April 2026
by Adela Nuță
A draft law amending and supplementing Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (the legislative act transposing into national law Directive 2002/58/EC – the “ePrivacy Directive”) is currently under legislative review in the Romanian Parliament.
Adopted over 20 years ago, the law no longer adequately reflects current digital realities, even though the field has subsequently been supplemented and strengthened by other relevant legal instruments, including Regulation (EU) 2016/679 (“GDPR”) and related national legislation.
Adopted more than two decades ago, the law has not kept pace with contemporary digital realities, notwithstanding the fact that the regulatory framework has subsequently been complemented and strengthened by other relevant legal instruments, including Regulation (EU) 2016/679 (“GDPR”) and related national legislation.
The specific issue which the draft law seeks to address is one that any internet user has inevitably encountered: cookie banners that conceal the “reject” option in obscure or hard-to-access locations, pre-select all categories of tracking by default, or otherwise render acceptance significantly easier than refusal. These practices, known as “dark patterns”, had already been considered problematic in light of the GDPR and the guidelines issued by the European Data Protection Board (EDPB). However, the draft law aims to address them explicitly and to strengthen their enforcement at the national level.
The proposed amendments primarily target Article 4(5), laying down detailed rules governing the mechanisms for obtaining users’ consent for the storage of information on their terminal equipment (including cookies and similar tracking technologies).
The requirement of an ‘’equally accessible refusal button’’
The most significant proposed amendment consists in the introduction of a new paragraph, requiring that cookie banner/panel interfaces provide, at the first layer, an option for full refusal that is equally visible and accessible as the option for full acceptance. This provision codifies into national law the standards already established in the EDPB guidelines and in the ANSPDCP guidelines, thereby eliminating the common practice of concealing the refusal option within submenus or secondary pages.
The law further provides that the possibility to set preferences in detail (i.e., which cookies are accepted and which are not) remains a separate feature and cannot be used as a justification for eliminating the simple refusal button. In other words, it is not sufficient to state “you can customize” where the user is not able to refuse swiftly, through a single click.
Prohibition of deceptive “dark pattern” practices
The draft law expressly prohibits three categories of practices:
(a) pre-ticked or implicitly activated options – it will no longer be permitted for all categories of cookies to be selected by default, leaving the user to manually deselect those that are not desired. Consent must constitute an active expression of will, not a passive omission;
(b) confusing or misleading wording – formulations such as “Accept for a better experience” or buttons containing unclear messages as to the consequences of refusal are prohibited. The user must clearly understand the nature of the choice being made;
(c) design elements that render refusal more difficult – refusal buttons that are smaller in size, less visible, or more difficult to identify than acceptance buttons shall no longer be permitted. Both options must be equally accessible.
Withdrawal of consent — as easy as granting it
The new law establishes a clear principle: the withdrawal of consent must be at least as simple as its provision. Thus, if cookies have been accepted at a given moment, the user must be able to revisit this decision at any time through an easily accessible mechanism, without being required to search through settings or to contact the controller.
Sanctions
Failure to comply with the new rules constitutes an administrative offence and is subject to fines ranging from RON 5,000 to RON 100,000. For companies with a turnover exceeding RON 5 million, the fine may reach up to 2% of the annual turnover. The finding and application of such sanctions remain within the competence of ANSPDCP.
Transitional obligations
Article II of the draft provides for a period of 120 days from the entry into force to achieve compliance.
In practice, any company operating a website addressed to users in Romania and using cookies must review and, where necessary, amend:
(i) the cookie banner — the structure and content of the message;
(ii) the equal visibility and accessibility of the acceptance and refusal options;
(iii) the absence of pre-ticked options;
(iv) the existence of a simple mechanism for withdrawing consent;
(v) the system for recording and storing proof of consent.
Conclusions
The proposed amendments to Law No. 506/2004 mark the transition from general, principle-based standards to concrete and verifiable obligations in the area of cookie consent, significantly reducing the margin of interpretation that has existed to date. In this context, controllers must review their consent collection mechanisms and digital interfaces in order to ensure a genuine balance between acceptance and refusal options, as well as to mitigate the risks of sanctions.
Details about our Data Privacy and Data Protection practice are available HERE.