Russia Introduced New Rules on Data Processing Consent
9 December 2025
Beginning September 1, 2025, data controllers are prohibited from including consent language in any documents and legal clauses other than the consent forms. It is likely that new amendments restricting the cases where personal data processing may be based on consent will be quick to follow.
Consent to be Separated from Other Documents and Clauses
According to Art.6(1) of the Federal Law on Personal Data № 152-FZ dated July 27, 2006 (the PDL), operators (the Russian equivalent of controllers) may rely on the data subject’s consent as a lawful basis for personal data processing. They obtain consent in “any form that can serve as proof of having been granted” (e.g. a check-box on a website) except for specific cases where the consent must be in written form (Art.9 PDL). Written consent must be executed either as a hard copy or as an e-signed document if the processing includes, among other things, disclosing employee data to third parties (Art.88 of the Labour Code), establishing a person’s identity with biometric data (Art.11 PDL), and conducting operations with health information, ethnic origin and other special categories of data (Art.10 PDL). Furthermore, written consent must contain the mandatory elements listed in Art.9(4) PDL, including the processing purpose, list of data categories, processing operations and methods, name and address of data processors (if any), and other details.
On September 1, 2025 Art.9(1) PDL was amended to include the following requirement: “Consent to the processing of personal data must be obtained separately from any other information and/or documents confirmed and/or signed by the data subject”. This rule applies to both written consent and consent “in any form”. According to the explanatory note to the bill, the stated purpose is “<…> to eliminate legal uncertainty that allows unfair personal data operators to “mislead” individuals regarding the granting of consent to the processing of their personal data and determining of the conditions and purposes of such processing”.1
In practical terms, the amendment raises more questions than it answers. In response to an inquiry from the Association of Russian Banks, the Data Protection Authority (in Russian, Roscomnadzor) issued guidance that the consent language is to be separated from banking documents and could be placed on the reverse side of printed application forms and other papers.2 Following this rationale, consent clauses must also be separated from the texts of employment contracts, services, sales and other consumer contracts, and various standardized forms and templates signed by data subjects (e.g. marketing survey questionnaires and office visitor forms). Controllers are obliged to complete additional paperwork, which increases the risk of errors in legal documentation.
Taken literally, the new requirement may be understood to mean that website and mobile app owners should not combine consent to data processing and acceptance of the user agreement in one cookie banner. The provisions of privacy policies and user agreements should not incorporate data subject’s consent clauses. The consent language must be accompanied by a separate checkbox in web forms used for creating accounts, giving feedback, ordering products, and other purposes. The granting of consent should not be synchronized with sending a web form. For instance, clauses like “By clicking Submit button I consent to…” may no longer comply with the new requirement.
The Data Protection Authority actively monitors websites that process Russian users’ data. As a result, improper use of consent language and cookie banners can be easily detected.
The laws do not establish specific penalties for breaching the said requirement. In general, invalid consent may result in imposing administrative fines up to RUB300 000 on the operator and/or up to RUB100 000 on the operator’s responsible managers if the consent should have been received “in any form” (Art.13.11(1) of the Code of Administrative Offences). If written consent should have been obtained, the amount of administrative fines may reach RUB700 000 for the operator and/or RUB300 000 for the operator’s responsible manager (Art.13.11(2) of the same Code). The responsible managers are usually the Data Protection Officer (DPO) and/or the Chief Executive Officer (CEO). The Data Protection Authority has the power to decide at its own discretion, which person(s) — a responsible manager, the legal entity (operator) or both — are to be charged with an administrative offence, depending on the circumstances of the case and the job duties of the said managers. Data subjects may bring civil lawsuits against operators seeking deletion of illegally collected data, compensation of moral hazard and damages (Art.24(2) PDL).
Operators should review their compliance and business documents, websites, mobile apps and other sources of personal data operating in Russia and/or accessible to users located in that country. Where appropriate, operators may rely on a lawful basis other than consent. For example, the PDL provides that personal data processing may be carried out without consent where necessary to perform a contract to which the data subject is a party, a beneficiary, or a surety, or for entering into such a contract at the initiative of a data subject.
Initiative to Restrict the Use of Consent as a Lawful Basis
Today, operators are free to use data processing consent as a lawful basis in all cases at their discretion. Contrary to the GDPR, it is common to rely on several lawful bases for one and the same process. For instance, online stores often collect consumer data for the purpose of rendering services and delivering products based on consumers’ consent and contracts simultaneously.
The Ministry of Digital Development, Telecom and Mass Communications has recently published for public review a draft bill intended to combat cyber-fraud, though it significantly impacts businesses.3 The Government is expected to submit it to Parliament for consideration. Among other things, the draft bill introduces the following restriction: “The operator has no right to require consent to the processing of personal data in cases where the obligation to obtain such consent is not established by an international treaty of the Russian Federation or by federal law.” Currently, the PDL explicitly requires the operator to obtain consent to engage a data processor, conduct direct marketing, perform fully automated data processing triggering legal consequences for data subjects, and in other circumstances. If adopted, this requirement would prevent operators from using consent in most business operations, such as using cookie files and receiving feedback on websites, operating call centers, communicating with job applicants, running loyalty programs, etc. Businesses would have to rely primarily on performance of their obligations and duties under law (e.g. the employer processes employee data for HR and financing purposes by virtue of the Labour Code), contracts with data subjects and the operator’s legitimate interests as lawful bases for personal data processing.
Given that neither the current law nor the draft bill defines the criteria for legitimate interest or detailed rules on data processing under consumer contracts, relying on these bases may present practical challenges.
The draft bill states that data subjects will have the right to grant or withdraw consent either directly to the operator or through the online portal of state services4 beginning March 1, 2028. The technical side of communication between operators and data subjects remains unclear.
Companies operating in Russia should keep monitoring the upcoming legislative changes and case law developments.
