The Legal Framework: RODO and the Electronic Communications Law
Poland applies two overlapping laws to cookies and tracking technologies. The first is the GDPR, transposed into Polish law as RODO (Rozporządzenie o Ochronie Danych Osobowych), which governs any processing of personal data collected through cookies. The second is the ePrivacy Directive transposition - until recently the 2004 Telecommunications Law (Prawo telekomunikacyjne), and since 10 November 2024, the new Electronic Communications Law (Prawo komunikacji elektronicznej, or ECL).
The ECL replaced the old Telecommunications Law and broadened its scope to cover email providers, instant messaging services, and online meeting tools alongside traditional telecoms.
For website owners, the practical effect is straightforward: you need a legal basis under both laws before setting non-essential cookies on a visitor's device. RODO covers the data processing side, while the ECL covers the act of storing information on (or reading it from) terminal equipment.
What Article 399 of the ECL Requires
Article 399 of the new Electronic Communications Law sets out three conditions for placing cookies or similar technologies on a user's device:
The user must be informed in advance, in clear and understandable language, about the purpose of storing and accessing the information and about their ability to control cookie settings.
The user must give consent after receiving that information.
The stored information must not cause configuration changes to the user's device.
Under the old Telecommunications Law, some organisations argued that browser settings alone could constitute valid consent. The UODO (Urząd Ochrony Danych Osobowych - Poland's data protection authority) rejected this interpretation, and the ECL now makes the opt-in requirement explicit. Consent must be active, informed, and freely given - matching the standard set by the CJEU's Planet49 ruling.
Who Enforces Cookie Rules in Poland?
Two authorities share responsibility. The UODO enforces RODO and handles complaints about personal data processing, including data collected via cookies like _ga, _fbp, or _gid. The President of the Office of Electronic Communications (UKE) enforces the ECL provisions on storing and accessing information on terminal equipment.
Penalties differ between the two regimes. RODO violations can attract fines of up to 20 million EUR or 4% of global annual turnover. ECL violations carry fines of up to 3% of the prior calendar year's revenue, imposed by UKE.
In practice, a single cookie banner violation could trigger scrutiny from both regulators.
UODO Enforcement: Recent Actions
The UODO has become increasingly active. In March 2025, it imposed its largest fine to date - 27 million PLN (roughly 6.3 million EUR) - on Poczta Polska for processing personal data without a valid legal basis during the 2020 postal election controversy. While not a cookie case, it signals the authority's willingness to impose significant penalties.
In September 2024, mBank received a fine of over 4 million PLN (approximately 970,000 EUR) for failing to notify data subjects about a personal data breach. The UODO has also penalised organisations for insufficient technical and organisational security measures - a finding that can easily apply to websites leaking personal data through misconfigured third-party cookies.
For 2025, the UODO announced enforcement priorities including children's data, health data security, and breach documentation under Article 33(5) of the GDPR.
Cookie Categories and Consent Requirements
Polish law follows the same category-based approach seen across the EU. The table below summarises the consent position for each cookie type:
| Cookie Category | Examples | Consent Required? |
|---|---|---|
| Strictly necessary | PHPSESSID, csrf_token, load balancer cookies | No - exempt under Article 399 |
| Functional / Preferences | pll_language, theme settings | Yes - opt-in required |
| Analytics / Performance | _ga, _gid, _gat | Yes - opt-in required |
| Marketing / Advertising | _fbp, _gcl_au, IDE | Yes - opt-in required |
Users must be able to consent to each cookie category separately. Bundling all non-essential cookies into a single "accept all" option without granular controls does not meet the standard.
Valid Consent Under Polish Law: Six Tests
Drawing from both RODO and the ECL, valid cookie consent in Poland must pass these tests:
Prior - no cookies set before consent is given
Informed - clear explanation of purposes and cookie types
Freely given - no cookie wall blocking access to content
Specific - separate consent for each purpose or category
Unambiguous - an affirmative action (click, toggle) rather than pre-ticked boxes or continued browsing
Withdrawable - as easy to withdraw as to give
The UODO has specifically stated that withdrawal of consent must not be impeded. If your "reject" button requires three extra clicks compared to "accept", that design is unlikely to survive scrutiny.
How Poland Compares to Neighbouring EU Countries
Poland's cookie rules broadly align with the EU standard, but enforcement intensity and specific interpretations vary across the region.
| Country | DPA | ePrivacy Transposition | Notable Feature |
|---|---|---|---|
| Poland | UODO | Electronic Communications Law (2024) | Dual enforcement by UODO and UKE |
| Germany | BfDI / State DPAs | TTDSG (2021) | Decentralised enforcement across 16 states |
| Czech Republic | UOOU | Electronic Communications Act | Lighter enforcement historically |
| Austria | DSB | TKG 2021 | Active cookie enforcement since noyb complaints |
The key difference in Poland is the updated ECL from November 2024, which modernised cookie provisions that had remained largely unchanged since 2004. Organisations already compliant with CNIL guidelines in France or German TTDSG rules will find Poland's requirements familiar.
Compliance Checklist for Polish Websites
Before Launch
Run a cookie scan to identify every cookie and tracker on your site
Classify each cookie into the correct category (strictly necessary, functional, analytics, marketing)
Draft a cookie policy in Polish, written in plain language
Ensure no non-essential cookies fire before consent is collected
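The classification and "nothing fires before consent" steps above can be checked mechanically. The following is an added example, not code from the original page: it parses Set-Cookie headers captured from a first, pre-consent response and reports every cookie that is not strictly necessary. The category map mirrors the cookie table earlier on this page; the sample headers, the function names and the "unclassified" fallback are assumptions of this example.

```javascript
// Category map built from the cookie table on this page (exact-name matches;
// extend it with the results of your own cookie scan).
const CATEGORY_BY_NAME = new Map([
  ["PHPSESSID", "strictly-necessary"],
  ["csrf_token", "strictly-necessary"],
  ["pll_language", "functional"],
  ["_ga", "analytics"],
  ["_gid", "analytics"],
  ["_gat", "analytics"],
  ["_fbp", "marketing"],
  ["_gcl_au", "marketing"],
  ["IDE", "marketing"],
]);

// Extract the cookie name from one Set-Cookie header value
// ("name=value; Attr1; Attr2=..."); attributes are ignored.
function cookieName(setCookieValue) {
  const pair = setCookieValue.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Return every cookie set before consent that is not strictly necessary.
// Assumption: a cookie missing from the map is reported as "unclassified",
// because it has not yet been shown to be exempt.
function auditPreConsent(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    if (!name) continue; // skip malformed or empty headers
    const category = CATEGORY_BY_NAME.get(name) ?? "unclassified";
    if (category !== "strictly-necessary") {
      findings.push({ name, category });
    }
  }
  return findings;
}

// Constructed sample: headers from a first page load, before any banner click.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "pll_language=pl; Path=/; Max-Age=31536000",
  "ab_bucket=7; Path=/",
];

console.log(auditPreConsent(SAMPLE_HEADERS));
```

Cookies written by client-side scripts through document.cookie never appear in response headers, so pair this header check with a browser-based scan.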
Cookie Banner Configuration
Display the banner on first visit with clear purpose descriptions
Offer granular category-level controls - not just "accept all"
Make "reject all" as prominent as "accept all"
Store consent records with timestamps for audit purposes
Set up geo-detection so Polish visitors receive the correct banner configuration
Ongoing Maintenance
Re-scan periodically - new tags added by marketing teams can introduce undisclosed cookies
Update your cookie policy when categories or purposes change
Integrate Google Consent Mode v2 if you use Google Analytics or Google Ads
Frequently Asked Questions
Does Poland require cookie consent for analytics cookies?
Yes. Under both RODO and the Electronic Communications Law, analytics cookies like _ga require prior opt-in consent. Only strictly necessary cookies are exempt.
Can browser settings count as cookie consent in Poland?
The UODO does not consider browser settings a reliable method of obtaining consent. The ECL requires that users be informed and actively consent through a mechanism provided by the website, such as a cookie banner.
What is the maximum fine for cookie violations in Poland?
Cookie-related fines can reach up to 3% of annual revenue under the Electronic Communications Law (enforced by UKE) or up to 20 million EUR / 4% of global turnover under RODO (enforced by UODO), depending on which law is breached.
Do I need a cookie banner in Polish for Polish visitors?
While no specific legal requirement mandates the Polish language, the ECL requires that information be provided in a "clear, easy and understandable manner." For Polish-speaking visitors, a banner in their language is the most reliable way to meet that standard.
Is UODO the only regulator that can fine for cookie issues?
No. The UODO enforces RODO (data protection), while UKE (the Office of Electronic Communications) enforces the ECL provisions on cookie storage and access. Both can impose separate penalties for the same violation.
Does the new 2024 Electronic Communications Law change cookie rules?
The ECL, effective 10 November 2024, modernised Poland's cookie provisions. It explicitly requires active opt-in consent and extends coverage to new communication services. The core consent standard remains aligned with the ePrivacy Directive and CJEU case law.
Take Control of Your Cookie Compliance
If your website targets visitors in Poland, getting cookie consent right means satisfying both RODO and the new Electronic Communications Law. Start with a free scan to see exactly which cookies your site sets, then configure a compliant banner with granular category controls and proper consent records.