Cookie Compliance in Runet 2026
Enterno.io audited cookie banners across top-500 Russian sites (March 2026) for compliance with Federal Law 152-FZ (Personal Data). Only 42% run a correct consent flow: opt-in, reject = no analytics cookies, link to privacy policy. 35% just show a banner but still set cookies. 23% have no banner at all — potential Roskomnadzor fines up to ₽500k.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Key Findings
| Metric | Pass / Value | Median | p75 |
|---|---|---|---|
| Companies with a cookie banner | 77% | — | — |
| Proper opt-in consent | 42% | — | — |
| Banner shown but cookies set immediately (non-compliant) | 35% | — | — |
| No cookie banner at all | 23% | — | — |
| Link to privacy policy | 68% | — | — |
| Separate opt-in for analytics/marketing | 12% | — | — |
| Reject-All button available | 28% | — | — |
| Yandex.Metrika without consent | 64% | — | — |
Breakdown by Platform
| Platform | Share | Detail | — |
|---|---|---|---|
| CookieYes / CookieBot plugins | 14% | compliance: 82% | — |
| Bitrix default module | 22% | compliance: 31% | — |
| WordPress GDPR plugin | 8% | compliance: 74% | — |
| Custom implementation | 33% | compliance: 38% | — |
| Tilda default | 5% | compliance: 24% | — |
| No banner at all | 23% | compliance: 0% | — |
Why It Matters
- Fines under Art. 13.11 RF Administrative Code — up to ₽500k for legal entities (strengthened in 2023)
- Non-compliant = tax authority and Roskomnadzor can request a cookie audit during scheduled inspection
- Yandex.Metrika and Google Analytics without consent — the largest violation bucket
- Right pattern: banner BEFORE any tracking cookies (only essential until decision)
- TCF 2.2 (IAB Europe) does not apply in RU — domestic consent frameworks
Methodology
Top-500 Russian sites (SimilarWeb.ru ranking, March 2026). Loaded via headless Puppeteer from a clean profile, recorded cookies before interaction, after decline, after accept. Compliance classifier: 3 checkpoints (banner presence, consent-gated tracking, reject-all works).
Learn more
Research
Frequently Asked Questions
What does Federal Law 152-FZ require from a site?
Informed consent before collecting personal data (tracking cookies). Explicit opt-in (not pre-checked). Withdrawal option. Link to privacy policy.
Does Yandex.Metrika strictly require consent?
Yes if you collect personal data through it (including IP for geo-targeting). Consent in the banner before activation script.
How big is the fine?
Up to ₽500k per legal entity (Art. 13.11). Repeat — up to ₽6M. Roskomnadzor issues ~100 fines/year for cookie violations.
How to check my site?
<a href="/en/cookie">Enterno Cookie Analyzer</a> — scans all set cookies, checks flags (HttpOnly, Secure, SameSite), classifies by purpose.