May 2026 – Romania is taking a significant step towards bringing its cookie consent rules into line with the standards established under the General Data Protection Regulation (GDPR) and the guidance of the European Data Protection Board (EDPB). A legislative proposal currently under parliamentary review would introduce binding, prescriptive requirements governing the design and operation of cookie consent mechanisms – requirements that will have direct practical consequences for any organisation operating a website or digital service accessible from Romania.
The domestic legal framework on cookies is primarily governed by Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, which transposes Directive 2002/58/EC into Romanian law. The law already establishes the requirement to obtain user consent prior to storing or accessing information on a user’s terminal equipment. However, it has not been substantively updated to reflect the consent standard introduced by the GDPR, namely that consent must be freely given, specific, informed and unambiguous, and demonstrated through a clear affirmative act. This gap between the general legal requirement and its practical implementation in cookie banner design is precisely what the current proposal seeks to address.
Legislative Proposal no. 256/2026, which amends Law No. 506/2004, is currently under parliamentary review (the “Proposal”). The Proposal does not introduce new legal principles. Rather, it operationalises – at the level of binding statutory rules – consent requirements that already flow from the GDPR and from EDPB guidance, but which have not previously been codified in Romanian sectoral law. The practical effect is to translate existing supervisory expectations regarding consent interface design into enforceable domestic obligations.
Key changes
The Proposal introduces the following specific requirements:
1. Mandatory “accept / refuse” all cookies – at first layer
Where a cookie banner offers an “accept all” option at the first level, it must also include, at the same level, a direct “refuse all” option. This option must be presented clearly and without reduced visibility or accessibility compared to acceptance.
2. No substitution by preference centres
The Proposal clarifies that the option allowing users to manage cookie preferences must be presented separately from the main consent options and cannot replace the requirement to offer a direct refusal option at the first layer, together with the accept option.
3. Explicit ban on invalid consent mechanisms
The Proposal goes beyond general consent requirements and explicitly identifies and prohibits common “dark pattern” practices used in cookie interfaces. In particular, the Proposal expressly forbids obtaining consent through:
- pre-ticked boxes or any form of pre-selected options for non-essential cookies;
- misleading, ambiguous or deceptive wording that may distort the user’s understanding of the consequences of accepting, refusing or configuring cookies;
- interface designs that make the refusal option unjustifiably more difficult to exercise than acceptance (e.g. additional steps, reduced visibility or inferior placement).
By codifying these practices as prohibited, the Proposal effectively transforms existing regulatory guidance into binding statutory rules, significantly increasing the compliance risk associated with common banner design strategies.
4. Right to withdraw consent easily
Consistent with Article 7(3) GDPR, the Proposal requires that users be able to withdraw consent at any time through a mechanism that is at least as simple as the process of granting it. The Proposal does not, however, prescribe the specific form that withdrawal mechanisms must take; it does not address, for example, whether withdrawal must be available through a persistent interface element, whether access through a layered preference centre is sufficient, or what minimum level of visibility is required.
5. Obligation to demonstrate consent
The Proposal introduces an explicit obligation to demonstrate that consent was validly obtained. Any company storing or accessing information on an end user’s terminal equipment on the basis of consent must be in a position to evidence: the consent mechanism deployed at the time of collection, the affirmative action taken by the user, and the moment at which consent was expressed. This provision directly mirrors the accountability principle under Article 5(2) GDPR and the controller’s burden of proof under Article 7(1) GDPR, and reinforces the need for robust, auditable consent management systems.
Why does this matter?
The Proposal does not introduce new legal principles. Rather, it sets a higher threshold for compliance by translating EU-level standards into detailed, enforceable requirements at the level of interface design and consent architecture.
Practices that were already non-compliant under the GDPR and EDPB guidance (such as pre-ticked boxes, asymmetric refusal options and deceptive banner design) will, once the Proposal is adopted, also constitute express violations of Romanian sectoral law. This increases both the likelihood of regulatory action and the strength of any enforcement case, including potential administrative fines.
The Proposal provides for an implementation period of 120 days following entry into force. Organisations should adopt a proactive approach and review their cookie framework, including interface design, default settings, withdrawal mechanisms and transparency disclosures, in order to ensure timely alignment with the forthcoming requirements.
In this context, organisations should consider taking the following steps:
- Review and redesign cookie banners to ensure that refusal is available at the first interaction layer, with equal prominence and functionality as acceptance.
- Verify that consent management platforms do not rely on pre-enabled settings or pre-ticked options.
- Assess the use of third-party technologies, including analytics, advertising and social media tools, and ensure that all relevant vendors are clearly identified prior to consent.
- Strengthen consent record-keeping, including maintaining evidence of the interface used, the user’s affirmative action and the timing of consent.
- Review and update cookie policies and privacy notices, ensuring that they accurately reflect cookie categories, purposes and third-party involvement, and are aligned with the consent flow.
Conclusion
The Proposal should be viewed in the context of increasingly active enforcement by the Romanian data protection authority, which has, in recent practice, imposed sanctions with growing frequency in relation to cookie compliance. In these circumstances, it is becoming increasingly difficult to maintain an approach whereby cookie practices are treated as a secondary or merely formal requirement.
In our view, organisations should instead treat this area as a key priority within their broader data protection compliance framework, requiring a well-documented approach across consent architecture, interface design, default configurations, withdrawal mechanisms and internal governance processes.