Ukraine's Data Protection Framework: Where Things Stand

Ukraine's primary data protection statute is the Law on Personal Data Protection No. 2297-VI, enacted on 1 June 2010. The law established basic principles for processing personal data, but it predates the explosion of cookie-based tracking and offers no specific rules on cookies or similar technologies.

The 2010 law was amended in 2012 and 2014 to bring it closer to European standards. Those changes were driven by the EU-Ukraine Association Agreement, which obligated Ukraine to approximate its data protection rules with the highest European and international benchmarks.

Enforcement sits with the Ukrainian Parliament Commissioner for Human Rights (the Ombudsman), who serves as the de facto data protection authority. The Commissioner can receive complaints, conduct inspections, and issue binding orders - but the office has limited resources and enforcement activity has been modest by European standards.

Cookies Under the Current Law

The 2010 law does not mention cookies by name. It treats personal data broadly, and if a cookie stores or accesses personal data on a user's device, the general consent provisions apply.

Under current rules, data controllers may place cookies on a user's device provided the user has given prior consent. That consent can be electronic, as long as the user has the opportunity to read the privacy policy before agreeing. There is no ePrivacy-style distinction between strictly necessary cookies and analytics or marketing trackers - all processing of personal data requires a legal basis.

In practice, many Ukrainian websites either ignore cookie consent entirely or show a basic notice without a genuine opt-in mechanism. The lack of cookie-specific regulation and weak enforcement means compliance varies widely.

Draft Law No. 8153: Ukraine's GDPR Overhaul

The Verkhovna Rada (Ukraine's parliament) adopted Draft Law No. 8153 in first reading on 20 November 2024. The bill is being prepared for a second reading and, once enacted, will replace the 2010 law entirely.

Draft Law No. 8153 draws directly from the GDPR, the ePrivacy Directive (2002/58/EC), and the modernised Convention 108+. It introduces data protection by design and by default, the right to be forgotten, data portability, and mandatory breach notification - concepts absent from the current framework.

For website owners, the most relevant change is the explicit regulation of cookies and similar tracking technologies. The bill permits cookies if one of four conditions is met:

  • The individual has given explicit consent

  • The processing is necessary for the operation of the website or application

  • The processing is strictly necessary to deliver a service the individual requested

  • The processing is needed to ensure data security, prevent fraud, or protect against unauthorised interference

This mirrors the exemptions found in Article 5(3) of the ePrivacy Directive, which means strictly necessary cookies like PHPSESSID or pll_language would not require consent, while analytics cookies like _ga and advertising trackers like _fbp would.

Fines: Current and Future

Under the 2010 law, penalties are remarkably low. Failing to notify the Commissioner about data processing can result in a fine of around USD 230, rising to approximately USD 1,150 for repeat offences within a year. Ignoring a lawful request from the Commissioner carries a fine of up to USD 580.

Draft Law No. 8153 changes this dramatically.

| Violation type | Current law | Draft Law No. 8153 |
|---|---|---|
| Failure to notify the authority | Up to USD 230 | UAH 10,000 - 30,000 (minor violation) |
| Repeat offence within 12 months | Up to USD 1,150 | Higher bracket applies |
| Non-compliance with authority orders | Up to USD 580 | Fines scaled to severity |
| Severe violations (e.g. unlawful processing at scale) | No specific provision | Up to 5% of annual turnover, minimum UAH 300,000 per violation |

The 5% turnover threshold exceeds the GDPR's 4% maximum, though the final figures may shift during the second reading.

EU Candidate Status and GDPR Alignment

Ukraine received EU candidate status in June 2022. As part of the accession process, alignment with the EU acquis - including the GDPR and ePrivacy rules - is not optional. The EU-Ukraine Association Agreement already commits Ukraine to ensuring an adequate level of data protection in line with European standards.

Ukraine does not yet hold an EU adequacy decision. Achieving one would simplify cross-border data transfers and make Ukraine a more attractive partner for European businesses. Draft Law No. 8153 is a clear step toward that goal.

Neighbouring EU member states already enforce the GDPR directly. If your website targets users in Poland, Romania, or Hungary, you are already subject to those countries' cookie rules regardless of where your servers sit. Targeting Ukrainian users will eventually require a similar level of compliance once the new law is enacted.

How Ukraine Compares to the GDPR

| Requirement | GDPR / ePrivacy | Ukraine (Draft Law No. 8153) |
|---|---|---|
| Cookie consent required | Yes, for non-essential cookies | Yes, same exemptions for strictly necessary cookies |
| Consent must be freely given, specific, informed | Yes (Article 4(11) GDPR) | Yes, explicit consent with active action required |
| Right to withdraw consent | Yes (Article 7(3) GDPR) | Yes |
| Data Protection Officer required | In certain cases | Expected for certain controllers |
| Breach notification | 72 hours (Article 33 GDPR) | Yes, details pending second reading |
| Maximum fine | 4% of annual turnover | 5% of annual turnover |
| Supervisory authority | Independent DPA | New dedicated authority planned |

The New Supervisory Authority

One major structural change under Draft Law No. 8153 is the plan to establish a dedicated, independent data protection authority. The current arrangement - where the Ombudsman handles data protection alongside a broad human rights mandate - has been criticised for lacking focus and technical expertise.

The new authority would have powers comparable to EU data protection authorities: investigating complaints, conducting audits, issuing fines, and ordering controllers to cease unlawful processing. Until the new body is operational, the Ombudsman retains oversight.

Compliance Checklist for Website Owners

If your website attracts Ukrainian visitors, the following steps will help you prepare for the incoming rules.

  • Audit your cookies. Run a cookie scan to identify every cookie and tracker on your site, including third-party scripts from analytics and advertising platforms.

  • Categorise cookies correctly. Separate strictly necessary cookies from analytics, functional, and advertising cookies. Only strictly necessary cookies will be exempt from consent.

  • Implement a proper consent mechanism. A cookie banner must collect genuine opt-in consent before setting non-essential cookies. Pre-ticked boxes or implied consent through continued browsing will not satisfy the new law.

  • Allow withdrawal of consent. Visitors must be able to change their cookie preferences at any time, not just on first visit.

  • Update your privacy policy. Disclose which cookies your site uses, their purposes, retention periods, and any third parties that receive the data.

  • Consider geo-detection. If you serve visitors from both Ukraine and EU member states, geo-detection rules let you apply the correct consent model per jurisdiction.

  • Keep records. Document the consent you collect, including timestamps and the specific choices each visitor made.
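
The audit, categorisation and prior-consent steps above can be checked mechanically. The sketch below is an added example, not code from any scanner or from the page's author: it takes cookie strings in Set-Cookie syntax recorded on a first visit before any banner choice and flags the ones that needed consent. The category table, the status labels and the sample cookies (including the hypothetical promo_seen) are assumptions constructed for illustration.

```javascript
// Added example. RULES is an assumed table built from the cookie names this
// article mentions; extend it with the results of your own scan.
const RULES = [
  { pattern: /^PHPSESSID$/, category: "strictly-necessary" },
  { pattern: /^pll_language$/, category: "strictly-necessary" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "advertising" },
];

// Parse one cookie string into its name and retention in days (null = session).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let retentionDays = null;
  for (const attr of attrs) {
    const m = /^max-age=(\d+)$/i.exec(attr);
    if (m) retentionDays = Math.round(Number(m[1]) / 86400);
  }
  return { name, retentionDays };
}

function classify(name) {
  const rule = RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// cookieStrings: values recorded before the visitor made any banner choice,
// from Set-Cookie response headers or document.cookie writes (same syntax).
function auditPreConsent(cookieStrings) {
  return cookieStrings.map((s) => {
    const { name, retentionDays } = parseSetCookie(s);
    const category = classify(name);
    const status = category === "strictly-necessary" ? "exempt"
      : category === "unclassified" ? "review" : "set-before-consent";
    return { name, category, retentionDays, status };
  });
}

// Constructed sample: cookies seen on a first page load.
const SAMPLE = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "pll_language=uk; Max-Age=31536000; Path=/",
  "_ga=GA1.1.111.222; Max-Age=63072000; Path=/",
  "_fbp=fb.1.1700000000.1; Max-Age=7776000; Path=/",
  "promo_seen=1; Max-Age=86400; Path=/",
];
console.table(auditPreConsent(SAMPLE));
```

Rows marked "set-before-consent" are the ones a banner must gate; rows marked "review" need a human decision before they are assigned a category, and the retention column feeds the privacy-policy disclosure.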

Frequently Asked Questions

Does Ukraine currently require cookie consent?

The 2010 Law on Personal Data Protection requires consent for processing personal data, which can include data collected through cookies. There is no cookie-specific regulation yet, but Draft Law No. 8153 will introduce explicit cookie consent rules once enacted.

What fines can Ukrainian authorities impose for cookie violations?

Under the current law, fines are minimal - up to approximately USD 230 for a first offence. Draft Law No. 8153 introduces fines of up to 5% of annual turnover, with a minimum of UAH 300,000 per severe violation.

Is Ukraine's data protection law the same as the GDPR?

Not yet. The 2010 law predates the GDPR and lacks many of its provisions. Draft Law No. 8153, currently in parliamentary process, is designed to align Ukrainian law closely with the GDPR and ePrivacy Directive.

Who enforces data protection rules in Ukraine?

The Ukrainian Parliament Commissioner for Human Rights (the Ombudsman) currently acts as the supervisory authority. Draft Law No. 8153 proposes creating a dedicated, independent data protection authority.

Do I need a cookie banner if my website targets Ukrainian users?

Once Draft Law No. 8153 is enacted, you will need to obtain explicit consent before setting non-essential cookies for Ukrainian visitors. Implementing a cookie banner with genuine opt-in controls is the most straightforward way to comply.

Does Ukraine have an EU adequacy decision?

No. Ukraine does not currently hold an EU adequacy decision. As an EU candidate country, achieving adequacy is a stated goal, and Draft Law No. 8153 is part of that alignment effort.
