How Slovenia Regulates Cookies
Slovenia sits at the crossroads of Central and Southern Europe, and its cookie rules reflect the dual-layer approach common across the EU. Two pieces of legislation govern how your website may store and read cookies on a visitor's device: the Electronic Communications Act (ZEKom-2) and the General Data Protection Regulation (GDPR).
ZEKom-2 is Slovenia's transposition of the ePrivacy Directive. It came into force in 2022, replacing the earlier ZEKom-1, and sets out the rules on when cookies may be placed. The GDPR, which has applied directly since 2018, governs what happens with any personal data those cookies collect. Together, they create a consent-first regime: no non-essential cookie may be set until the visitor has given active, informed consent.
The national authority responsible for enforcing both laws is the Informacijski pooblascenec (Information Commissioner), commonly abbreviated to IP-RS, based in Ljubljana.
ZEKom-2 Article 225: The Cookie Rule
Article 225 of ZEKom-2 transposes Article 5(3) of the ePrivacy Directive into Slovenian law. It states that storing information or gaining access to information already stored on a user's terminal equipment is permitted only if two conditions are met: the user has been given clear and comprehensive information about the purpose of the processing, and the user has given consent.
Two narrow exceptions apply. Cookies used solely to carry out a transmission over an electronic communications network do not require consent. Cookies that are strictly necessary to deliver a service the user has explicitly requested are also exempt.
This means session cookies such as PHPSESSID and shopping cart tokens typically fall outside the consent requirement, while analytics cookies like _ga and advertising trackers like _fbp always require prior opt-in.
What Counts as Valid Consent Under IP-RS Guidelines
The IP-RS has published guidelines on cookie usage that align closely with the GDPR Article 7 consent standard. The key requirements are:
Active and explicit - pre-ticked checkboxes do not constitute valid consent. The visitor must take a deliberate action to opt in.
Informed - before consent is given, the visitor must receive information about the data controller's identity and the purpose of each cookie category, in line with Article 13 of the GDPR.
Freely given - access to the website must not be conditional on accepting non-essential cookies. Cookie walls that block content until a visitor consents are not permitted.
Withdrawable - visitors must be able to withdraw their consent at any time, and doing so must be as straightforward as giving it.
Granular - visitors should be able to accept or refuse cookies by category rather than being forced into an all-or-nothing choice.
Your cookie banner must present a genuine "Accept" and "Reject" option on the first layer. Burying the reject option behind a secondary settings panel does not satisfy the requirement that consent be freely given.
Cookie Categories Under Slovenian Law
The IP-RS follows the standard EU classification of cookies. Your cookie policy should categorise each cookie your site sets into one of the groups below.
| Category | Consent Required | Examples |
|---|---|---|
| Strictly necessary | No | PHPSESSID, csrf_token, load balancer cookies |
| Functional / preferences | Yes | pll_language, theme preferences, region selectors |
| Analytics / statistics | Yes | _ga, _gid, _hjSessionUser |
| Marketing / advertising | Yes | _fbp, _gcl_au, IDE |
Only strictly necessary cookies may be set without consent. If you are unsure which cookies your site drops, running a cookie scan is the fastest way to build an accurate inventory.
ZVOP-2 and the GDPR Layer
Slovenia was the last EU member state to adopt national GDPR-implementing legislation. The Personal Data Protection Act (ZVOP-2) entered into force in January 2023, replacing the earlier ZVOP-1. The delayed adoption meant that for several years, the IP-RS had limited ability to impose GDPR-level fines.
ZVOP-2 now grants the IP-RS full sanctioning powers. Fines under the national act reach up to EUR 40,000 for administrative offences. For GDPR infringements, the standard EU ceiling applies: up to EUR 20 million or 4% of global annual turnover, whichever is higher.
The IP-RS has signalled increased enforcement activity since ZVOP-2 took effect. In 2024, it issued fines in several data protection cases, including a EUR 6,255 penalty against a legal entity and a EUR 300 fine against the responsible individual in one decision. While cookie-specific enforcement actions remain relatively rare compared to authorities like the CNIL in France, the risk of investigation is growing as the IP-RS builds capacity under ZVOP-2.
How Slovenia Compares to Neighbouring Countries
If your website targets visitors across Central Europe, understanding regional differences matters. The table below compares Slovenia's approach with its neighbours.
| Country | ePrivacy Transposition | DPA | Cookie Wall Stance | Enforcement Level |
|---|---|---|---|---|
| Slovenia | ZEKom-2 (Art. 225) | IP-RS | Not permitted | Growing |
| Austria | TKG 2021 | DSB | Not permitted | Moderate |
| Croatia | ECA (ZEK) | AZOP | Not permitted | Low |
| Hungary | Act C of 2003 | NAIH | Not permitted | Moderate |
| Italy | D.Lgs. 196/2003 | Garante | Permitted with conditions | High |
Slovenia's framework is broadly aligned with Austria and Croatia, which is helpful if you operate across the region. The consent standard is effectively the same; the main differences lie in enforcement intensity and local procedural rules.
Compliance Checklist for Slovenian Cookie Consent
Use this checklist to verify your site meets IP-RS and GDPR requirements for Slovenian visitors.
Audit your cookies - identify every cookie and tracker your site sets, including those from third-party scripts. A cookie scanning tool automates this step.
Categorise correctly - assign each cookie to the right category (strictly necessary, functional, analytics, or marketing).
Block before consent - non-essential cookies must not fire until the visitor opts in. Implement script blocking or use Google Consent Mode v2 for Google tags.
Present equal choices - your banner must show Accept and Reject buttons with equal visual weight on the first layer.
Provide granular controls - allow visitors to choose consent by category.
Enable easy withdrawal - include a persistent link or icon that lets visitors change their preferences at any time.
Display in Slovenian - if your audience is primarily Slovenian, the banner and privacy information should be available in Slovenian. Multilingual consent management handles this automatically.
Keep consent records - store proof of each visitor's consent decision, including timestamp, categories accepted, and the banner version shown.
Review regularly - re-scan your site after adding new tools or scripts to catch any new cookies.
Frequently Asked Questions
Does Slovenia require cookie consent for analytics cookies?
Yes. Under ZEKom-2 Article 225, analytics cookies such as _ga require prior active consent because they are not strictly necessary to deliver a service the visitor requested.
What is the IP-RS and what does it enforce?
The IP-RS (Informacijski pooblascenec) is Slovenia's national data protection authority. It enforces both the GDPR and ZEKom-2, including rules on cookie consent and electronic communications privacy.
Can I use a cookie wall on a Slovenian website?
No. The IP-RS guidelines require that consent be freely given, which means access to your website cannot be conditional on accepting non-essential cookies.
What fines can the IP-RS impose for cookie violations?
Under ZVOP-2, administrative fines reach up to EUR 40,000. For GDPR-related infringements, the IP-RS can impose fines of up to EUR 20 million or 4% of global annual turnover.
Is ZEKom-2 the same as the ePrivacy Directive?
ZEKom-2 is Slovenia's national transposition of the EU ePrivacy Directive. It applies the directive's requirements - including Article 5(3) on cookies - within Slovenian law, with some local procedural differences.
Do I need a cookie banner in Slovenian language?
If your site primarily targets Slovenian visitors, providing the cookie banner and privacy information in Slovenian is expected. For international sites, offering both Slovenian and English is recommended.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
