Granular cookie consent


In the last three years since GDPR has entered into force we have noticed various (technical) solutions of the cookie notice pop-ups, that is, various forms and methods of obtaining the cookie consents. Although cookies are generally regulated by the Croatian Electronic Communications Act (by which the so-called EU E-Privacy Directive was transposed to the national legislation) and by GDPR regulations, there is still no regulation that specifically regulates the visual formatting of the cookie consent.


Our supervisory authority, the Croatian Personal  Data Protection Agency has not issued nor published any official guidelines in this respect, but from the workshop organised in May 2021 by AZOP and HGK on "Personal data protection and harmonization with the GDPR in tourism", it transpires that the so-called "granular consent" is the only adequate form of the cookie consent. Namely, the visitor of the website must have the option to set the cookies on the website directly and independently. Visitor must not be directed to other websites (eg. web browsers such as The visitor must be given the option to choose which cookies he/she wants to accept and which not. For each type of cookie, depending on their purpose, a special consent should be given (granular consent), either immediately upon opening the website (so-called first level) or on the next page (the so-called second level). Necessary cookies may be pre-enabled and may be thus displayed, however analytical and marketing cookies are not necessary, and therefore, when giving a consent, the visitor should have an option to turn them on independently and they should not be set in advance as if they were enabled with the visitor's option to turn them off.


The above described position of AZOP can be interpreted as the best practice and the beginning of the standardization but for now it represents just a recommendation and the milestone for detailed regulation of this matter.