This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: I think of cookie consent requirements as being driven by European law, specifically the EU ePrivacy Directive. But I recently heard that Russia also has a cookie consent requirement. Is this really the case? If so, do the requirements apply to a business that is not a Russian company?
Answer: Yes, Russia does indeed have cookie consent requirements, although they do not stem from legislation but rather from Russian case law. They apply to both Russian companies and companies that are not Russian companies. That said, the requirements are similar to those under the EU ePrivacy Directive.
Roskomnadzor apparently considers consent to be required when cookies are used to collect, for example, user nickname, user address or device address, IP-address, search requests, web-address entered by a user, topics viewed by a user, user ID, geolocation, operating system, time zone, browser type, browser language, screen color depth, screen resolution, Java script support, connection type, and browser window size.
Russia’s cookie consent requirements apply:
Cookie notices and consent banners that are used to comply with EU’s ePrivacy Directive can likely also be used to comply with the cookie consent requirements under Russia law. However, in that case the presentation of these solutions must not be limited to EU visitors. Also, Russia’s data localization rules also apply to personal data collected through cookies, which may make compliance more challenging.
It is unclear how actively Roskomnadzor is enforcing Russia’s cookie consent requirements. That said, in its audit questionnaires, Roskomnadzor includes questions about cookie compliance.
The possible monetary fines for not complying with Russia’s cookie consent requirements are relatively low:
On the positive side, Roskomnadzor usually gives organizations an opportunity to remedy a breach of its privacy laws before imposing fines, and it may be relatively easy to, at that point, add the required cookie consent banner, or to expand the scope of one that is already in place for the EU ePrivacy Directive.
Visit our Privacy + Data Security page to view the entire A MoFo Privacy Minute Series or for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the GDPR.