Greece's Cookie Consent Framework: Two Laws, One Authority

Greece applies two main pieces of legislation to cookies and online tracking. The GDPR, implemented domestically through Law 4624/2019, governs the processing of personal data. Law 3471/2006, which transposes the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), deals specifically with privacy in electronic communications - including the storage of cookies on user devices.

The Hellenic Data Protection Authority (HDPA), known in Greek as the Archi Prostasias Dedomenon Prosopikou (APDP), oversees enforcement of both laws. The HDPA is a constitutionally established independent authority, which gives it a degree of institutional weight that few other EU data protection authorities enjoy.

Law 3471/2006 was amended by Law 4070/2012 to align with the revised ePrivacy Directive. Under Article 5(3) of that framework, storing or accessing information on a user's device requires prior informed consent - unless the cookie is strictly necessary for delivering a service the user has requested.

HDPA Guidelines 1/2020: The Cookie Rulebook

In February 2020, the HDPA published Guidelines 1/2020 on the use of cookies and trackers. These guidelines came after a sweeping audit of popular Greek websites, which found widespread non-compliance with both the GDPR and ePrivacy requirements.

The guidelines set out several specific requirements that go beyond the text of Law 3471/2006 itself. They represent the HDPA's interpretation of what valid cookie consent looks like in practice, and any website serving Greek users should treat them as binding.

Key rules from Guidelines 1/2020:

  • Prior opt-in consent is required for all cookies that are not strictly necessary, including analytics trackers such as _ga and advertising cookies like _fbp.

  • The accept and reject options must be accessible with the same number of clicks and from the same layer of the banner.

  • Buttons for accepting and declining cookies should use the same size, colour, and font weight - no visual tricks to nudge users toward acceptance.

  • Pre-ticked boxes, continued browsing, and scrolling do not constitute valid consent.

  • Cookie walls that block access unless cookies are accepted are not permitted.

  • If a user rejects non-essential cookies, the website must not repeatedly prompt them to change their mind through persistent pop-ups.

Consent Validity and Withdrawal

The HDPA requires that consent be freely given, specific, informed, and unambiguous - mirroring the standard in Article 7 GDPR. Consent must be as easy to withdraw as it is to give.

Websites must provide a mechanism for users to change or revoke their cookie preferences at any time. A common approach is a persistent settings icon or footer link that reopens the cookie banner.

The HDPA also recognises that consent may be obtained through browser or application settings, though this is rarely sufficient on its own given the granularity required for category-level choices.

Which Cookies Need Consent in Greece?

The distinction between strictly necessary cookies and everything else determines whether consent is required. The table below summarises the main cookie categories and their consent status under Greek law.

Cookie Category | Examples | Consent Required?
--- | --- | ---
Strictly necessary | PHPSESSID, csrf_token, load balancer cookies | No
Preferences/Functionality | pll_language, theme preferences | Yes
Analytics/Statistics | _ga, _gid, Matomo cookies | Yes
Marketing/Advertising | _fbp, _gcl_au, retargeting pixels | Yes

The HDPA explicitly confirmed that third-party analytics cookies, including Google Analytics, require prior consent. There is no soft exemption for anonymised or aggregated analytics under the Greek interpretation.

Enforcement Record: Fines and Audits

The HDPA has issued fines totalling over 36 million euros since the GDPR came into force. While the largest single fine - 20 million euros - targeted a data breach rather than cookies specifically, the authority's cookie-focused audit programme signals that consent violations are on its radar.

Notable enforcement actions include a 2,995,140 euro fine against Hellenic Post for security failures affecting over four million data subjects, and a 400,000 euro fine against the Ministry of Interior for unsolicited political communications. The HDPA also fined the Ministry of Rural Development 25,000 euros for failing to appoint a Data Protection Officer.

The cookie audit that preceded Guidelines 1/2020 examined dozens of high-traffic Greek websites. The HDPA did not impose fines during that initial round but issued formal recommendations. Websites that fail to comply with those recommendations now face the full range of GDPR sanctions.

The HDPA can impose fines of up to 20 million euros or 4% of global annual turnover for serious violations.

How Greek Requirements Compare to Neighbouring EU States

Greece's cookie rules align closely with the stricter end of the EU spectrum. The equal-prominence requirement for accept and reject buttons mirrors the approach taken by France's CNIL. The ban on cookie walls echoes guidance from the Dutch Autoriteit Persoonsgegevens.

Compared to Italy's Garante, which published detailed cookie guidelines in 2021, the HDPA's rules are less prescriptive about the technical implementation of consent storage but equally firm on the principle of prior opt-in. Neighbouring Cyprus and Bulgaria have been less active in cookie-specific enforcement, making Greece the more demanding jurisdiction in the eastern Mediterranean.

Compliance Checklist for Websites Targeting Greece

If your website receives visitors from Greece, the following steps will help you meet HDPA expectations.

  1. Run a cookie scan to identify every cookie and tracker your site sets, including those from third-party scripts.

  2. Classify each cookie by purpose: strictly necessary, functional, analytics, or marketing.

  3. Block all non-essential cookies from firing before the user gives consent. This applies to _ga, _fbp, and any other tracking script.

  4. Display a cookie banner with accept and reject buttons of equal size, colour, and prominence on the same layer.

  5. Provide granular, category-level consent options so users can choose which types of cookies to allow.

  6. Store proof of consent - including the timestamp, version of your cookie policy, and the choices made - as evidence of compliance.

  7. Allow users to withdraw consent at any time through a persistent link or icon.

  8. Respect the user's choice: if they reject analytics cookies, do not load Google Analytics or similar tools.

  9. Review your cookie banner text in Greek or provide a clear English alternative, ensuring the information is genuinely comprehensible.

  10. Re-scan your site regularly, as new plugins or third-party updates can introduce cookies without your knowledge.
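
Steps 2, 3 and 6 of the checklist can be checked in code. The sketch below is an added example, not part of the original article or of any vendor's product: it classifies cookie names using the categories from the table above, flags any non-essential or unknown cookie present without consent for its category, and builds a proof-of-consent record. The function names, the rule list and the sample cookie string are assumptions made for illustration.

```javascript
// Category rules built from the cookie names in the table above (assumed mapping).
// Any name not listed is "unclassified" and is flagged until someone reviews it.
const CATEGORY_RULES = [
  { category: "necessary", pattern: /^(PHPSESSID|csrf_token)$/ },
  { category: "preferences", pattern: /^pll_language$/ },
  { category: "analytics", pattern: /^(_ga|_gid)$/ },
  { category: "marketing", pattern: /^(_fbp|_gcl_au)$/ },
];

function classifyCookie(name) {
  const rule = CATEGORY_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter(Boolean);
}

// Return every cookie present without consent for its category.
// `consent` maps category -> boolean; a missing category counts as rejected.
function findConsentViolations(cookieString, consent = {}) {
  return cookieNames(cookieString)
    .map((name) => ({ name, category: classifyCookie(name) }))
    .filter((c) => c.category !== "necessary" && consent[c.category] !== true);
}

// Proof-of-consent record (step 6): timestamp, policy version, choices made.
// Categories the user did not choose default to rejected (prior opt-in).
function buildConsentRecord(choices, policyVersion, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    policyVersion,
    choices: { preferences: false, analytics: false, marketing: false,
               ...choices, necessary: true },
  };
}

// Constructed sample: cookies observed on first page load, before any choice.
const SAMPLE_BEFORE_CONSENT =
  "PHPSESSID=abc123; _ga=GA1.2.111.222; _fbp=fb.1.1.1; x_widget=1";
console.log(findConsentViolations(SAMPLE_BEFORE_CONSENT));
```

Running the check against the cookies captured on a fresh visit, before the banner is answered, should return an empty list on a compliant site.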

Age of Consent for Digital Services

Under Article 21 of Law 4624/2019, Greece sets the age of digital consent at 15. Minors under 15 require parental or guardian consent before their personal data can be processed for information society services. If your website targets younger users in Greece, your consent mechanism must account for this threshold.

Frequently Asked Questions

Does Greece require cookie consent for Google Analytics?

Yes. The HDPA's Guidelines 1/2020 explicitly state that third-party analytics trackers, including Google Analytics, require prior opt-in consent before being placed on a user's device.

Are cookie walls allowed under Greek data protection law?

No. The HDPA considers cookie walls - where access to content is blocked unless cookies are accepted - to be an invalid form of consent because the user's choice is not freely given.

What fines can the HDPA impose for cookie consent violations?

The HDPA can impose administrative fines of up to 20 million euros or 4% of global annual turnover, whichever is higher, in line with the GDPR's maximum penalty framework.

Do accept and reject buttons need to look the same in Greece?

The HDPA recommends that accept and reject buttons use the same size, colour, and font to avoid nudging users toward acceptance. Both options must also be accessible with the same number of clicks.

What is the age of digital consent in Greece?

Greece sets the age of digital consent at 15 under Article 21 of Law 4624/2019. Children under 15 need parental consent for their data to be processed by information society services.

Which Greek law governs cookie consent?

Law 3471/2006, as amended by Law 4070/2012, is the primary legislation governing cookies in Greece. It transposes the EU ePrivacy Directive and works alongside the GDPR (implemented by Law 4624/2019).
