Malta's Cookie Law: SL 586.01 and the ePrivacy Directive

Malta regulates cookies and similar tracking technologies through the Processing of Personal Data (Electronic Communications Sector) Regulations, known as Subsidiary Legislation 586.01 (SL 586.01). This legislation transposes the EU ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) into Maltese law.

The rule is straightforward: storing information or gaining access to information already stored on a user's device requires prior consent, unless the cookie is strictly necessary for a service the user has explicitly requested. This mirrors Article 5(3) of the ePrivacy Directive and aligns Malta with the broader EU approach to cookie regulation.

The Information and Data Protection Commissioner (IDPC) is the supervisory authority responsible for enforcing both SL 586.01 and the GDPR in Malta. The IDPC published a dedicated Guidance Note on Cookies Consent Requirements in August 2021, authored by its legal counsel, to clarify what constitutes valid consent for cookies on websites and mobile apps.

What the IDPC Guidance Note Requires

The IDPC's guidance note targets operators that use cookies in online services. It sets out examples of acceptable and unacceptable methods of obtaining consent, drawing directly from GDPR consent standards under Articles 4(11) and 7.

Valid cookie consent in Malta must be:

  • Freely given - users cannot be forced to accept cookies as a condition of accessing a website

  • Specific - consent must be granular, covering distinct purposes and cookie categories separately

  • Informed - clear information about what cookies do, who sets them, and how long they persist must be provided before consent is collected

  • Unambiguous - consent requires an affirmative action such as clicking an "Accept" button; pre-ticked boxes and implied consent through continued browsing are not valid

Cookie walls that block access to content unless all cookies are accepted are considered problematic under this framework. The IDPC follows the EDPB's position that tying service access to blanket cookie acceptance undermines the "freely given" requirement.

Cookie Categories Under Maltese Law

SL 586.01 does not define cookie categories explicitly, but the IDPC guidance and GDPR principles establish a practical classification that website owners should follow.

| Category | Consent Required? | Examples |
|---|---|---|
| Strictly necessary | No | PHPSESSID, csrf_token, load balancer cookies |
| Functional / preferences | Yes | pll_language, theme preference cookies |
| Analytics / performance | Yes | _ga, _gid, _gat |
| Marketing / advertising | Yes | _fbp, _gcl_au, IDE |

Only strictly necessary cookies may be set without consent. Every other category requires opt-in before the cookie is placed on the user's device. This applies equally to first-party and third-party cookies.

If your site uses Google Analytics or advertising pixels, those cookies fall squarely into categories that demand prior consent under Maltese rules.

How GDPR and SL 586.01 Work Together

Malta applies both the GDPR and SL 586.01 to cookie processing. The two frameworks overlap but serve different functions.

SL 586.01 governs the act of placing or reading a cookie on a user's terminal equipment. It applies regardless of whether the cookie contains personal data. The GDPR applies when cookie data constitutes personal data, which covers most analytics and advertising cookies since identifiers like _ga can single out individual users.

A practical consequence: even if a cookie does not store personal data directly, you still need consent under SL 586.01 to place it (unless it is strictly necessary). If it does process personal data, you also need a lawful basis under Article 6 of the GDPR. For most website operators, consent serves as the lawful basis under both instruments.

IDPC Enforcement and Fines

The IDPC has historically been a smaller supervisory authority, but enforcement activity has increased steadily. In 2024, the IDPC issued more decisions than in the previous year, and for the first time initiated proceedings ex officio rather than solely on the basis of public complaints.

Fines under SL 586.01 can reach up to EUR 23,293.73 per violation, with an additional EUR 2,329.37 for each day the infringement continues. Under the GDPR, the IDPC can impose fines up to EUR 20 million or 4% of annual global turnover, whichever is higher.

The IDPC's largest fine to date was EUR 65,000 against C-Planet for a data breach, issued in 2022. While this figure is modest compared to fines from the Irish DPC or CNIL, the upward trend in enforcement activity signals growing regulatory attention.

The IDPC also participates in the EDPB's Coordinated Enforcement Framework, which in 2026 focuses on cross-border cooperation. This means cookie compliance issues flagged by other EU authorities could lead to scrutiny from the IDPC as well.

Compliance Checklist for Maltese Cookie Requirements

Use this checklist to assess whether your website meets the IDPC's cookie consent standards.

  1. Audit your cookies - run a cookie scan to identify every cookie and tracking technology on your site, including those set by third-party scripts

  2. Categorise correctly - assign each cookie to strictly necessary, functional, analytics, or marketing categories based on its actual purpose

  3. Display a consent banner before setting non-essential cookies - the banner must appear on the first page load and block non-essential cookies until the user makes a choice

  4. Provide granular controls - users must be able to accept or reject individual cookie categories, not just "accept all" or "reject all"

  5. Make rejection as easy as acceptance - the reject option must be equally prominent and require the same number of clicks

  6. Store proof of consent - record when, how, and what each user consented to, in case the IDPC requests evidence

  7. Allow withdrawal - users must be able to change or withdraw their consent at any time, and the mechanism should be clearly accessible

  8. Maintain a cookie policy - list every cookie by name, purpose, provider, type, and expiry duration

  9. Implement Google Consent Mode - if you use Google services, configure Consent Mode v2 to respect user choices and maintain measurement capabilities
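
Steps 1 to 3 of the checklist can be checked mechanically. The following is an added example, not code from the IDPC or from any consent tool: it classifies cookie writes recorded on the first page load, before the banner is answered, using the category table above, and reports every one that is not strictly necessary. The hosts shop.example and tracker.example, the ab_bucket cookie and the `_ga_<id>` pattern are assumptions made for illustration, and names outside the table are reported as "unknown" rather than assumed exempt.

```javascript
// Added example: audit cookies written on first page load, before any consent choice.
// Category rules follow the article's table; names outside it are reported as "unknown".
const RULES = [
  { category: 'strictly_necessary', pattern: /^(PHPSESSID|csrf_token)$/ },
  { category: 'functional', pattern: /^pll_language$/ },
  { category: 'analytics', pattern: /^(_ga|_ga_.+|_gid|_gat)$/ },
  { category: 'marketing', pattern: /^(_fbp|_gcl_au|IDE)$/ },
];

// Parse one cookie write (Set-Cookie header or document.cookie string, same syntax).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, persistent: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'domain') cookie.domain = value.trim().replace(/^\./, '').toLowerCase();
    if (k === 'max-age' || k === 'expires') cookie.persistent = true;
  }
  return cookie;
}

// Return every cookie that was written pre-consent but is not strictly necessary.
function auditPreConsent(writes, siteDomain) {
  const findings = [];
  for (const { host, setCookie } of writes) {
    const cookie = parseSetCookie(setCookie);
    const rule = RULES.find((r) => r.pattern.test(cookie.name));
    const category = rule ? rule.category : 'unknown';
    if (category === 'strictly_necessary') continue;
    // Without a Domain attribute the cookie is scoped to the host that wrote it.
    const scope = cookie.domain || host;
    const thirdParty = scope !== siteDomain && !scope.endsWith('.' + siteDomain);
    findings.push({ name: cookie.name, category, thirdParty, persistent: cookie.persistent });
  }
  return findings;
}

// Constructed sample: cookie writes recorded before the banner was answered.
const SAMPLE = [
  { host: 'www.shop.example', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly; Secure' },
  { host: 'www.shop.example', setCookie: '_ga=GA1.1.111.222; Domain=.shop.example; Max-Age=63072000; Path=/' },
  { host: 'www.shop.example', setCookie: 'pll_language=en; Max-Age=31536000; Path=/' },
  { host: 'ads.tracker.example', setCookie: 'IDE=constructed; Domain=.tracker.example; Max-Age=34128000; Secure; SameSite=None' },
  { host: 'www.shop.example', setCookie: 'ab_bucket=7; Path=/' },
];
console.table(auditPreConsent(SAMPLE, 'shop.example'));
```

An empty result on a fresh visit is the target state for step 3; each row otherwise names a cookie to move behind the consent choice or to justify as strictly necessary.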

Malta Compared to Other EU Member States

Malta's cookie rules closely follow the EU baseline, without significant national additions like those found in Spain's AEPD cookie guide or Belgium's APD guidelines. The core obligation remains the same: prior, informed, opt-in consent for all non-essential cookies.

As a small EU member state, Malta shares characteristics with Cyprus and Luxembourg in terms of enforcement scale. The IDPC's fining powers under SL 586.01 are capped at lower amounts than GDPR maximums, which differs from countries where ePrivacy fines mirror GDPR levels. That said, the GDPR itself applies in parallel, so serious cookie violations could still attract significant penalties.

Website owners serving visitors across multiple EU countries should treat Malta's requirements as part of a unified compliance approach rather than a separate project. A properly configured cookie consent banner that meets GDPR standards will satisfy Maltese requirements as well.

Frequently Asked Questions

Does Malta require cookie consent for analytics cookies?

Yes. Under SL 586.01, analytics cookies such as _ga and _gid are not strictly necessary and require prior opt-in consent before being placed on a user's device.

What is the IDPC and what does it enforce?

The Information and Data Protection Commissioner (IDPC) is Malta's supervisory authority for data protection. It enforces the GDPR, the Data Protection Act, and SL 586.01, which covers cookie consent and electronic communications privacy.

Can I use implied consent for cookies in Malta?

No. The IDPC's guidance note requires affirmative action for valid consent. Continued browsing, scrolling, or pre-ticked checkboxes do not constitute valid consent under Maltese law.

How much can the IDPC fine for cookie violations?

Under SL 586.01, fines can reach EUR 23,293.73 per violation plus EUR 2,329.37 per day the infringement continues. Under the GDPR, fines can reach EUR 20 million or 4% of global annual turnover.

Do I need a cookie banner if my website only uses strictly necessary cookies?

Strictly necessary cookies are exempt from the consent requirement. If your site genuinely uses only session cookies and essential functionality cookies, a consent banner is not required, though a cookie policy explaining their use is still recommended.

Is Malta's cookie law different from the GDPR?

SL 586.01 and the GDPR are separate but complementary. SL 586.01 specifically regulates the placing of cookies on devices, while the GDPR governs the processing of personal data collected through those cookies. Both apply simultaneously in most cases.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Maltese and EU law.
