How Federal Law 152-FZ Applies to Cookies

Russia's primary data protection statute is Federal Law No. 152-FZ on Personal Data, originally adopted in 2006 and amended repeatedly since. The law regulates the collection, storage, use, and transfer of personal data by any operator - a term that includes website owners.

152-FZ does not explicitly reference cookies, HTTP headers, or browser storage. Roskomnadzor, the federal regulator, has however confirmed through guidance and enforcement practice that cookies fall within the definition of personal data when they can identify a user, either alone or in combination with other information. Identifiers such as _ga, _fbp, or a session token like PHPSESSID tied to a logged-in account all qualify.

This interpretation means that the consent, transparency, and data localisation rules in 152-FZ apply to your website if it processes cookies belonging to Russian citizens - regardless of where your servers are physically located.

Roskomnadzor: The Regulator You Need to Know

Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) is Russia's data protection authority. It oversees compliance with 152-FZ, maintains the public register of data operators, investigates complaints, and issues fines.

The agency has broad powers. It can conduct scheduled and unscheduled inspections, order data processing to stop, demand the deletion of unlawfully collected data, and block websites that refuse to comply. Since 2024, Roskomnadzor has also gained authority under new amendments to impose substantially higher administrative fines for data breaches and non-compliance.

Unlike regulators in many EU ePrivacy-style regimes, Roskomnadzor does not publish detailed cookie-specific guidance documents. Compliance expectations are drawn from the text of 152-FZ itself, from the regulator's public statements, and from enforcement patterns.

Consent Requirements for Cookies Under 152-FZ

Article 9 of 152-FZ states that personal data may only be processed with the data subject's consent, unless a specific legal exemption applies. For cookies, this translates into a requirement for prior opt-in consent before setting any non-essential cookie that identifies or could identify a user.

Consent must be:

  • Informed - the user must know what data is collected, for what purpose, who processes it, and for how long

  • Specific - consent for different processing purposes must be collected separately

  • Provable - you must be able to demonstrate that consent was obtained

  • Revocable - the user must be able to withdraw consent at any time

A critical amendment that took effect on 1 September 2025 prohibits bundling consent language into user agreements or terms of service. Consent for data processing must be presented as a standalone action - a separate checkbox or a dedicated cookie banner interaction. Burying consent inside a wall of legal text no longer satisfies the law.

Strictly necessary cookies - those required for the basic functioning of the website, such as session cookies or load-balancer cookies - are generally exempt from the consent requirement, as they fall under the contractual necessity exemption in 152-FZ.

Data Localisation: The Server Location Rule

Article 18(5) of 152-FZ requires that the initial collection and storage of personal data belonging to Russian citizens take place on servers located within Russian territory. This has been a legal requirement since 2015, but amendments under Federal Law No. 23-FZ, effective 1 July 2025, tightened it considerably.

The updated wording establishes a mandatory prohibition against using databases outside Russia for the recording, systematisation, storage, and retrieval of Russian citizens' personal data. The obligation now extends to data processors acting on behalf of the operator, not just the operator itself.

For cookie-related data, this means that if your analytics or advertising cookies send identifiable information about Russian users to servers outside Russia, you may be in breach. The practical effect is significant for websites using tools such as Google Analytics or Meta Pixel, where data is typically routed to servers in the United States or the EU.

Fines and Penalties: What Has Changed

Russian data protection fines were historically modest. That changed sharply in late 2024 with the adoption of Federal Law No. 420-FZ (30 November 2024), which came into force on 30 May 2025.

The new fine structure depends on the scale of the breach:

| Number of affected individuals | Fine for organisations (RUB) | Fine for officials (RUB) |
|---|---|---|
| 1,000 - 10,000 | 3 - 5 million | 200,000 - 400,000 |
| 10,000 - 100,000 | 5 - 10 million | 300,000 - 500,000 |
| Over 100,000 | 10 - 15 million | 400,000 - 600,000 |
| Repeat violations | Up to 3% of annual turnover (max 500 million RUB) | Up to 600,000 |

Separate fines apply for failing to notify Roskomnadzor of a data breach: up to 800,000 RUB for officials and 3 million RUB for organisations.

Federal Law No. 421-FZ, also adopted on 30 November 2024, introduced criminal liability for the illegal collection, use, or transfer of personal data. Penalties include imprisonment for up to four years, with harsher sentences where the data involves minors or biometric identifiers.

The limitation period for administrative data protection violations has been extended from three months to one year.

How 152-FZ Compares to the GDPR

If you already comply with the GDPR, some elements of 152-FZ will feel familiar - but there are significant differences.

| Aspect | GDPR (EU) | 152-FZ (Russia) |
|---|---|---|
| Legal bases for processing | Six legal bases (consent, contract, legal obligation, vital interests, public interest, legitimate interest) | Similar bases exist, but legitimate interest is narrower in scope |
| Cookie-specific rules | ePrivacy Directive provides cookie-specific regulation | No cookie-specific statute; cookies governed by general personal data rules |
| Data localisation | No mandatory localisation within the EU | Mandatory storage on Russian servers |
| Consent bundling | Consent must be separate from terms (Article 7(2) GDPR) | Since September 2025, consent must be a standalone document or interaction |
| Maximum fines | Up to 4% of global annual turnover or 20 million EUR | Up to 3% of annual turnover or 500 million RUB for repeat breaches |
| DPA enforcement style | Varies by member state; detailed guidance published | Roskomnadzor issues limited public guidance; enforcement driven by inspections |

The data localisation requirement is the most significant divergence. Under GDPR cookie consent rules, data can move freely within the EEA and to adequate third countries. Under 152-FZ, the initial collection and storage must happen on Russian soil.

Practical Compliance Checklist

If your website receives traffic from Russian users, these steps reduce your legal exposure under 152-FZ.

Audit Your Cookies

Run a cookie audit to identify every cookie your site sets. Categorise them as strictly necessary, functional, analytics, or advertising. Cookies that generate or store user identifiers - _ga, _gid, _fbp, fr - are personal data under Russian law.

Implement a Cookie Banner with Opt-in Consent

Display a consent mechanism before setting non-essential cookies. The banner must explain which cookie categories are used and allow granular choices. Pre-ticked boxes or implied consent through continued browsing do not satisfy 152-FZ.

Keep Consent Separate

Do not bundle cookie consent into your general terms of service or user agreement. Since September 2025, this is explicitly prohibited. Use a standalone banner or form.

Address Data Localisation

If cookies transmit identifiable data to servers outside Russia, assess whether you can route that data through Russian-hosted infrastructure first. For analytics cookies, consider server-side tagging or privacy-focused analytics tools that support regional data storage.

Publish a Privacy Policy in Russian

Your privacy policy must disclose the categories of personal data collected, the purposes of processing, the legal basis, data retention periods, and how users can exercise their rights. If you target Russian users, provide a Russian-language version.

Register with Roskomnadzor

Data operators processing personal data of Russian citizens are required to submit a notification to Roskomnadzor before commencing processing. This is done through the regulator's online portal.

Maintain Consent Records

Keep auditable records of when and how each user gave consent. 152-FZ places the burden of proof on the operator.
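
The audit and opt-in steps in this checklist can be checked mechanically. The following is an added example, not part of the original article or of any vendor's tool: it classifies captured cookies and reports any that were set without a matching per-category opt-in. The category map, the consent record shape (`granted`, `recordedAt`) and the sample values are assumptions constructed for illustration.

```javascript
// CATEGORY_RULES is an assumption built from the cookie names in this article.
const CATEGORY_RULES = [
  { test: /^PHPSESSID$/, category: "strictly_necessary" },
  { test: /^_ga(_.+)?$/, category: "analytics" }, // _ga and GA4 _ga_<container>
  { test: /^_gid$/, category: "analytics" },
  { test: /^_fbp$/, category: "advertising" },
  { test: /^fr$/, category: "advertising" },
];

// Name from a "name=value; attr..." string (Set-Cookie value or document.cookie write).
function cookieName(cookieString) {
  const pair = cookieString.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

function classify(name) {
  const rule = CATEGORY_RULES.find((r) => r.test.test(name));
  return rule ? rule.category : "unclassified";
}

// Return every cookie set without a matching opt-in.
// consent.granted[category] is true only after an explicit user action.
function auditCookies(cookieStrings, consent) {
  const findings = [];
  for (const raw of cookieStrings) {
    const name = cookieName(raw);
    if (!name) continue; // malformed entry with no name
    const category = classify(name);
    if (category === "strictly_necessary") continue;
    if (category === "unclassified") {
      findings.push({ name, category, reason: "not in audit inventory" });
    } else if (!(consent && consent.granted && consent.granted[category] === true)) {
      findings.push({ name, category, reason: "set without opt-in" });
    }
  }
  return findings;
}

// Constructed sample: cookies observed on first page load, before any banner click.
const SAMPLE_COOKIES = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.1700000000000.333; Path=/",
  "theme=dark; Path=/",
];
const NO_CONSENT = { granted: {}, recordedAt: null };
const ANALYTICS_ONLY = { granted: { analytics: true }, recordedAt: "2025-09-01T10:00:00Z" };
console.log(auditCookies(SAMPLE_COOKIES, NO_CONSENT));
```

Cookies the map does not recognise are reported rather than silently allowed, so a newly added tracker shows up in the next audit run.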

Frequently Asked Questions

Does Russia require cookie consent on websites?

Yes. Roskomnadzor treats cookies that can identify users as personal data under Federal Law 152-FZ. You need opt-in consent before setting non-essential cookies such as analytics or advertising trackers.

What is Roskomnadzor and what does it do?

Roskomnadzor is Russia's federal data protection authority. It enforces 152-FZ, maintains the register of data operators, investigates complaints, conducts inspections, and can block non-compliant websites.

Do I need to store cookie data on servers in Russia?

If cookies collect personal data from Russian citizens, the initial recording and storage must take place on servers within Russian territory. This data localisation rule was tightened in July 2025 under Federal Law 23-FZ.

How much are the fines for data protection violations in Russia?

Since May 2025, organisations face fines of 3 to 15 million RUB depending on the number of affected individuals. Repeat violations can result in penalties of up to 3% of annual turnover, capped at 500 million RUB.

Can I bundle cookie consent with my terms of service?

No. Since 1 September 2025, Russian law requires that consent to personal data processing be obtained as a standalone action, separate from any other agreements or documents.

Does 152-FZ apply to websites outside Russia?

152-FZ applies to any operator processing personal data of Russian citizens, regardless of where the operator is based. If your site collects cookie data from users in Russia, the law applies to you.

Take Control of Your Cookie Compliance

If your website attracts visitors from Russia, meeting 152-FZ requirements starts with knowing which cookies you set. Kukie.io detects and categorises cookies automatically, making it straightforward to present a compliant consent banner with the granular controls Russian law demands.
