lowest GDPR fines. That changed in 2024 when the AKI imposed a record EUR 3 million penalty on Allium UPI OU for a data breach affecting over 750,000 individuals in the Apotheka loyalty programme. While that case concerned inadequate security measures rather than cookies specifically, it signalled a clear shift toward stricter enforcement across all areas of data protection.
Under Estonian law, fines are applied through misdemeanour proceedings. The AKI can also impose non-compliance levies (penalty payments) as an administrative measure if an entity fails to follow a formal precept.
Which Cookies Require Consent in Estonia?
The distinction between essential and non-essential cookies determines whether you need consent.
Strictly necessary cookies - those required solely for transmitting a communication or providing a service the user explicitly requested - may be set without consent. A session cookie like PHPSESSID or a language preference cookie such as pll_language typically falls into this category.
All other cookies need prior, informed consent before being placed on the visitor's device. This includes analytics cookies like _ga and _gid, advertising trackers such as _fbp, and any third-party cookies used for behavioural profiling. The consent standard is the GDPR's: consent must be freely given, specific, informed, and unambiguous (Article 4(11)), and the controller must be able to demonstrate it and allow it to be withdrawn as easily as it was given (Article 7).
| Cookie Type | Example | Consent Required? |
|---|---|---|
| Session / authentication | PHPSESSID, sessionid | No |
| Language preference | pll_language | No |
| Analytics | _ga, _gid | Yes |
| Advertising / retargeting | _fbp, _gcl_au | Yes |
| Social media embeds | Third-party iframe cookies | Yes |
Consent Banner Requirements Under AKI Guidance
A compliant cookie banner in Estonia must meet several conditions rooted in GDPR consent principles.
The banner must appear before any non-essential cookies fire. Pre-ticked boxes, implied consent through continued browsing, and cookie walls that force acceptance all fail to meet the GDPR standard. The EDPB has repeatedly confirmed that scrolling or continued navigation does not constitute valid consent.
Your banner should clearly explain what categories of cookies are used and for what purposes. Visitors must have the ability to accept or reject each category individually. A single "Accept All" button without an equally prominent "Reject All" option creates an imbalance that regulators across the EU have flagged as non-compliant.
Consent records should be stored and made available if the AKI requests evidence of compliance. Opt-in is the only valid consent model in the EU, so document what each visitor consented to, when, and under which version of your cookie policy.
Estonia, the GDPR, and the Personal Data Protection Act
Estonia's national data protection law is the Isikuandmete kaitse seadus (Personal Data Protection Act, or IKS), which supplements the GDPR. The current IKS was adopted in December 2018 and has been in force since January 2019; it sets out additional procedural rules for the AKI's enforcement powers.
For cookie compliance, the GDPR provisions on consent (Articles 6 and 7), transparency (Articles 12-14), and the rights of data subjects (Articles 15-22) apply directly. The IKS does not create separate cookie-specific rules but reinforces the AKI's authority to investigate and sanction breaches.
If your website targets Estonian users from outside the country, the GDPR's territorial scope under Article 3(2) still applies. Offering goods or services to Estonian residents, or monitoring their behaviour, brings your site within scope regardless of where you are based.
Cross-Border Considerations: The Baltic and Nordic Context
Estonia's approach closely mirrors those of its Baltic neighbours. Latvia and Lithuania each have their own ePrivacy transpositions and national DPAs, but the underlying GDPR requirements are identical. Finland, Estonia's Nordic neighbour across the Gulf, follows a similar opt-in consent model under Traficom's guidance.
Websites serving visitors across the Baltic region should apply the strictest interpretation found among the three Baltic countries. In practice, a properly configured opt-in banner with granular category controls will satisfy the requirements of all Baltic and Nordic DPAs simultaneously.
For a broader overview of EU-wide rules, the country guides for Germany, France, and the Netherlands provide useful comparisons of how different member states enforce the same underlying framework.
Compliance Checklist for Estonian Websites
Use this checklist to verify your site meets AKI and GDPR cookie requirements.
Run a cookie scan to identify every cookie and tracker on your site
Classify each cookie as strictly necessary, analytics, marketing, or functional
Block all non-essential cookies until the visitor gives explicit consent
Display a cookie banner with clear accept and reject options before any tracking fires
Allow granular, per-category consent choices
Maintain a consent log with timestamps and proof of each visitor's choice
Publish a cookie policy explaining what cookies you use, their purposes, durations, and third-party access
Ensure visitors can withdraw consent as easily as they gave it
If using Google services, implement Google Consent Mode v2 to respect consent signals
Review and update your cookie inventory regularly through scheduled scans
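The checklist above, the cookie table and the banner requirements all come down to one piece of client-side logic: classify each cookie, refuse to set non-essential ones until a valid opt-in exists, keep a timestamped record of each choice, and pass the result to Google Consent Mode v2. The following is an added example of that gate, written for this page; it is not Kukie.io's code. The category patterns, the POLICY_VERSION value, the consent record shape and the tag loaders are illustrative assumptions, and the sample visit in demo() is constructed data. It runs in Node or a browser without touching the DOM, so the same functions can be unit-tested and then wired to document.cookie and gtag() in production.

```javascript
// Added example (not Kukie.io code): a minimal consent gate that classifies the
// cookies named in this article, blocks non-essential ones until a valid opt-in
// exists, keeps a timestamped consent log, and emits the Consent Mode v2 signal.
// The patterns, storage shape and POLICY_VERSION are illustrative assumptions.

// Cookie-name patterns per category. Google Analytics 4 sets _ga plus a per-property
// cookie _ga_<container-id>, so _ga is matched as a prefix. Assumption: extend these
// lists from your own cookie scan; they only cover the names used on this page.
const CATEGORY_PATTERNS = {
  necessary: [/^PHPSESSID$/, /^sessionid$/, /^pll_language$/],
  analytics: [/^_ga(_[A-Z0-9]+)?$/, /^_gid$/],
  marketing: [/^_fbp$/, /^_gcl_au$/],
};

// Bump this whenever the cookie policy or purposes change; older consent records
// are then treated as absent and the banner must be shown again.
const POLICY_VERSION = '2024-01';

function classifyCookie(name) {
  for (const [category, patterns] of Object.entries(CATEGORY_PATTERNS)) {
    if (patterns.some((re) => re.test(name))) return category;
  }
  // Anything not in the inventory is treated as non-essential: block by default.
  return 'unclassified';
}

// Build an explicit, per-category consent record. Only a literal true opts a
// category in; a missing, truthy or pre-ticked value never counts (no implied consent).
function createConsentRecord(choices, now = Date.now()) {
  return {
    version: POLICY_VERSION,
    timestamp: new Date(now).toISOString(),
    categories: {
      necessary: true, // exempt; not a choice the visitor makes
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    },
  };
}

// Withdrawal is just a new record with every optional category set to false.
function withdrawConsent(now = Date.now()) {
  return createConsentRecord({}, now);
}

// A record is usable only if it exists and was given under the current policy.
function consentIsValid(consent) {
  return Boolean(consent) && consent.version === POLICY_VERSION;
}

// Decide whether a cookie may be set given the consent record in force.
function mayStore(cookieName, consent) {
  const category = classifyCookie(cookieName);
  if (category === 'necessary') return true;
  if (!consentIsValid(consent)) return false;
  return consent.categories[category] === true;
}

// Consent Mode v2 signal shape, as passed to gtag('consent', 'update', ...).
// Everything defaults to 'denied' so Google tags stay cookieless until consent.
function consentModeV2Update(consent) {
  const valid = consentIsValid(consent);
  const analytics = valid && consent.categories.analytics ? 'granted' : 'denied';
  const marketing = valid && consent.categories.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Run tag loaders (functions that would inject gtag.js, the Meta pixel, etc.)
// only for consented categories. Returns the names that ran, for auditing.
function runGatedTags(loaders, consent) {
  const ran = [];
  for (const { name, category, load } of loaders) {
    const allowed = category === 'necessary'
      || (consentIsValid(consent) && consent.categories[category] === true);
    if (allowed) {
      load();
      ran.push(name);
    }
  }
  return ran;
}

// Append-only consent log: the newest record is the one in force.
function appendConsent(log, record) {
  return [...log, record];
}
function currentConsent(log) {
  return log.length ? log[log.length - 1] : null;
}

// Constructed sample visit: no consent, then analytics-only consent, then withdrawal.
function demo() {
  let log = [];
  const before = mayStore('_ga', currentConsent(log));
  log = appendConsent(log, createConsentRecord({ analytics: true }, 1700000000000));
  const after = runGatedTags([
    { name: 'session', category: 'necessary', load: () => {} },
    { name: 'ga4', category: 'analytics', load: () => {} },
    { name: 'meta-pixel', category: 'marketing', load: () => {} },
  ], currentConsent(log));
  log = appendConsent(log, withdrawConsent(1700000100000));
  const afterWithdraw = mayStore('_ga', currentConsent(log));
  return { before, after, afterWithdraw, log };
}
```

Two design points matter for an audit. First, the gate fails closed: an unknown cookie name, a missing record, or a record made under an older POLICY_VERSION all block the cookie, so a changed policy forces the banner to reappear instead of silently reusing stale consent. Second, the log is append-only and withdrawal is just another record, which gives you the timestamped trail the AKI can ask for without ever editing history.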
Frequently Asked Questions
Does Estonia require cookie consent for analytics cookies?
Yes. Analytics cookies such as _ga are classified as non-essential under both the GDPR and Estonia's Electronic Communications Act. Prior opt-in consent is required before setting them.
What is the AKI and what does it do?
The Andmekaitse Inspektsioon (AKI) is Estonia's independent data protection authority. It supervises GDPR compliance, handles complaints from individuals, and can impose fines or enforcement orders on organisations that breach data protection rules.
Can I use a cookie wall on my Estonian website?
No. Cookie walls that block access unless visitors accept all cookies do not meet the GDPR's requirement for freely given consent. The EDPB guidelines make clear that consent must be a genuine choice.
How much can the AKI fine for cookie violations?
Under the GDPR, fines can reach up to EUR 20 million or 4% of annual global turnover, whichever is higher. In practice, Estonian fines have historically been modest, though the EUR 3 million penalty issued in 2024 shows the AKI is prepared to act decisively.
Do I need a cookie banner if my site only uses essential cookies?
Strictly necessary cookies do not require consent, so a consent banner is not legally mandatory in that case. You should still inform visitors about these cookies in your privacy or cookie policy.
Does Estonian cookie law apply to websites outside Estonia?
If your website targets Estonian residents by offering goods or services to them, or monitors their behaviour, the GDPR applies regardless of where the site is hosted. You would need to comply with Estonian and EU cookie rules.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.