
Legal nuances of cookie collection: how to comply with 152-FZ + free script

Cookies: What They Are and Why They Are Regulated by Law

Cookies are small text files that a website saves in the user's browser. They allow the site to "remember" actions, preferences, and technical parameters of the visit: interface language, shopping cart contents, page behavior, referral source, and much more.

Thanks to cookies, websites become more user-friendly, and businesses operate more efficiently. Cookies are used for:

  • analytics and tracking visitor behavior;
  • content personalization;
  • retargeting and ad customization;
  • authentication and session management.

However, in recent years, cookies have come under regulatory scrutiny. Why?

1. Cookies = User Behavior

Modern cookies can contain unique identifiers that allow tracking the actions of a specific individual, even without revealing their name. This already falls under the definition of personal data.

2. Users Aren’t Always Aware They’re Being Tracked

In most cases, cookies are set silently when a website loads. The user doesn’t have a chance to give consent or even realize their data is being processed.

3. The Law Requires Transparency

Under Russian law (specifically, Federal Law No. 152-FZ "On Personal Data"), any processing of information that can identify a user requires their informed and voluntary consent.

Thus, if your website uses analytical, advertising, or personalization cookies, you must notify users and obtain their consent for data processing.

Even if cookies don’t contain a user’s full name or email, combining them with other data (such as IP address, behavior, or device IDs) can still identify a person. This is why cookies fall under legal regulation.

152-FZ and Cookies: What the Law Says

In Russia, the primary law governing personal data is Federal Law No. 152-FZ "On Personal Data." It requires that any actions involving personal data (collection, storage, use, transfer) be based on lawful purposes and subject to the data subject’s consent.

Are Cookies Personal Data?

At first glance, cookies seem like mere technical markers. But in practice, they:

  • store unique user identifiers;
  • can be linked to a specific IP address;
  • track website activity, including clicks, purchases, and input data.

All this combined can identify a user or at least individualize their behavior—meaning such data is considered personal.

Roskomnadzor (Russia’s communications regulator) explicitly states: if cookies allow or facilitate user identification, they fall under the scope of 152-FZ.

What Does the Law Require?

Key provisions of Law No. 152-FZ regarding cookies:

  1. Consent for processing – Users must voluntarily and knowingly agree to cookie usage.
  2. Transparency – Before processing, you must disclose:
    • what data is collected;
    • the purpose of collection;
    • who processes it;
    • where the privacy policy is located.
  3. Right to refuse – Users can decline consent, and the site must remain functional (within reason).

What Happens If You Don’t Comply?

Violating personal data processing rules may lead to:

  • administrative fines (Art. 13.11 of the Russian Administrative Code);
  • website blocking in case of serious violations;
  • user complaints and Roskomnadzor inspections.

Even small websites or blogs must comply. A cookie consent banner is no longer a formality—it’s a legal requirement.

Common Mistakes Websites Make

Even with a cookie banner, many sites still violate the law—often unintentionally, due to misunderstanding legal requirements. Below are the most frequent errors that can lead to trouble.

1. Notification Without an Opt-Out Option

A banner with an "Accept" button but no alternative (e.g., closing without consent or adjusting settings) doesn’t count as voluntary consent and may be deemed invalid.

2. Setting Cookies Before Consent

Some sites load analytical and marketing cookies immediately upon visit, before obtaining user consent. This violates the principle of prior notice and can result in fines.

3. No Link to the Privacy Policy

The law requires users to be informed about the purpose, methods, and scope of data processing. A vague "We use cookies" message isn’t enough—there must be a clear, accessible link to the privacy policy.

4. Lack of Explicit Consent

Some sites interpret "continued use of the site" as consent, but this doesn’t meet 152-FZ requirements. The law demands active confirmation—clicking a button, checking a box, or similar action.

5. Banner Doesn’t Reappear

If a user declines consent or closes the banner but returns later, the banner should reappear. Failing to do so may be seen as a violation of consent storage rules.

How to Avoid Mistakes?

The safest approach is using a solution designed for legal compliance from the start. For example, QForm’s cookie notification script includes all legally required elements:

  • notification text,
  • active consent,
  • privacy policy link,
  • customization and flexible integration.

Learn more about how it works and how to install it in our article Free Cookie Consent Script for Websites by QForm.


How to Properly Manage Cookie Collection and Processing

To comply with 152-FZ and avoid issues with users or regulators, a simple banner isn’t enough. You need a transparent and correct cookie processing workflow. Here are the key legal requirements.

1. Voluntary and Informed Consent

User consent must be:

  • voluntary—no pressure, coercion, or forced access;
  • informed—users must understand what they’re agreeing to;
  • specific—clearly state what’s collected and why;
  • active—e.g., clicking "Accept" or "Agree."

Continued site use doesn’t qualify as valid consent.

2. User Notification

Under 152-FZ, site owners must disclose:

  • which cookies are collected;
  • the purpose of collection;
  • who processes the data (site owner or third parties like analytics/ad providers);
  • where to find the full privacy policy.

3. Opt-Out and Choice Modification

Users must have the right to:

  • refuse cookies (partially or entirely);
  • change their decision anytime;
  • continue using the site, even with limited functionality.

An "Accept" button without alternatives violates the law.

4. Consent Storage

If a user consents to cookies, their choice must be:

  • recorded (e.g., in localStorage, a cookie, or CRM);
  • stored for a predefined period (typically 30–90 days);
  • requested again upon expiration.
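
The storage rules above, combined with the earlier points about not setting cookies before consent and re-showing the banner, can be sketched as follows. This is an added example, not QForm's script: the storage key, the category names and the 30-day default are assumptions, and `storage` is any object with the `localStorage` interface.

```javascript
// Added example: consent record with expiry, checked before any tracker loads.
// KEY, TTL_DAYS and the category names are assumptions, not QForm's values.
const KEY = "cookie_consent";          // hypothetical storage key
const TTL_DAYS = 30;                   // the article suggests 30-90 days
const DAY_MS = 24 * 60 * 60 * 1000;

// Record an active choice (a button click). An empty list means "declined":
// nothing is stored, so the banner is shown again on the next visit.
function saveConsent(storage, categories, now = Date.now(), ttlDays = TTL_DAYS) {
  if (!Array.isArray(categories) || categories.length === 0) {
    storage.removeItem(KEY);
    return null;
  }
  const record = { categories: [...categories], grantedAt: now,
                   expiresAt: now + ttlDays * DAY_MS };
  storage.setItem(KEY, JSON.stringify(record));
  return record;
}

// Return the stored record, or null if it is absent, malformed or expired.
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(KEY);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  const valid = rec && Array.isArray(rec.categories) &&
    Number.isFinite(rec.expiresAt) && rec.expiresAt > now;
  if (!valid) { storage.removeItem(KEY); return null; }  // forces a new request
  return rec;
}

const shouldShowBanner = (storage, now) => readConsent(storage, now) === null;
const mayLoad = (storage, category, now) => {
  const rec = readConsent(storage, now);
  return rec !== null && rec.categories.includes(category);
};
const withdrawConsent = (storage) => storage.removeItem(KEY);

// Run a third-party loader only after consent covers its category.
// In a browser: loadIfConsented(localStorage, "analytics", injectAnalyticsTag)
function loadIfConsented(storage, category, loader, now = Date.now()) {
  if (!mayLoad(storage, category, now)) return false;
  loader();
  return true;
}
```

A record kept in `localStorage` can be cleared or edited by the visitor, so it controls the banner and script loading but is not by itself documented proof of consent for the operator.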

5. Privacy Policy

This mandatory document must be linked in the banner. It should describe:

  • what data is collected;
  • how it’s used;
  • who it’s shared with (if applicable);
  • how users can withdraw consent;
  • operator contact details.

A properly implemented cookie banner isn’t just about compliance—it builds user trust. For a hassle-free solution, consider a ready-made option.

QForm’s Script: A Legally Compliant Solution

Everything above isn’t just theory—it’s a practical requirement for all cookie-using websites. But implementing it correctly can be tricky: you need legally precise wording, technical execution, cross-browser compatibility, and design adaptation.

That’s why QForm developed a ready-made, free, and legally compliant cookie consent script that:

  • meets 152-FZ requirements;
  • integrates easily with any site;
  • requires no registration, plugins, or server-side processing;
  • fully adapts to your site’s visual style.

What Does the Script Do?

It automatically adds a pop-up cookie notice with:

  • legally vetted text;
  • an "Accept" button;
  • a privacy policy link;
  • customizable appearance;
  • adjustable consent duration (e.g., 30 days).

How the Script Complies with Legal Requirements:

Legal Requirement | What QForm Script Does
----------------- | ----------------------
Prior Notification | Banner appears before cookies are loaded
Explicit and Voluntary Consent | "Accept" button with customizable text and style
User Information | Option to include link to privacy policy
Flexible Display Settings | Customizable colors, position, fonts, and text
Consent Storage | Storage period is configurable and matches processing purposes (e.g., 30, 60 or 90 days). Users can withdraw consent at any time.


Advantages of the QForm Script

  • Simplicity — Added with just one line of code;
  • Flexibility — Easily adapts to your brand;
  • Neutral Design — Unobtrusive, fits any website;
  • Free — No subscription, API keys, or registration required;
  • Secure — Client-side only, no tracking or data collection.

We’ve already covered the script’s setup and customization examples in detail in a separate article.

Conclusion

Cookies are a vital tool for analytics, personalization, and advertising, but the law also sees them as a potential risk if mishandled. Federal Law No. 152-FZ requires that any collection and processing of personal data occur with user consent—and cookies (even technical ones) are increasingly treated as such data.

Key Takeaways:

  1. Don’t just add a banner—ensure it meets legal requirements;
  2. Avoid guesswork—secure documented user consent;
  3. Steer clear of outdated or superficial solutions that only create the illusion of compliance.

If you want to protect your site and do it right, you don’t need to build a solution from scratch.
