Latvia: DVI's new cookie guidelines - Key takeaways
When is consent required?
The Cookie Guidelines clarify that prior consent of the subscriber or user is required before placing cookies on the user's or subscriber's device, as required by Section 7.1(1) of the Law on Information Society Services of 4 November 2004 ('the Information Society Services Law'). Furthermore, the subscriber or user must have been provided with clear and comprehensive information on the purpose of the processing before consenting, in accordance with the Data Protection Law (Section 7.1(1) of the Information Society Services Law).
Consent is, however, not required if the cookie is necessary for the flow of information in the electronic communications network or for providing a service requested by a subscriber or user as outlined in Section 7.1(2) of the Information Society Services Law. Furthermore, the Cookie Guidelines clarify that prior consent is not required in the case of technical cookies; however, when using analytical cookies prior consent is needed.
What cookies are exempted from consent?
As discussed above, prior consent is not required when the cookie is necessary for the flow of information in the electronic communications network or for providing a service requested by a subscriber or user. For example, the Cookie Guidelines state that the use of personalised cookies does not require consent, as these cookies are responsible for a service that is directly requested by users, such as when users choose the website language by clicking on the relevant section on the website. However, personalised cookies must be used solely for this purpose in order to fall under the consent exemption.
Furthermore, the Cookie Guidelines outline that pursuant to Section 7.1(2) of the Information Society Services Law the following cookies are not subject to consent:
- user-input cookies (session ID), such as first-party cookies to track what the user inputs when filling in online forms, shopping carts, etc.;
- authentication cookies to identify the user during the session;
- user-centric security cookies used to detect authentication breaches for a limited, persistent period of time;
- media player cookies used to store technical data for the playback of video or audio content during a session;
- in-session load balancing cookies;
- user customisation cookies, such as language or background preferences, during the session or slightly longer; and
- third-party social plug-in content sharing cookies for social network members.
How to design a cookie consent mechanism?
What information must be given?
The Cookie Guidelines note in particular that, when determining the language used in the information to be provided to the user or subscriber, controllers should consider the target audience for which the service is offered and its approximate age. Additionally, the information should be specific and definitive and should not leave room for interpretation. In particular, the legal basis and the purposes of processing must be clear. Furthermore, controllers should avoid using terms such as 'may', 'could', 'some', 'often' and 'probably'. The Cookie Guidelines also emphasise that if controllers are not able to use specific language, they should demonstrate, in accordance with the principle of accountability, why it is not possible to avoid using non-specific language and that this does not undermine the integrity of the processing.
Additionally, the Cookie Guidelines suggest a multi-layered approach to cookie notices to help address information overload by allowing users to navigate directly to the section in the notice that they are interested in. Multi-layered cookie notices allow controllers to link different categories of information that need to be provided as part of the transparency principle. However, the Cookie Guidelines emphasise that despite this, all information should be easily available in one section of the website or in one document in cases where the user wants to read the full information on cookies.
Furthermore, the Cookie Guidelines outline that the first layer of the cookie notice should be such that the user can clearly see the information available to them about the processing of their personal data and where or how they can find more detailed information about cookies. Hence, according to the Cookie Guidelines the first layer should include the following information:
- Controller's name. However, if the controller's identification data is provided in other sections of the website, such as the 'About' or 'Contact' sections, it is not necessary to identify the controller by the name of the company in the first layer. Also, if the identity of the controller can be clearly read from the domain address (for example, because the domain name is the same as the name or trademark by which the controller is known to the general public), or if such name or trademark is clearly indicated on the website, then a separate name of the controller is not necessary in the information notice.
- Purposes of cookies used on the website.
- Information on whether the cookies used are first-party (i.e. controller cookies only) or third-party cookies.
- General information about the type of data collected and used when profiling users, for example when using analytical cookies.
- The way in which users can accept, set and reject cookies.
Moreover, the Cookie Guidelines state that the first layer of the information must be provided to the user before the cookie is used, in a format that is visible to the user and which must be retained until the user provides consent or refusal in the prescribed manner.
- Definition and general function of cookies.
- Information about the types of cookies used and their purposes.
- Recipients of cookies. Users must be able to identify the controller(s) of the processing(s), including joint controllers, before consenting or refusing cookies. To achieve this, information about the controllers can be aggregated in a list, allowing users to consult this list as part of the information to be provided in addition to the first layer. The list should be easily accessible to users at all times, regardless of whether the processing relates to a website or a mobile app. The list of the most recent data controllers should preferably be placed in areas of the screen that attract users' attention or in areas where it is easy for the user to find it during navigation. The user must be informed who will process the information obtained from each specific cookie, i.e. the first-party service provider or third parties. However, if the service provider is not able to provide sufficient explanation of the purpose of the use of third-party cookies, information may be provided, including a link to the third party's website. In this case, the solution may be the use of a Consent Management Platform ('CMP'), which complies with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
- Information about the cookie retention period. This applies to first-party and third-party cookies and, if it is not possible to determine the period for which cookies will be stored, the criteria used to determine that period must be specified.
- Where applicable, information that the controller intends to transfer the personal data to a third country or an international organisation.
- Information on profiling where it involves automated decision-making, which can have a significant impact on users. Under the GDPR, meaningful information must be provided on the logic behind profiling, as well as on the relevance of such processing and the foreseeable consequences for users.
What is the status of analytical cookies?
'Analytical cookies' are defined in the Cookie Guidelines as allowing the cookie manager to track and analyse user behaviour on websites. This category includes cookies used by advertisers to track a user's habits when browsing websites, thereby allowing advertisers to tailor advertisements to the user's interests. Analytical cookies also include cookies that allow statistical information relating to website visitors to be obtained. Essentially, any information obtained through the use of analytical cookies is used to measure the performance of any website, application or platform in order to improve the analysis of data relating to the use of the services provided to users.
The Cookie Guidelines make it clear that consent is required for the use of analytical cookies in accordance with Section 7.1(1) of the Information Society Services Law. However, before obtaining consent, the user must be provided with clear and comprehensive information about the purposes of the use of analytical cookies.
How long is consent valid?
The Cookie Guidelines note that, in order to demonstrate consent, websites must implement 'agree'/'disagree' cookies which store the choices that the user of the IP address concerned has made about the cookies used on the website.
In addition, the Cookie Guidelines state that there is no specific time limit for how long consent is valid, as this depends on the context, the scope of the original consent and the user's expectations. However, if the processing activities change or evolve substantially, the original consent will no longer be valid, hence a new consent must be sought.
Alexandra From Privacy Analyst