Prior, informed consent before any non-essential cookie fires — now under Poland's Electronic Communications Law.
Cookie consent in Poland is governed by the Prawo komunikacji elektronicznej (Electronic Communications Law, "PKE"), whose Article 399 took over the cookie-consent rule from Article 173 of the former Prawo telekomunikacyjne when the new statute entered into force on 10 November 2024. The PKE works alongside the Ustawa o ochronie danych osobowych of 10 May 2018 and the GDPR, and the standard of consent is read through GDPR Article 4(11) and Article 7. Personal-data aspects are supervised by the Prezes Urzędu Ochrony Danych Osobowych (UODO), while telecoms-specific obligations sit with the Prezes Urzędu Komunikacji Elektronicznej (UKE) — a dual-oversight structure that makes Poland distinctive in the EU.
Article 173 of the Telecommunications Act requires informed consent before storing cookies or accessing information already stored on a user's device.
Applicable laws
10 Nov 2024
Date the PKE entered into force, moving the cookie rule from Art. 173 to Art. 399
Prawo komunikacji elektronicznej (ustawa z 12.07.2024); prawo.pl
PLN 1M / 3%
UKE cookie-related penalty ceiling: up to PLN 1 million or 3% of prior-year revenue, whichever is higher
Prawo komunikacji elektronicznej (penalty provisions); idosell.com legal guide
2021
Year UODO ordered Interia to disclose cookie-based behavioural profiles under GDPR Art. 15
IAPP, 'the Polish cookie case' (Interia)
Oct 2025
Supreme Administrative Court ruling that UODO must prove identifiability before treating cookie IDs as personal data
Naczelny Sąd Administracyjny; EuroCloud / INPLP
Under Art. 399 PKE, information may be stored on or read from a user's device only after the user has been clearly informed of the purpose and has consented. Loading analytics, advertising or social trackers before that consent is unlawful — the exact failure CookieSentry's scan is built to surface.
Polish authorities read 'consent' under Art. 399 through GDPR Art. 4(11) and Art. 7: it must be freely given, specific, informed and unambiguous, given by a clear affirmative act. Pre-ticked boxes, implied consent and 'continued browsing' do not qualify.
A compliant banner must let users refuse non-essential cookies as easily as accept them and must separate purposes (analytics, marketing, personalisation) so consent can be given or withheld per category rather than as an all-or-nothing bundle.
Following the Interia decision and CJEU C-673/17, users must receive clear, understandable and sufficiently precise information about who sets each cookie, its purpose and duration, and any behavioural profiling — disclosable on request under GDPR Art. 15.
Controllers must be able to demonstrate that valid consent was obtained and allow withdrawal at any time as easily as it was given (GDPR Art. 7(1) and 7(3)). Maintaining a per-purpose cookie inventory and evidence of pre-consent behaviour is central to that proof.
For more than a decade Poland's cookie-consent rule lived in Article 173 of the Prawo telekomunikacyjne, the provision that transposed Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC). That changed on 10 November 2024, when the Prawo komunikacji elektronicznej — Poland's implementation of the European Electronic Communications Code — entered into force and replaced the Telecommunications Law. The cookie rule now sits in Article 399 PKE, but its substance is consistent: storing or accessing information on a user's terminal device requires prior, informed consent unless the cookie is strictly necessary to deliver a service the user requested.
Because the legal text moved, banner copy and privacy documentation that still cite 'Art. 173 Prawo telekomunikacyjne' are now out of date. References should point to Article 399 PKE alongside the GDPR. This is precisely the kind of localisation drift CookieSentry's GDPR document generation is designed to keep current for the Polish market.
Poland splits supervision in a way few EU states do. The Prezes Urzędu Ochrony Danych Osobowych (UODO) — led since January 2024 by Mirosław Wróblewski — enforces the GDPR and the 2018 Personal Data Protection Act, including the consent standard that cookie processing must meet. The Prezes Urzędu Komunikacji Elektronicznej (UKE) supervises the telecoms-law obligations themselves, and under the PKE can impose financial penalties of up to PLN 1 million or 3% of the prior year's revenue, whichever is higher, for storing or accessing information on devices without valid consent.
The landmark substantive decision came from UODO in the so-called 'Polish cookie case' involving the media group Interia. The authority held that behavioural profiles built from cookies are personal data and ordered the company to disclose, under GDPR Article 15, which marketing categories had been assigned to the complainant and what data had been combined — invoking the CJEU's standard in C-673/17 that cookie information must be clear, understandable and sufficiently precise.
UODO has materially raised its enforcement profile, handling thousands of complaints a year and issuing record fines across sectors. Cookie banners that load trackers before consent, hide the reject option, or rely on pre-ticked boxes are exactly the patterns that draw complaints and scrutiny in Poland today.
At the same time, the Naczelny Sąd Administracyjny (Supreme Administrative Court) ruled in October 2025 that UODO cannot simply assume IP addresses and cookie identifiers are always personal data; it must show, on case-specific facts, that an individual is identifiable under GDPR Article 4(1). The practical takeaway for businesses is not to relax, but to document: knowing exactly which cookies fire, when, and from whom is the foundation of any defensible position — and that is what a pre-consent scan provides.
Storing information, or gaining access to information already stored, in the telecommunications terminal equipment of an end user is permitted provided that the end user is directly informed in advance, in a clear and comprehensible manner, and has given consent.
Poland's cookie-consent rule moved from Art. 173 Prawo telekomunikacyjne to Art. 399 of the new Prawo komunikacji elektronicznej (PKE), which entered into force on 10 November 2024. Documentation citing the old Art. 173 should be updated. Source: ustawa z 12.07.2024; prawo.pl.
UODO (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl) supervises GDPR/consent aspects; UKE (Urząd Komunikacji Elektronicznej) supervises the telecoms-law cookie obligations and can fine up to PLN 1M or 3% of annual revenue. Source: PKE penalty provisions; idosell.com legal guide.
In the Interia 'Polish cookie case', UODO held that cookie-derived behavioural profiles are personal data and ordered disclosure under GDPR Art. 15, applying CJEU C-673/17. Source: IAPP, 'Disclosing information on behavioral profiles: the Polish cookie case'.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure UODO is most likely to act on — and names the source so you can fix it. It also generates GDPR documents localized to Poland's requirements, so your policies match the rules UODO applies. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
Since 10 November 2024 it is Article 399 of the Prawo komunikacji elektronicznej (Electronic Communications Law), which replaced Article 173 of the former Prawo telekomunikacyjne. It operates together with the GDPR and Poland's Personal Data Protection Act of 10 May 2018, with the consent standard read through GDPR Art. 4(11) and Art. 7.
Two authorities. The Prezes Urzędu Ochrony Danych Osobowych (UODO, uodo.gov.pl) enforces the GDPR and the consent standard, while the Prezes Urzędu Komunikacji Elektronicznej (UKE) supervises the telecoms-law obligations and can impose penalties of up to PLN 1 million or 3% of annual revenue.
No. Consent must meet the GDPR standard: freely given, specific, informed and unambiguous, expressed by a clear affirmative act. Pre-ticked boxes, 'continued browsing' and implied consent do not qualify, and rejecting non-essential cookies must be as easy as accepting them.
CookieSentry loads your site like a real visitor and flags every cookie or tracker that fires before consent — naming its source — and produces an exportable PDF report as evidence. It also generates GDPR privacy and cookie documentation localised to Polish requirements, including current references to Art. 399 PKE. It is an audit and documents tool; you keep your own consent banner.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Poland's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on Poland cookie rules, not legal advice; verify current requirements with UODO or qualified counsel.