Portugal's Cookie Consent Framework: Two Laws, One Authority
Portugal regulates cookies through two primary pieces of legislation. The ePrivacy Directive was transposed into Portuguese law as Law 41/2004, later amended by Law 46/2012. The GDPR was implemented through Law 58/2019, which entered into force on 8 August 2019 and replaced the earlier Law 67/1998.
The CNPD (Comissao Nacional de Protecao de Dados) is Portugal's data protection authority, responsible for enforcing both laws. Unlike some of its European counterparts such as France's CNIL or Spain's AEPD, the CNPD has not published detailed cookie-specific guidance. This means Portuguese websites must rely directly on the text of Law 41/2004 and the GDPR itself.
The absence of granular guidance does not reduce the obligation. The legal requirements are clear, and the CNPD retains full enforcement powers.
What Law 41/2004 Says About Cookies
Article 5(1) of Law 41/2004 (as amended by Law 46/2012) requires informed consent before any information is stored on, or accessed from, a user's terminal device. This covers cookies, local storage, pixels, and similar tracking technologies.
Article 5(2) provides two narrow exemptions where consent is not needed:
The cookie's sole purpose is carrying out the transmission of a communication over an electronic communications network.
The cookie is strictly necessary for the provider of an information society service to deliver a service explicitly requested by the user.
These exemptions mirror Article 5(3) of the ePrivacy Directive almost word for word. In practice, session cookies like PHPSESSID, authentication tokens, and shopping cart cookies fall within the exemption. Analytics cookies such as _ga, marketing cookies like _fbp, and any third-party tracking cookies require prior consent.
Consent Standards Under Portuguese Law
Because Law 58/2019 implements the GDPR, the definition of valid consent in Portugal follows Article 7 of the GDPR and the conditions set out in Article 4(11). Consent must be freely given, specific, informed, and unambiguous, demonstrated through a clear affirmative action.
Pre-ticked checkboxes do not qualify. Continued browsing does not qualify. Cookie walls that force an all-or-nothing choice are likely invalid under the EDPB's guidelines on consent.
Your cookie banner must present a genuine choice, with both accept and reject options equally accessible. The CNPD has not issued specific rules on banner design, but the GDPR's general consent requirements and the EDPB's guidance on dark patterns apply across all EU member states, Portugal included.
Age of Consent for Children
Law 58/2019 sets the age of digital consent at 13 years old for information society services. If your website targets minors below that age in Portugal, you need verifiable parental consent before setting non-essential cookies.
How Portuguese Cookie Rules Compare to Other EU Countries
The core consent requirement is consistent across the EU, but enforcement intensity and local guidance vary significantly. Here is how Portugal compares with its neighbours:
| Country | DPA | Cookie-Specific Guidance | Notable Enforcement |
|---|---|---|---|
| Portugal | CNPD | No dedicated cookie guidelines | Limited cookie-specific fines |
| Spain | AEPD | Detailed cookie guide published | Multiple cookie-related fines |
| France | CNIL | Comprehensive cookie guidelines | Record cookie fines (e.g. Google, Meta) |
| Germany | DSK/State DPAs | TTDSG provides explicit rules | Active enforcement via state authorities |
| Italy | Garante | Detailed 2021 cookie guidelines | Fines for non-compliant banners |
| Netherlands | AP | Clear cookie rules published | Fines for tracking without consent |
Portugal sits in the group of EU countries that rely on the general GDPR and ePrivacy framework without issuing supplementary national cookie guidance. This can create uncertainty, but it does not lower the compliance bar.
CNPD Enforcement: Fines and Priorities
The CNPD has been increasingly active in GDPR enforcement. In 2023, the authority issued 90 fines totalling approximately EUR 560,000. The most significant Portuguese GDPR fine to date was EUR 4.3 million, levied against the National Statistics Institute (INE) in 2022 for multiple GDPR violations related to census data processing.
Other notable actions include a EUR 400,000 fine against a hospital for data access control failures and a EUR 1.25 million fine against the Municipality of Lisbon.
Cookie-specific enforcement has been limited so far. The CNPD has not pursued a high-profile cookie consent case comparable to the CNIL's actions in France. However, the authority's 2025 activity plan signals a commitment to streamlining sanctioning procedures, which may lead to broader enforcement across all areas, including cookies.
Since 2022, the CNPD no longer publishes individual enforcement decisions, making it difficult to track case-by-case trends.
Penalty Ranges
Fines under Law 41/2004 for breaches of cookie consent rules range from EUR 5,000 to EUR 5 million for legal persons. Under the GDPR (via Law 58/2019), administrative fines can reach EUR 20 million or 4% of global annual turnover, with minimum thresholds of EUR 5,000 for very serious offences and EUR 2,500 for serious offences involving large companies.
Cookie Compliance Checklist for Portuguese Websites
Use this checklist to verify your website meets Portuguese cookie consent requirements:
Audit your cookies - Identify every cookie your site sets, including those from third-party scripts like
_ga,_fbp, and_gid.Classify by purpose - Separate strictly necessary cookies from analytics, marketing, and functional categories.
Block non-essential cookies before consent - No analytics or marketing cookies should fire until the user gives affirmative consent.
Present a compliant banner - Include clear accept and reject buttons. Do not use dark patterns such as hiding the reject option or using confusing colour schemes.
Provide granular choices - Allow users to accept or reject cookies by category.
Publish a cookie policy - List each cookie by name, purpose, provider, and duration in your cookie policy.
Record consent - Store proof of when and how consent was given, in case of a CNPD audit.
Allow withdrawal - Make it as easy to withdraw consent as it was to give it.
Review regularly - Run scheduled cookie scans to catch new cookies added by script updates or third-party changes.
Portuguese Language and Localisation Requirements
Portuguese law does not explicitly mandate that cookie banners be presented in Portuguese, but GDPR recital 42 states that consent must be informed. If your visitors are primarily Portuguese-speaking, presenting a banner in English alone may not meet the "informed" standard.
Best practice is to serve the banner in Portuguese for visitors located in Portugal. If your site targets both Portugal and Brazil, note that Brazil's LGPD has its own consent framework, and you should adapt both language and legal references accordingly. A multilingual cookie consent setup handles this automatically based on geo-detection.
Frequently Asked Questions
Does Portugal have specific cookie guidelines from the CNPD?
No. The CNPD has not published dedicated cookie consent guidelines. Portuguese websites must comply with Law 41/2004 (ePrivacy transposition) and the GDPR as implemented by Law 58/2019. EDPB opinions and guidance apply as supplementary reference.
Are analytics cookies exempt from consent in Portugal?
No. Analytics cookies like _ga and _gid are not strictly necessary for delivering a service requested by the user. They require prior informed consent under Article 5 of Law 41/2004.
What fines can the CNPD impose for cookie violations?
Under Law 41/2004, fines for legal persons range from EUR 5,000 to EUR 5 million. Under the GDPR via Law 58/2019, fines can reach EUR 20 million or 4% of annual worldwide turnover, whichever is higher.
Do I need a cookie banner in Portuguese?
There is no explicit legal requirement for Portuguese language, but GDPR consent must be informed. If your audience is primarily in Portugal, serving the banner in Portuguese is strongly recommended to meet the informed consent standard.
What is the age of digital consent in Portugal?
Law 58/2019 sets the age of digital consent at 13 years old. Below that age, parental consent is required for information society services.
Can I use a cookie wall on a Portuguese website?
Cookie walls that block access unless all cookies are accepted are likely non-compliant. The EDPB has stated that consent must be freely given, which means users should be able to access the service without being forced to accept non-essential cookies.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
