Cookie Consent and Analytics in Poland: What Polish Website Owners Need to Know in 2026

Poland's anti-corruption bureau spent PLN 25 million of a crime victims' fund to buy Pegasus spyware. They used it to hack into an opposition senator's phone 33 times during an election campaign. A prosecutor investigating the government's illegal postal voting scheme was targeted 6 times. The European Parliament called Poland "the most blatant case" of spyware abuse in the EU, alongside Hungary.

Meanwhile, the same country's data protection authority received 53 privacy complaints from Europe's most effective privacy organization and issued decisions on exactly none of them.

I'm David, founder of Clickport. I build privacy-first analytics that don't use cookies or require consent banners. This article is specifically for Polish website owners: what your cookie consent obligations actually are, why UODO has been silent on Google Analytics while every other major DPA acted, what's changing under new leadership, and why Poland's unique browser landscape makes cookie-based analytics worse here than almost anywhere else in Europe.

A country shaped by surveillance

Poland's relationship with privacy is personal. For 45 years under communist rule, the Sluzba Bezpieczenstwa (SB) maintained files on millions of citizens. Neighbors informed on neighbors. Phone calls were tapped. Mail was opened. After 1989, the lustration process of opening those files revealed the scale: the security apparatus had penetrated every layer of society.

That history should have made Poland a privacy leader. Instead, something more complicated happened.

In 2016, Poland passed surveillance legislation that authorized law enforcement to access metadata without court orders, monitor foreign citizens without prior judicial approval, and hold terrorism suspects for 14 days without charges. In May 2024, the European Court of Human Rights ruled this surveillance law violates Article 8 (right to private and family life), finding that Poland lacked "sufficient safeguards against excessive recourse to surveillance."

Then came Pegasus. Between 2017 and 2020, Poland's Central Anti-Corruption Bureau (CBA) deployed NSO Group's Pegasus spyware against opposition politicians, journalists, lawyers, and a prosecutor. Senator Krzysztof Brejza, head of the opposition's campaign team, was hacked 33 times during the 2019 election campaign. Lawyer Roman Giertych was infected 18 times. Prosecutor Ewa Wrzosek, who was investigating the government's illegal postal voting attempt, was targeted 6 times. The spyware was purchased using PLN 25 million from the Justice Fund, money designated for crime victims.

This context matters for understanding Poland's data protection landscape. The country has deep experience with what happens when personal data is weaponized. But the institutions meant to prevent it have been compromised by the same forces they're supposed to regulate. The Panoptykon Foundation, founded in Warsaw in 2009 and named after Jeremy Bentham's panopticon, has been fighting this fight for over 16 years, documenting surveillance abuses and pushing for stronger data protection. But until recently, the regulators weren't listening.

UODO: 267 people, zero noyb decisions

The Urzad Ochrony Danych Osobowych (UODO) is Poland's data protection authority. It has 267 employees working on a budget of PLN 45.4 million (approximately EUR 10.5 million). It received 6,962 complaints in 2023, 8,056 in 2024, and complaints surged over 40% in the first half of 2025.

Those aren't bad numbers. UODO has more staff and a larger budget than Austria's DSB (53 staff, EUR 5.9 million). The problem isn't resources. It's what UODO has done with them.

In August 2020, noyb filed 5 complaints with UODO as part of its 101 complaints across the EU targeting Google Analytics and Facebook Connect data transfers. The targets: TVN (player.pl), Telewizja Polska (tvp.pl), Grupa Interia.pl (interia.pl), PKO BP (pkobp.pl), and Onet-RAS Polska (jakdojade.pl). Five major Polish websites. Four using Google Analytics, one using Facebook Connect.

All five complaints are still pending. After more than five years, not a single decision.

But it's worse than that. According to noyb's DPA tracker, UODO has received 53 total noyb complaints across all projects and has issued zero decisions on any of them. Zero. For comparison:

A joint report by noyb and the Panoptykon Foundation documented the systemic problems. Complainants must physically travel to Warsaw to photograph their case files because UODO refuses to provide electronic access. UODO doesn't accept complaints via email. The Polish Code of Administrative Procedure requires cases to be decided within one to two months, but most UODO cases drag on for six months or more. And Jan Nowak, who served as UODO president from 2019 to January 2024, resigned from the ruling Law and Justice party just before his appointment, raising questions about independence.

The most telling example: when the government ordered Poczta Polska to process the personal data of approximately 30 million citizens from the PESEL register for an illegal postal election in April 2020, over 230 citizens filed complaints with UODO. Under Nowak, all were dismissed as "unfounded."

New leadership, new enforcement

That changed on January 26, 2024, when Miroslaw Wroblewski took over as UODO president. Wroblewski spent 17 years at Poland's Office of the Commissioner for Human Rights and served on the EU Fundamental Rights Agency board. He's an academic with nearly 100 publications on constitutional law and human rights.

His first year was a signal. In March 2025, Wroblewski fined Poczta Polska EUR 6.4 million (PLN 27.1 million) for the same data breach his predecessor had dismissed. The Minister of Digital Affairs was fined separately for authorizing the transfer. Wroblewski stated: "The fact that personal data from the PESEL register were illegitimately made available and processed by Poczta Polska jeopardised the proper exercise of citizens' rights under the Constitution."

2025 brought record fines across the board:

Complaints to UODO are up 40% in the first half of 2025 compared to 2024. Data breach notifications reached 14,842 in 2024, up from 12,772 in 2022. UODO created a new department dedicated to preliminary complaint review to handle the increased volume.

The question Polish website owners should be asking: if UODO is finally waking up, how long before it turns its attention to cookies and analytics?

The rules you're actually subject to

Cookie consent in Poland is governed by the Electronic Communications Act of July 12, 2024 (Prawo komunikacji elektronicznej), which replaced the old Telecommunications Law. Cookie consent is now in Articles 398-400 of the new law.

The requirements are straightforward.

Prior consent is required for all non-essential cookies. Under Article 399, users must receive advance notice in an "unambiguous, simple and understandable manner" about the purpose of storing cookies, and consent must be obtained after providing this information. Consent must comply with GDPR standards: freely given, specific, informed, and unambiguous.

There are only two exemptions. A cookie is exempt if it's necessary for transmitting messages via public telecommunications networks, or for delivering an electronically-rendered service the user explicitly requested. Session cookies, shopping carts, consent status storage. That's the full list.

There is no analytics exemption. This is critical. Unlike France, where CNIL allows 18 analytics tools to operate without consent, Poland makes no distinction between essential, functional, analytical, and advertising cookies. If your analytics tool sets a cookie and the cookie isn't technically necessary for delivering the service, you need consent. Period.

Enforcement is split between two authorities. UKE (Urzad Komunikacji Elektronicznej, Office of Electronic Communications) handles cookie consent violations under the Electronic Communications Act. Fines: up to 3% of company revenue or PLN 1,000,000, whichever is higher. Individual managers can be fined up to 300% of their monthly salary. UODO handles the GDPR layer on top: up to EUR 20 million or 4% of global turnover. A single non-compliant cookie banner could trigger enforcement from both.

One important detail: UODO's only cookie-related decision so far was against Interia Group in October 2021. UODO ruled that browser default settings do not constitute valid consent, calling such consent "passive and tacit, and thus invalid." Cookie IDs and IP addresses were confirmed as personal data. The decision was a reprimand, not a fine, but it established the principle: implied consent through browser settings is not consent at all.

And there is no official UODO guidance on cookie banners. Polish website owners are operating without a playbook from their own regulator.

Google Analytics: the silence

Every major DPA in Europe has taken a position on Google Analytics. Austria ruled it illegal in December 2021. France followed in February 2022. Italy, Denmark, Finland, Sweden, and Norway all issued their own rulings. The EDPB set up a task force to coordinate a consistent approach.

UODO said nothing.

Five complaints about Google Analytics on major Polish websites have been pending since August 2020. TVN, Telewizja Polska, Interia, PKO BP, Onet-RAS. Five years, seven months. No decisions. No statements. No guidance.

The practical result: Polish websites continue to use Google Analytics freely. There is no domestic regulatory pressure. No Polish court has ruled on analytics legality. No company has been warned, fined, or even formally questioned about GA usage.

The EU-US Data Privacy Framework (adopted July 2023) technically resolved the Schrems II transfer issue for DPF-certified companies like Google. But that only addresses the data transfer layer. The cookie consent layer remains: Google Analytics sets cookies, Polish law requires consent for analytics cookies, and consent means losing most of your visitor data.

And the DPF itself is under threat. Philippe Latombe, a sitting CNIL commissioner, has appealed to the CJEU to overturn it. The US Privacy and Civil Liberties Oversight Board (PCLOB), cited 31 times in the adequacy decision as a crucial oversight mechanism, has been gutted by the Trump administration. If the DPF falls, Google Analytics faces the same illegal transfer status it had in 2022 across Europe, including in Poland, whether UODO has ruled or not.

For the full EU-wide picture, see our detailed analysis of Google Analytics' legal status.

The Opera problem: why Poland loses more data than anywhere

This is where Poland's story gets unique. Every country loses analytics data to cookie consent rejection and ad blockers. Poland loses more than most, and the reason is a browser.

Opera holds 20.84% of Polish desktops. That's 9.4x the global average of 2.21% and 4.5x the European average of 4.63%. One in five Polish desktop users browses with Opera.

Why? Opera's desktop development hub is in Wroclaw, Poland. All desktop browser development happens there. The browser has deep roots in the Polish market going back over a decade. Opera GX, their gaming browser, has driven recent growth. And critically: Opera includes a built-in ad blocker and tracker blocker.

But Opera is just the start. Poland was the world's #1 country for ad blocker adoption in 2016-2017, driven by Polish websites that overloaded pages with intrusive advertising. Ad blocker usage remains around 34% today, above the global average. The Polish community maintains three dedicated ad filter lists: Polish Ads Filter (723 GitHub stars, 30,000+ commits), Polish Annoyance Filters, and EasyList Polish.

On mobile, 30% of Polish users are on iOS/Safari with ITP cookie restrictions. Firefox, with Enhanced Tracking Protection, holds 9.8% on desktop.

Now add cookie consent rejection. When Polish visitors encounter a legally compliant banner, the majority reject analytics cookies.

Poland has 34.1 million internet users (89.8% penetration), an e-commerce market exceeding PLN 150 billion (approximately EUR 35 billion), and over 2.5 million .pl domains. If you're running cookie-based analytics on a Polish website, you're making business decisions based on a minority of your actual traffic.

Poland's homegrown alternative

There's an irony in Poland's analytics landscape. The country's data protection authority has been the slowest in Europe to act on Google Analytics. But Poland is also home to one of Europe's most successful privacy-first analytics companies.

Piwik PRO was founded in Wroclaw in 2013 by Maciej Zawadzinski (CEO of Clearcode, a Wroclaw software house) and Matthieu Aubry (creator of the original Piwik open-source project, now Matomo). What started as commercial support for the open-source project became a full enterprise analytics platform.

Today, Piwik PRO serves the European Commission, the Government of the Netherlands, the Council of Europe, and enterprise clients including Airbus, Microsoft, and Credit Agricole. In November 2023, Piwik PRO merged with Cookie Information (a Danish consent management platform), backed by Kirk Kapital, the investment vehicle of the LEGO founding family. The combined entity has over 225 employees, 10,000 user organizations, and subscription revenue exceeding DKK 150 million (approximately EUR 20 million).

Piwik PRO is ISO 27001 and SOC 2 Type II certified, CNIL consent-exempt when properly configured, and EU-hosted. Google's former Head of Web Analytics for Europe, Brian Clifton, joined as advisor in 2023.

Poland also has Gemius, founded in Warsaw in 1999, which provides the standard digital audience measurement across Central and Eastern Europe. Their gemiusAudience product is the currency for digital advertising in Poland and a dozen other CEE markets.

The tools exist. The expertise is Polish. The market just hasn't been forced to move yet, because the regulator hasn't acted.

What's coming in 2026 and beyond

Three developments will reshape Poland's analytics landscape.

1. The Digital Omnibus would override Poland's lack of guidance.

The Digital Omnibus (proposed November 2025) creates a consent exemption for audience measurement analytics at the EU level through a new Article 88a GDPR. The conditions: first-party only, no cross-site tracking, aggregated data only, used solely by the website operator. Because it's a Regulation, not a Directive, it would be directly applicable in Poland without any transposition into national law. Poland's Electronic Communications Act cookie provisions would be superseded automatically.

This matters more for Poland than for most countries. France already has an exemption framework. Austria's strict position would be overridden. But Poland has had no guidance at all. The Omnibus would give Polish website owners their first clear legal path to consent-free analytics. The EDPB and EDPS issued a joint opinion in February 2026 broadly supporting simplification.

2. UODO under Wroblewski may finally address cookies and analytics.

With complaints up 40%, record fines issued, and a new department for preliminary complaint review, UODO's enforcement trajectory is clear. The 53 unanswered noyb complaints represent a backlog that Wroblewski inherited, not one he created. Whether he acts on the Google Analytics complaints specifically is uncertain, but the DPF has reduced the urgency of the transfer question. The cookie consent question, however, remains entirely unresolved.

3. The Latombe CJEU appeal could invalidate the Data Privacy Framework.

Philippe Latombe's appeal is pending at the Court of Justice. If it succeeds, EU-to-US data transfers lose their legal basis again. Google Analytics faces the same illegal transfer status it had in 2022. Even UODO would have no choice but to act. A ruling is expected in late 2026 or 2027.

What this means for your website

If you run a website that serves Polish visitors, here's a practical assessment.

If you're using Google Analytics with a cookie banner: UODO hasn't acted, so there's no domestic enforcement pressure today. But you're losing an unusually high share of your visitor data. Poland's combination of high ad blocker usage, Opera's 21% desktop share with built-in blocking, and cookie consent rejection means your analytics see a smaller slice of actual traffic than in almost any other European market. You're making decisions for a PLN 150 billion e-commerce market based on incomplete data.

If your cookie banner isn't compliant: The risk is growing. UODO under Wroblewski has issued more fines in 2025 than in the previous three years combined. UKE can fine up to 3% of revenue separately. Noyb's 53 pending complaints represent a queue that will eventually get processed. And noyb, now a Qualified Entity for EU-wide class actions, can bring cases on behalf of affected individuals across all member states.

If you want to see all your traffic and eliminate the risk: Switch to an analytics tool that doesn't store anything on the visitor's device. No cookie, no local storage, no fingerprint, no Electronic Communications Act consent requirement. No banner needed for analytics. 100% of visitors visible, including the Opera users and ad blocker users you're currently missing entirely.

Clickport is built for exactly this situation. No cookies, no consent banner required, EU-hosted, first-party only, privacy-first by design. Every visitor is visible. Every session is tracked. No dependency on US data transfers. You can try it free for 30 days, no credit card required, and see the difference in your data within the first hour.

Poland has a complicated relationship with surveillance and privacy. The country that endured decades of secret police files, that was targeted by its own government with Pegasus spyware, that has a data protection authority only now beginning to function independently. Polish website owners, perhaps more than anyone in Europe, understand why privacy matters. The tools to protect your visitors' privacy and see all your traffic at the same time already exist. One of them was built in Wroclaw.