Luxembourg's Cookie Consent Legal Framework

Luxembourg transposed the EU ePrivacy Directive (2002/58/EC) into national law through the Loi du 30 mai 2005, which was later amended by the law of 28 July 2011 to incorporate the revised cookie consent requirements from Directive 2009/136/EC. Article 4(2) of this law requires website operators to obtain informed consent before placing non-essential cookies on a visitor's device.

The Commission nationale pour la protection des données (CNPD) is Luxembourg's supervisory authority responsible for enforcing both this national legislation and the GDPR. On 26 October 2021, the CNPD published detailed cookie guidelines that clarify how these legal requirements apply in practice.

These guidelines sit alongside the GDPR, which governs the processing of personal data collected through cookies. Where a cookie processes personal data, both the Loi du 30 mai 2005 and the GDPR apply simultaneously.

What the CNPD Cookie Guidelines Require

The 2021 CNPD guidelines draw a clear line between essential cookies and non-essential cookies.

Essential cookies are those strictly necessary to carry out a communication over an electronic network or to provide a service explicitly requested by the user. Session cookies like PHPSESSID and load-balancing cookies fall into this category. These do not require consent.

Non-essential cookies, including analytics trackers such as _ga and _gid, advertising pixels like _fbp, and social media widgets, require prior, informed, freely given, specific, and unambiguous consent before they may be set. This mirrors the standard set by other EU data protection authorities, such as the CNIL in France and the BfDI in Germany.

Cookie Categories Under CNPD Guidance

| Cookie Category | Examples | Consent Required? |
|---|---|---|
| Strictly necessary | PHPSESSID, authentication tokens, CSRF tokens | No |
| Functional / preference | pll_language, theme selectors, region preferences | Yes |
| Analytics / performance | _ga, _gid, _gat | Yes |
| Advertising / tracking | _fbp, _gcl_au, retargeting pixels | Yes |

Cookie Banner Design: The Two-Layer Approach

The CNPD recommends a two-layer information model for cookie banners.

The first layer is the banner itself. It must inform visitors that cookies are used, explain the purposes behind them, identify whether first-party or third-party cookies are involved, and offer clear options to accept or refuse. The CNPD explicitly requires that both an "Accept all" and a "Refuse all" button appear on this first layer, with equal size, emphasis, and colour. Using a prominent accept button alongside a less visible refuse option constitutes a dark pattern, which the CNPD prohibits.

The second layer is a detailed cookie policy accessible from the banner. It must list every cookie in use, its specific purpose, the data controller and any third parties involved, the categories of data collected, and data recipients.

Consent must be renewable. The CNPD sets a maximum validity period of 12 months, after which the banner must reappear and fresh consent must be collected.

CNPD Enforcement: From Warnings to Record Fines

Luxembourg may be small, but the CNPD has issued some of the largest GDPR fines in Europe. The most prominent is the EUR 746 million fine imposed on Amazon in July 2021 for processing personal data for targeted advertising without valid consent. In March 2025, the Luxembourg Administrative Court dismissed Amazon's appeal and upheld the fine in full.

Smaller-scale enforcement continues as well. In January 2025, the CNPD fined a credit institution EUR 175,000 for failing to respond to 47 data subject access requests within the deadlines set by Articles 12(3) and 12(4) of the GDPR. In 2023, the CNPD issued eight corrective measures, including three fines totalling EUR 6,500.

Since October 2025, new legislation allows the CNPD to initiate representative actions on behalf of data subjects without relying on a non-profit organisation or individual mandates. This expands the authority's enforcement toolkit significantly.

How Luxembourg's Rules Compare to Neighbouring Countries

Luxembourg's cookie rules align closely with the broader EU framework, but each neighbouring country adds its own interpretation. The Belgian APD follows a similar two-layer model. The Dutch AP takes a strict line on analytics cookies, treating them as non-essential by default unless properly anonymised.

France's CNIL has been more aggressive with cookie-specific fines, including several multi-million euro penalties against major technology companies. Germany's approach under the TTDSG adds a national layer of legislation on top of the ePrivacy Directive transposition.

| Country | Supervisory Authority | ePrivacy Transposition | Consent Renewal Period |
|---|---|---|---|
| Luxembourg | CNPD | Loi du 30 mai 2005 (amended 2011) | 12 months |
| Belgium | APD/GBA | Loi du 13 juin 2005 | 6 months (recommended) |
| France | CNIL | Loi Informatique et Libertés | 6 months |
| Germany | BfDI / State DPAs | TTDSG (2021) | Not specified |
| Netherlands | AP | Telecommunicatiewet | Not specified |

Compliance Checklist for Luxembourg

Use this checklist to verify your website meets CNPD requirements.

  • Audit your cookies. Run a cookie scan to identify every cookie and tracker active on your site, including third-party scripts.

  • Classify each cookie. Assign every cookie to the correct category: strictly necessary, functional, analytics, or advertising.

  • Block non-essential cookies before consent. No analytics or advertising cookies should fire until the visitor makes a choice. Use Google Consent Mode v2 to handle tag behaviour correctly.

  • Display equal accept and refuse buttons. Both options must appear on the first layer of the banner with identical styling.

  • Provide granular category controls. Visitors should be able to accept or refuse cookies by category, not just all or nothing.

  • Publish a detailed cookie policy. The second information layer must list each cookie, its purpose, duration, and the responsible party.

  • Store consent records. Maintain a log of when and how each visitor gave or refused consent, as evidence of compliance.

  • Re-prompt every 12 months. The CNPD considers consent valid for a maximum of 12 months.

  • Make withdrawal easy. If consent was given with a single click, revoking it must be equally straightforward.
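
The audit, classification, pre-consent blocking and 12-month renewal items of the checklist can be verified mechanically. The following is an added example, not code from the CNPD or from Kukie.io: it classifies the cookies a response sets and reports every one placed without current consent for its category. The function names, the consent-record shape and the sample headers are assumptions, and treating unknown cookie names as consent-requiring is a design choice of this example.

```javascript
// Added example. Category names follow the table on this page; function names,
// the consent-record shape and the sample data are assumptions for illustration.
const CATEGORY_RULES = [
  [/^PHPSESSID$/, 'strictly-necessary'],
  [/^pll_language$/, 'functional'],
  [/^(_ga|_gid|_gat)$/, 'analytics'],
  [/^(_fbp|_gcl_au)$/, 'advertising'],
];
const MAX_CONSENT_AGE_MONTHS = 12; // CNPD maximum validity stated on this page

// Map a cookie name to a category; unknown names fail closed as 'unclassified'.
function classify(name) {
  const rule = CATEGORY_RULES.find(([pattern]) => pattern.test(name));
  return rule ? rule[1] : 'unclassified';
}

// The cookie name is everything before the first '=' of a Set-Cookie value.
function cookieName(setCookie) {
  return setCookie.split(';')[0].split('=')[0].trim();
}

// Consent counts only if a record exists and is younger than 12 months.
function consentIsCurrent(record, now) {
  if (!record) return false;
  const expiry = new Date(record.givenAt);
  expiry.setUTCMonth(expiry.getUTCMonth() + MAX_CONSENT_AGE_MONTHS);
  return now.getTime() < expiry.getTime();
}

// Return the cookies a response set without current consent for their category.
function auditResponse(setCookieHeaders, record, now) {
  const current = consentIsCurrent(record, now);
  return setCookieHeaders
    .map((header) => cookieName(header))
    .map((name) => ({ name, category: classify(name) }))
    .filter((c) => c.category !== 'strictly-necessary')
    .filter((c) => !(current && record.categories.includes(c.category)));
}

// Constructed sample: Set-Cookie values captured from one page load.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.111.222; Path=/; Max-Age=63072000',
  'pll_language=fr; Path=/',
  'promo_id=42; Path=/',
];
const SAMPLE_CONSENT = { givenAt: '2024-03-01T10:00:00Z', categories: ['functional'] };

console.log(auditResponse(SAMPLE_HEADERS, null, new Date('2024-06-01T00:00:00Z')));
```

Run against headers captured before any banner interaction, an empty result is the expected state; any entry is a cookie that fired before the visitor made a choice.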

The Relationship Between ePrivacy and GDPR in Luxembourg

Two legal instruments apply to cookies in Luxembourg. Article 5(3) of the ePrivacy Directive, transposed via the Loi du 30 mai 2005, governs access to and storage of information on a user's device. The GDPR governs the subsequent processing of personal data collected through those cookies.

In practice, this means the consent requirement under ePrivacy law is triggered the moment a cookie is placed, regardless of whether it collects personal data. If the cookie does collect personal data, the GDPR's requirements for lawful processing, data minimisation, and transparency also apply. The CNPD enforces both sets of rules.

Frequently Asked Questions

Does Luxembourg require cookie consent for analytics cookies?

Yes. The CNPD classifies analytics cookies such as _ga and _gid as non-essential. Prior consent is required before these cookies may be placed on a visitor's device.

How often must cookie consent be renewed in Luxembourg?

The CNPD sets a maximum consent validity period of 12 months. After that, the cookie banner must reappear and fresh consent must be obtained.

What fines can the CNPD impose for cookie violations?

The CNPD can impose fines under both the Loi du 30 mai 2005 and the GDPR. GDPR fines can reach up to EUR 20 million or 4% of annual global turnover, whichever is higher. The CNPD's EUR 746 million fine against Amazon in 2021 demonstrates the authority's willingness to act at scale.

Is a cookie banner mandatory for websites targeting Luxembourg?

Yes. Any website that places non-essential cookies on devices of visitors located in Luxembourg must display a cookie banner that collects valid consent before those cookies are activated.

Can I use a cookie wall in Luxembourg?

Cookie walls that block access to a website unless the visitor accepts all cookies are problematic under CNPD guidance. Consent must be freely given, meaning access to the service should not be conditional on accepting non-essential cookies.

Do the Luxembourg cookie rules apply to mobile apps?

Yes. The CNPD guidelines apply to both websites and mobile applications. Any app that uses cookies or similar tracking technologies on user devices must follow the same consent and transparency requirements.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
