Hungary's Legal Framework for Cookie Consent
Hungary regulates cookies and similar tracking technologies through two overlapping legal instruments. The ePrivacy Directive is transposed into Hungarian law by Act C of 2003 on Electronic Communications (known as the E-Communications Act), while the General Data Protection Regulation applies directly as EU law. The NAIH - Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (National Authority for Data Protection and Freedom of Information) - supervises compliance with both.
Act C of 2003 sets the rules for storing information on, or accessing information from, a user's terminal equipment. The GDPR governs the processing of any personal data collected through those cookies. Where a cookie collects personal data, both laws apply simultaneously.
What Act C of 2003 Requires
Section 155 of Act C of 2003 states that storing or accessing data on a subscriber's device is permitted only after the user has received clear, comprehensive information and has given consent. This consent must be obtained before the cookie is set - Hungarian law explicitly requires it to be "prior" consent.
The information provided must cover three specific points: the name of each cookie (so users can identify which cookies belong to the site operator and which to third parties), the lifetime and scope of data each cookie can access, and the purpose of the cookie along with the function it provides.
There is one exception. Cookies that are strictly necessary for the operation of the website - particularly session cookies - may be set based on the site operator's legitimate interest without obtaining consent.
How the GDPR Applies Alongside Act C
The GDPR consent requirements reinforce and extend what Act C demands. Under Article 4(11) and Article 7 of the GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes, implied consent through continued browsing, and bundled consent for multiple purposes all fail to meet this standard.
The NAIH has clarified that separate consent is required for each processing purpose and each marketing channel. A single "Accept All" click can satisfy this only if users also have an equally accessible option to reject all non-essential cookies or to select specific categories.
Where analytics cookies or marketing cookies collect personal data, the GDPR's rules on lawful bases, data minimisation, and storage limitation apply in full.
NAIH Cookie Banner Design Standards
The NAIH has set clear expectations for how cookie banners must function. The authority has criticised designs where the "Reject All" option is harder to access than "Accept All" - a practice it considers a dark pattern.
Specific requirements include:
An "Accept All" and "Reject All" button must appear with equal prominence at the same level of the banner interface
Users must be able to withdraw consent as easily as they gave it
Social media plugins and third-party tracking technologies must be inactive by default, activated only after explicit consent
Multi-layered notices are acceptable - a brief initial notice linked to a detailed cookie policy - but the first layer must still provide meaningful information
Banner text must be clear and concise, not lengthy or confusing
The authority also expects that where data transfer partners are involved, the process for reviewing and selecting those partners must not be overly complicated or buried behind multiple clicks.
NAIH Enforcement: The TV2 Cookie Decision
In 2022, the NAIH launched an official data protection procedure against TV2 Media Csoport Zrt., a major Hungarian media company. The resulting decision imposed a fine of HUF 10,000,000 (approximately EUR 25,000) and marked the first NAIH enforcement action specifically targeting cookie management practices.
The NAIH found several violations. The "Accept All" option required just one click, while "Reject All" required two clicks and the "Object" option required at least three. The banner text was excessively long and confusing. The term "legitimate interest" was used in a misleading way that obscured the actual legal basis for data processing. Transparency was insufficient regarding data sharing with the controller's 754 advertising partners.
This decision signalled a stricter approach. The NAIH explicitly stated that the widespread nature of such cookie consent violations across the industry does not serve as a defence.
Cookie Categories Under Hungarian Law
The distinction between cookie categories determines whether consent is required. The table below summarises how Hungarian law treats each type.
| Cookie Category | Consent Required | Legal Basis | Examples |
|---|---|---|---|
| Strictly necessary | No | Legitimate interest (Act C of 2003) | PHPSESSID, shopping cart, login session |
| Functional | Yes | Consent (GDPR Art. 6(1)(a) + Act C) | pll_language, user preferences |
| Analytics | Yes | Consent (GDPR Art. 6(1)(a) + Act C) | _ga, _gid, page view tracking |
| Marketing / Advertising | Yes | Consent (GDPR Art. 6(1)(a) + Act C) | _fbp, IDE, retargeting pixels |
Only cookies that are strictly necessary for the technical operation of the site qualify for the consent exemption. Cookies used for analytics, personalisation, or advertising - regardless of whether they are first-party or third-party - require prior consent.
Compliance Checklist for Hungarian Websites
If your website targets users in Hungary, the following steps will help you meet NAIH and GDPR requirements.
Audit your cookies - Run a cookie scan to identify every cookie and tracker on your site, including those set by third-party scripts
Classify each cookie - Assign every cookie to the correct category (strictly necessary, functional, analytics, or marketing)
Block non-essential cookies before consent - No analytics, marketing, or functional cookies may fire until the user actively consents
Display a compliant cookie banner - Provide "Accept All" and "Reject All" at the same level with equal visual weight
Provide granular choices - Allow users to accept or reject individual cookie categories
Disclose cookie details - List each cookie's name, purpose, lifetime, and any third parties involved
Make withdrawal easy - Offer a persistent method (such as a floating button or footer link) for users to change their preferences at any time
Keep consent records - Store proof of when and how each user consented, as required by GDPR Article 7(1)
Set social plugins to inactive - Third-party embeds from social platforms must load only after consent
Review regularly - Re-scan your site periodically to catch new cookies introduced by plugin updates or script changes
Hungary Compared to Neighbouring EU Member States
Cookie consent rules across Central Europe share a common GDPR foundation but differ in local enforcement priorities and the strictness of national transpositions.
| Country | Supervisory Authority | ePrivacy Transposition | Notable Enforcement Focus |
|---|---|---|---|
| Hungary | NAIH | Act C of 2003 | Cookie banner dark patterns, misleading consent |
| Austria | DSB | TKG 2021 | Cookie wall restrictions, analytics consent |
| Romania | ANSPDCP | Law 506/2004 | Transparency obligations, data breach fines |
| Slovakia | UOOU | Act 452/2021 | Consent mechanism requirements |
| Czech Republic | UOOU | Act 127/2005 | Cookie consent enforcement expanding |
| Croatia | AZOP | Electronic Communications Act | Growing enforcement activity |
| Slovenia | IP-RS | ZEKom-2 | Cookie guidance issued |
The TV2 decision places Hungary among the more active enforcers of cookie consent rules in the region, alongside France's CNIL and Italy's Garante at the EU level.
Frequently Asked Questions
Does Hungary require cookie consent for all cookies?
No. Strictly necessary cookies, such as session cookies required for basic website functionality, are exempt from the consent requirement under Act C of 2003. All other cookies - including analytics, functional, and marketing cookies - require prior, informed consent.
What is the NAIH and what does it do?
The NAIH (Nemzeti Adatvedelmi es Informacioszabadsag Hatosag) is Hungary's data protection authority. It supervises compliance with the GDPR, Act C of 2003, and other data protection legislation. It can investigate complaints, conduct audits, and impose fines for violations.
Can I use a cookie wall on a Hungarian website?
Cookie walls that block access to content unless the user accepts all cookies are generally considered non-compliant. The GDPR requires consent to be freely given, and denying access to a service unless cookies are accepted undermines that requirement.
How much can the NAIH fine for cookie violations?
The NAIH can impose fines under the GDPR framework, up to EUR 20 million or 4% of global annual turnover for the most serious infringements. The first cookie-specific fine was HUF 10 million (approximately EUR 25,000), but amounts can vary based on severity and scale.
Do I need a cookie banner in Hungarian language?
If your website targets Hungarian users, providing your cookie banner and privacy information in Hungarian is strongly recommended. The NAIH expects clear and comprehensible information, and offering it only in a language your audience does not understand risks a transparency violation.
Is Google Analytics consent required in Hungary?
Yes. Google Analytics sets cookies such as _ga and _gid that track user behaviour. These are classified as analytics cookies and require prior consent under both Act C of 2003 and the GDPR before they can be placed on a visitor's device.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
