Romania's Cookie Law Framework: GDPR and Law 506/2004
Romania applies two overlapping legal instruments to cookie consent. The GDPR governs the processing of personal data collected through cookies, while Law 506/2004 transposes the ePrivacy Directive (Directive 2002/58/EC) into Romanian law. Together, they create a dual obligation: cookies that store or access information on a user's device require prior consent under Law 506/2004, and any personal data those cookies collect must be processed in line with GDPR principles.
Law 506/2004 specifically addresses the processing of personal data and the protection of private life in the electronic communications sector. Article 4 of the law mirrors Article 5(3) of the ePrivacy Directive, requiring that website operators obtain informed, explicit consent before placing non-essential cookies on a visitor's device.
Strictly necessary cookies - those required for a service the user has explicitly requested - remain exempt from this consent requirement.
Who Enforces Cookie Rules in Romania?
The Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) is Romania's data protection authority. It supervises compliance with both the GDPR and Law 506/2004, investigates complaints, conducts audits, and issues fines.
The ANSPDCP has been one of the more active DPAs in Central and Eastern Europe. Romania ranks among the top EU member states by number of GDPR fines issued, with over 60 sanctions on record. In late 2025 and early 2026, the authority targeted cookie-specific violations, issuing fines between RON 15,000 and RON 30,000 to companies that placed non-essential cookies without obtaining valid consent.
Consent Requirements Under Romanian Law
Valid cookie consent in Romania must satisfy both the GDPR standard (Article 7) and the ePrivacy standard under Law 506/2004. The practical requirements are:
Prior consent - non-essential cookies (such as
_ga,_fbp, or advertising trackers) must not be set before the user actively consents.Informed - the user must receive clear information about what cookies are used, their purpose, and who receives the data.
Freely given - consent cannot be bundled with terms of service or forced through dark patterns. Cookie walls that block access unless the user accepts all cookies are considered non-compliant by the EDPB and by ANSPDCP enforcement practice.
Specific - users should be able to accept or reject cookies by category (e.g. analytics, marketing, functional).
Easy withdrawal - it must be as simple to withdraw consent as it was to give it.
Pre-ticked checkboxes, implied consent through continued browsing, and consent obtained by deceptive banner design all fail to meet these standards.
ANSPDCP Enforcement Actions and Fines
The ANSPDCP can impose fines under two regimes. For GDPR violations, penalties can reach up to 20 million EUR or 4% of global annual turnover. For breaches of Law 506/2004, fines range from RON 5,000 to RON 100,000, or up to 2% of turnover for companies with revenue exceeding RON 5 million.
| Penalty regime | Legal basis | Maximum fine |
|---|---|---|
| GDPR (personal data processing) | Regulation (EU) 2016/679 | 20 million EUR or 4% of global turnover |
| ePrivacy (cookie placement) | Law 506/2004, Art. 4 | RON 100,000 or 2% of turnover |
Recent enforcement has shown the ANSPDCP's willingness to act on cookie-specific complaints. In November 2025, the CJEU issued its judgment in Inteligo Media SA v ANSPDCP (Case C-654/23), providing guidance on electronic marketing consent that reinforces the strict opt-in standard Romania applies.
Beyond cookie-specific actions, the ANSPDCP has fined companies such as Rompetrol (RON 19,893 in November 2024) and Automobilus International (RON 24,885 in March 2025) for data security failures, signalling a broad enforcement posture across all areas of data protection.
How Romania Compares to Neighbouring EU Countries
Romania's approach aligns closely with the general EU model but has some local characteristics worth noting. Unlike Germany, which enacted a dedicated cookie statute (TTDSG) to replace its older Telemediengesetz provisions, Romania still relies on the 2004 transposition without significant updates.
Compared to Hungary and Bulgaria, Romania has issued more total GDPR fines. Poland's UODO has taken a similar enforcement trajectory, though with higher individual fine amounts in some cases.
| Country | DPA | ePrivacy transposition | Cookie enforcement activity |
|---|---|---|---|
| Romania | ANSPDCP | Law 506/2004 | Active - multiple cookie fines in 2025-2026 |
| Bulgaria | CPDP | Electronic Communications Act | Moderate |
| Hungary | NAIH | Act C of 2003 | Moderate |
| Poland | UODO | Telecommunications Law | Active |
The common thread across all four countries is that GDPR Article 7 sets the consent standard, and national ePrivacy laws govern the technical act of storing cookies on a device. If your site serves visitors from multiple EU countries, multilingual consent and geo-detection become practical necessities.
Compliance Checklist for Romanian Visitors
Use this checklist to verify your site meets Romanian cookie consent requirements:
Audit your cookies - run a cookie audit to identify every cookie and tracker your site sets. Classify each as strictly necessary, functional, analytics, or marketing.
Block non-essential cookies before consent - scripts that set cookies like
_ga,_gid,_fbp, orfrmust not fire until the user has given consent for the relevant category.Display a compliant banner - your cookie banner must offer granular category-level choices, with a visible reject option that is equally prominent as the accept button.
Provide clear information - list the specific cookies, their purposes, expiry periods, and whether third parties receive data. Link to a full cookie policy.
Store consent records - keep a log of when and how each user consented. The ANSPDCP can request proof of valid consent during an audit.
Enable easy withdrawal - provide a persistent link or button allowing users to change their preferences at any time.
Respect the choice - if a user rejects analytics or marketing cookies, those cookies must not be set. Verify with a scanner after deployment.
Google Consent Mode and Romanian Compliance
If your site uses Google Analytics 4 or Google Ads, Google Consent Mode v2 provides a mechanism to adjust tag behaviour based on the user's consent status. When a Romanian visitor declines analytics cookies, Consent Mode should block the _ga and _gid cookies and switch to cookieless pings instead.
Consent Mode does not replace your obligation to present a lawful consent banner. It is a technical integration that works alongside your CMP, not a substitute for one.
Frequently Asked Questions
Does Romania have its own cookie law separate from GDPR?
Yes. Law 506/2004 transposes the EU ePrivacy Directive into Romanian law and specifically governs cookie placement and electronic communications privacy. It works alongside the GDPR, which applies to the personal data those cookies collect.
What fines can the ANSPDCP impose for cookie violations?
Under Law 506/2004, fines range from RON 5,000 to RON 100,000, or up to 2% of turnover for larger companies. GDPR-related cookie violations can attract fines up to 20 million EUR or 4% of global annual turnover.
Are cookie walls allowed in Romania?
Cookie walls that block site access unless a visitor accepts all cookies are considered non-compliant. The EDPB has stated that consent obtained this way is not freely given, and ANSPDCP enforcement follows this position.
Do I need a cookie banner if my site only uses strictly necessary cookies?
If your site genuinely sets only strictly necessary cookies required for the service the user requested, consent is not required under Law 506/2004. You should still inform users about these cookies in a cookie policy, but a consent banner is not mandatory.
How do I prove consent to the ANSPDCP during an audit?
Maintain timestamped consent records showing when each visitor consented, what categories they accepted, and the version of the banner they saw. A consent management platform with built-in logging simplifies this.
Can I use implied consent or pre-ticked boxes for Romanian visitors?
No. Romanian law requires explicit, affirmative consent. Pre-ticked boxes, implied consent from scrolling, and banners without a reject option do not meet the legal standard.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
