DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

🇱🇺 European Union

Cookie consent in Lëtzebuerg

Consent and privacy law in Lëtzebuerg

In short
Luxembourg's CNPD acts as lead supervisory authority for several large international companies headquartered there, which makes it a significant cross border regulator despite the country's small size. The CNPD issued one of the largest GDPR fines on record against a major online retailer. Cookie rules derive from the national electronic communications framework and require consent for non-essential cookies. Luxembourg is multilingual, so notices may be in French, German, or Luxembourgish depending on the audience. The CNPD requires opt-in consent, an easy reject path, and clear information. Controllers should keep consent records and avoid pre-ticked boxes.
Authority
Commission nationale pour la protection des données (CNPD)
Status

GDPR applies since 25 May 2018, with the national Law of 1 August 2018

Primary law
GDPR
Languages

fr, de, lb

Who must comply

Any organization that offers goods or services to people in the EU or monitors their behavior, wherever the organization is based.

Penalties

Up to 20 million euros or 4 percent of global annual turnover, whichever is higher

Key obligations

  • Obtain prior, opt-in consent before non-essential cookies
  • Make refusing as easy as accepting
  • Keep records that prove consent
  • Honor withdrawal at any time
  • Respect data subject rights (access, erasure, portability)

Local guidance

  • Note the CNPD's role as lead authority for major companies
  • Provide notices in French, German, or Luxembourgish as appropriate
  • Use opt-in consent and an easy reject path
  • Keep consent records and avoid pre-ticked boxes

How ConsentX helps

  • Prior-script blocking for true opt-in
  • Equal-weight Allow and Reject controls
  • Tamper-evident consent receipts and evidence
  • One-click withdrawal trigger
  • Built-in DSAR workflow with 30-day SLA
Get started free
yoursite.com
🇱🇺 Luxembourg

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Luxembourg using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Luxembourg.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that Luxembourg requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Luxembourg audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Why is Luxembourg's CNPD important despite the small country?+

Several large international companies are headquartered in Luxembourg, so the CNPD acts as lead authority for major cross border cases and has issued some of the largest GDPR fines on record.

What languages should Luxembourg cookie notices use?+

Luxembourg is multilingual, so notices may be in French, German, or Luxembourgish depending on the audience being served.

Governing law

🇪🇺 GDPR

Other countries in European Union

🇩🇪 Deutschland🇫🇷 France🇪🇸 España🇮🇹 Italia🇳🇱 Nederland🇧🇪 België / Belgique🇵🇱 Polska🇵🇹 Portugal🇸🇪 Sverige🇦🇹 Österreich🇮🇪 Éire / Ireland🇩🇰 Danmark