What is the Latvian DPA Cookie Guidelines and How Can You Comply with Them?

Latvian Data Protection Authority - DVI published its cookie guidelines in April 2022. The cookie guidelines were released following the cookie audit of websites of a number of merchants operating in Latvia, the result of which suggests that most of the websites are in violation of cookie laws in force in Latvia. 

Cookie Audit carried out by DVI

In February 2022, the Latvian DPA - Data Protection Inspectorate (DVI) released the results of its cookie audit of 29 websites. The DVI audited whether users of these websites were given clear and comprehensive information about the use of cookies, and whether consent obtained from the users was valid. According to the audit, several websites were found to be in violation of the GDPR and Latvia's Information Society Services Act. 

The Latvian DPA sent warnings to these website owners in order to bring their websites into compliance with the GDPR and Information Society Services Act. The merchants were given until 11 April or 12 August to cure violations depending on the nature of violations. 

Cookie Laws in Latvia

The use of cookies is subject to two pieces of legislation - the Information Society Services Act, which was adopted to transpose, inter alia, the ePrivacy Directive, and the General Data Protection Regulation (GDPR). The DVI refers to the Opinion issued by the European Data Protection Board (EDPB) which states that although the material scope of the two pieces of legislation is different, there are areas where the scope of both the GDPR and the ePrivacy Directive overlap. This is the case for the use of cookies. That is why, when using cookies on websites, it is important to ensure compliance with both the Information Society Services Law (national implementation of the ePrivacy Directive in Latvia) and the GDPR. 

What are Latvian DPA Cookie Guidelines

In March 2022, right after the results of the cookie audit was released, the Latvian Dast State Inspectorate published its cookie guidelines (“Cookie Guidelines”). The Cookie Guidelines set out information about cookies and their categories, requirements for lawful use of cookies by website owners and a model cookie policy for websites to publish on their sites. 

Categories of Cookies according to their purposes

The Cookie Guidelines distinguish between 3 types of cookies based on their purposes. These are 1) technical cookies (also referred to as functional cookies), 2) personalized cookies, 3) analytical cookies.

Technical cookies are those without which the website cannot function. These cookies are used  to  operate and manage the  website, which allow you to perform the functions of the website and provide the intended services, such as controlling traffic and communication, identifying the session, saving items into the shopping cart, completing the payment process, managing  payment, detect and prevent fraudulent activity, count the number of uses for software  licenses  that  allow you to use the service, etc. Without the use of technical cookies, a website or service may appear incomplete, both visually and technically. Technical cookies do not require consent  under the Information Society Services Act.

On the other hand, personalized cookies and analytics cookies are optional cookies that help to customize the content of the website and to analyze users’ activities on the website. The use of personalized cookies allows the website to remember the language or visual layout. Under certain circumstances, these cookies may be used without consent. For example, if a user chooses the language of the website by clicking on the  appropriate section of the website, you are no longer obliged to request consent for placing personalized cookies to save the language choice of the user. 

Analytical cookies track the user's activities, obtaining statistics on his/her habits, length of stay on specific website links and how often the website is visited by that user. The use of these cookies require prior consent of the user.

What are the requirements of the Latvian DPA Cookie Guidelines?

In order to comply with the Latvian DPA Cookie Guidelines, you should satisfy the following requirements:

1. Provide clear and comprehensible information to the users

The Law on Information Society Services of Latvia sets out that before using any cookies  (including technical cookies), the user must be provided with comprehensive and clear  information about the use of cookies and their purposes. This requirement mirrors that of the ePrivacy Directive. 

2. Use multi-layered approach

The Latvian Cookie Guidelines recommend using multi-layer cookie notifications. Instead of displaying all the information about cookies in one notification on the device screen, it should be divided into separate sections, avoiding information overload.

The first layer should be clearly visible to the user and should include information about the processing of users’ personal data and where/how users can find more detailed information about cookies.

The first layer of information should contain the following information:

• Identity of the website owner. 
• The purposes for which the cookies placed on the website are used.
• Information whether only first-party cookies are used, or whether there are third-party cookies as well.
• General information on what data is collected when using analytics cookies
• The way users can accept, reject or customize cookies

If there is a section on the website that provides information about the identity of the website owner (i.e., About the Company) then it is not necessary to identify the website owner in the first layer. Additionally, if the identity of the controller can be clearly understood from the domain address (for example, the domain name is the same as the website owner's name/trademark by which it is known to the general public, or if such a name/trademark is clearly indicated on the website), identity is not required to be repealed in the first layer.

The second layer should be accessible from the first layer. There should be a clear link to the second level of information, which contains more detailed information, such as "Cookie Policy" or "Click here for more information". The same link can be used to redirect users to the cookie settings panel if such access to the settings panel is done directly (users do not have to browse the second layer of information to find it).

3. Keep the cookie notice until the user makes a decision

The information provided to the user about the use of the cookies must be provided prior to the use of cookies, in a format that is visible to users. This information must be retained until the user consents or refuses in the prescribed manner. 

4. Consent must conform with GDPR standards

Consent provided by the website users must conform with GDPR standards of consent. In order for consent to be GDPR compliant it must be freely given, specific, informed and unambiguous indication of the wishes of the data subject.

5. Have both “Accept” and “Reject” options

The user should be given the options to accept and reject the use of cookies at the same time. Furthermore, the users must be provided a section where they can find more information about cookies (i.e., the "More information" button).

6. Closing the banner cannot be considered consent

The fact that a user decides to close a pop-up notification window (for example, by pressing the  "X" option) cannot be considered consent to the use of cookies, as pressing the "X" option  closes the informational alert and does not select whether the user "agrees" or "rejects" the cookies on the website.

7. Do not rely on browser settings for consent

Relying on the user's browser settings as a method of obtaining consent is not considered to comply with the requirements of the General Data Protection Regulation. That is why it is not recommended to rely on browser settings as an indication of consent.

8. Consent must be demonstrable

If the processing is based on the data subject's consent, the website owner must be able to demonstrate that the data subject has given his/her consent to the processing operation. 

9. Consent must be withdrawn easily

The user of the website can withdraw his/her consent at any time as easily as he/she has given it. To this end, the website must provide information on how to withdraw consent and remove cookies. For example, if consent is obtained with just one mouse click or  keystroke, data subjects should be able to withdraw that consent just as easily.

10. Renew consent regularly

It is a good practice to regularly review and update the consent. Consent to cookies is valid until the purpose of processing personal data is achieved. If the purpose of the processing of personal data has been achieved or changed, the consent to the use of cookies on the website must be requested again.

Model Cookies Policy

The Cookie Guidelines provide a model cookie policy for websites. The model cookie policy includes the following elements:

• Information on what cookies are
• Purposes of different types of cookies
• List of cookies used on the website
• Information on how a user can accept and reject cookies
• Information on how a user can withdraw consent

How to Obtain Valid GDPR Cookie Consent under the Latvian DPA’s Cookie Guidance

With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:

• You implement a layered approach to seeking and explaining cookie consent to users. With the Secure Privacy cookie banner, you can first inform users about the need to use cookies and why their consent is required for their placement. Secondly, our banner also helps you explain to users the different types and analytics tools you use in your cookie notice.
• You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner ensures that consent is obtained for all purposes by allowing users to select the types of cookies to which they consent.  See more about the GDPR cookie guidelines.
• You include an opt-in for every type of cookie on your website that is not pre-checked to show user consent.
• You provide information on how to withdraw consent for using cookies within your cookie notice and a mechanism to guarantee that your visitors re-affirm their consent after every six months.
• You record consents in a way that can show the visitors ability to withdraw.
• You include a link to the cookie notice to give users additional information, such as the third parties that will have access to their personal data in case they give consent to the installation of a third-party analytics cookie.

If you would like to receive additional information on the BDPA’s cookies guidance or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.

Relevant Links

Latvian Data State Inspectorate official website

Latvian DSI Cookie Guidelines (available in Latvian)

Additional Resources

Spanish AEPD Cookie Guidelines: The Ultimate Guide

Germany’s DSK

French CNIL Consent Guidelines

The Dutch DPA's Cookie Consent Guidelines

Greek DPA Cookie Consent Guidelines

Italian DPA Cookie Guidelines

Luxembourg DPA Cookie Guidelines

DSK Germany Cookie Guidelines

The ultimate guide to GDPR Cookie Consent Compliance

Czech Cookie Law