A MoFo Privacy Minute Q&A (9 September 2021)
This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: I think of cookie consent requirements as being driven by European law, specifically the EU ePrivacy Directive. But I recently heard that Russia also has a cookie consent requirement. Is this really the case? If so, do the requirements apply to a business that is not a Russian company?
Answer: Yes, Russia does indeed have cookie consent requirements, although they do not stem from legislation but rather from Russian case law. They apply to both Russian companies and companies that are not Russian companies. That said, the requirements are similar to those under the EU ePrivacy Directive.
In 2016, Russian courts decided that data collected from website visitors using cookies are considered personal data. On these grounds, Russia’s data protection authority (Roskomnadzor) requires companies to seek explicit consent from website visitors for the use of cookies to collect such data.
Roskomnadzor apparently considers consent to be required when cookies are used to collect, for example, user nickname, user address or device address, IP address, search requests, web address entered by a user, topics viewed by a user, user ID, geolocation, operating system, time zone, browser type, browser language, screen color depth, screen resolution, JavaScript support, connection type, and browser window size.
Russia’s cookie consent requirements apply:
Cookie notices and consent banners that are used to comply with the EU’s ePrivacy Directive can likely also be used to comply with the cookie consent requirements under Russian law. However, in that case the presentation of these solutions must not be limited to EU visitors. In addition, Russia’s data localization rules apply to personal data collected through cookies, which may make compliance more challenging.
It is unclear how actively Roskomnadzor is enforcing Russia’s cookie consent requirements. That said, in its audit questionnaires, Roskomnadzor includes questions about cookie compliance.
The possible monetary fines for not complying with Russia’s cookie consent requirements are relatively low:
On the positive side, Roskomnadzor usually gives organizations an opportunity to remedy a breach of its privacy laws before imposing fines, and at that point it may be relatively easy to add the required cookie consent banner, or to expand the scope of one that is already in place for the EU ePrivacy Directive.