Latvia: DVI's new cookie guidelines - Key takeaways

The Data State Inspectorate ('DVI') published, on 16 March 2022, guidelines for using cookies on websites [1] ('the Cookie Guidelines') and a model cookie policy [2]. The Cookie Guidelines are very comprehensive and discuss, among other things, consent, consent exemptions, transparency obligations, and cookie consent mechanisms, while also outlining different types of cookies. OneTrust DataGuidance summarises the key points from the Cookie Guidelines.

When is consent required?

The Cookie Guidelines clarify that prior consent of the subscriber or user is required before placing cookies on the user's or subscriber's device, as required by Section 7.1(1) of the Law on Information Society Services of 4 November 2004 ('the Information Society Services Law'). Furthermore, the subscriber or user must have been provided with clear and comprehensive information on the purpose of the processing before consenting, in accordance with the Data Protection Law (Section 7.1(1) of the Information Society Services Law).

Consent is, however, not required if the cookie is necessary for the flow of information in the electronic communications network or for providing a service requested by a subscriber or user as outlined in Section 7.1(2) of the Information Society Services Law. Furthermore, the Cookie Guidelines clarify that prior consent is not required in the case of technical cookies; however, when using analytical cookies prior consent is needed.

What cookies are exempted from consent?

As discussed above, prior consent is not required when the cookie is necessary for the flow of information in the electronic communications network or for providing a service requested by a subscriber or user. For example, the Cookie Guidelines state that the use of personalised cookies does not require consent, as these cookies are responsible for a service that is directly requested by users, such as when users choose the website language by clicking on the relevant section on the website. However, personalised cookies must be used solely for this purpose in order to fall under the consent exemption.

Furthermore, the Cookie Guidelines outline that pursuant to Section 7.1(2) of the Information Society Services Law the following cookies are not subject to consent:

  • user-input cookies (session ID), such as first-party cookies to track what the user inputs when filling in online forms, shopping carts, etc.;
  • authentication cookies to identify the user during the session;
  • user-centric security cookies used to detect authentication breaches for a limited, persistent period of time;
  • media player cookies used to store technical data for the playback of video or audio content during a session;
  • in-session load balancing cookies;
  • user customisation cookies, such as language or background preferences, during the session or slightly longer; and
  • third-party social plug-in content sharing cookies for social network members.

The Cookie Guidelines also provide that where the website uses cookies that are exempted from the consent requirement, the controller may inform the user of the existence of cookies in a privacy policy that must be available on the website. However, in this case it is not obligatory for the controller to use a pop-up window to inform users that the website uses technical cookies. On the other hand, if the controller chooses to provide the information via a pop-up alert, the controller does not have to seek consent in the pop-up alert, though it must provide clear and comprehensive information.

How to design a cookie consent mechanism?

Among other things, the Cookie Guidelines note that when using a pop-up warning window, controllers must not use text that 'prompts' the user to accept cookies instead of rejecting them. Therefore, if the 'Accept' button is used on the pop-up warning window, the controller should equally highlight the option that allows the user to 'Decline' the use of cookies. For example, the individual options must be of the same colour, without any highlights, and should be of the same font and colour fill.

Furthermore, the Cookie Guidelines highlight that information must be presented in a way that the user can recognise it and not confuse it with advertising or other information on the website. Therefore, it is important to ensure that the button, link or box that indicates an active action is at or near the point where information about the use of cookies is provided on the website. In addition, the information about the use of cookies must be available on the website and must not disappear until the user has consented to or opted out of the use of cookies. Moreover, clicking on the 'more information about cookies' link cannot be considered as consent, as the user is only requesting additional information, nor can the absence of any action be considered as valid consent.

However, closing the cookie alert window is an active action by the user indicating that the user has not decided regarding the use of cookies on the website. Thus, in this case using non-essential cookies is not allowed until the user consents to the use of such cookies.

What information must be given?

The Cookie Guidelines note in particular that controllers should consider the target audience and the approximate age of the target audience for which the service is offered when determining the language used in the information to be provided to the user or subscriber. Additionally, the information should be specific and definitive and should not leave room for interpretation. The legal basis and the purposes of processing must especially be clear. Furthermore, controllers should avoid using terms such as 'may', 'could', 'some', 'often' and 'probably'. The Cookie Guidelines also emphasise that if controllers are not able to use specific language, they should demonstrate, in accordance with the principle of accountability, why it is not possible to avoid using non-specific language and that this does not undermine the integrity of the processing.

Additionally, the Cookie Guidelines suggest a multi-layered approach to cookie notices to help address information overload by allowing users to navigate directly to the section in the notice that they are interested in. Multi-layered cookie notices allow controllers to link different categories of information that need to be provided as part of the transparency principle. However, the Cookie Guidelines emphasise that despite this, all information should be easily available in one section of the website or in one document in cases where the user wants to read the full information on cookies.

Furthermore, the Cookie Guidelines outline that the first layer of the cookie notice should be such that the user can clearly see the information available to them about the processing of their personal data and where or how they can find more detailed information about cookies. Hence, according to the Cookie Guidelines the first layer should include the following information:

  • Controller's name. However, if the controller's identification data is provided in other sections of the website, in the 'About', 'Contact', etc. sections, it is not necessary to identify the controller by the name of the company in the first layer. Also, if the identity of the controller can be clearly read from the domain address, for example, the domain name is the same as the name or trademark by which the controller is known to the general public, or if such name or trademark is clearly indicated on the website, then a separate name of the controller is not necessary in the information notice.
  • Purposes of cookies used on the website.
  • Information on whether the cookies used are first-party, i.e. controller cookies only, or third-party cookies.
  • General information about the type of data collected and used when profiling users, for example when using analytical cookies.
  • The way in which users can accept, set and reject cookies.
  • A clearly visible link connecting to the second layer, which contains more detailed information, such as 'Cookie Policy' or 'Click here for more information'. The same link can be used to redirect users to the cookie settings panel if such access to the settings panel is made directly so users do not need to browse the second information layer to find it.

Moreover, the Cookie Guidelines state that the first layer of the information must be provided to the user before the cookie is used, in a format that is visible to the user and which must be retained until the user provides consent or refusal in the prescribed manner.

Furthermore, the information in the second layer, which can be for example a cookie policy, must be permanently available on the website or application and it should contain the following information as outlined in the Cookie Guidelines:

  • Definition and general function of cookies.
  • Information about the types of cookies used and their purposes.
  • Recipients of cookies. Users must be able to identify the controller(s) of the processing(s), including joint controllers, before consenting or refusing cookies. To achieve this, information about the controllers can be aggregated in a list, allowing users to consult this list as part of the information to be provided in addition to the first layer. The list should be easily accessible to users at all times, regardless of whether the processing relates to a website or a mobile app. The list of the most recent data controllers should preferably be placed in areas of the screen that attract users' attention or in areas where it is easy for the user to find it during navigation. The user must be informed who will process the information obtained from each specific cookie i.e. the first party service provider or third parties. However, if the service provider is not able to provide sufficient explanation of the purpose of the use of third-party cookies, information may be provided, including a link to the third party's website. In this case, the solution may be the use of a Consent Management Platform ('CMP'), which complies with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
  • Information on how to confirm, refuse or withdraw consent to the use of cookies and the consequences if the user refuses to accept cookies.
  • Information about the cookie retention period. This applies to first-party and third-party cookies and, if it is not possible to determine the period for which cookies will be stored, the criteria used to determine that period must be specified.
  • Where applicable, information that the controller intends to transfer the personal data to a third country or an international organisation.
  • Information on profiling where it involves automated decision-making, which can have a significant impact on users. Under the GDPR, meaningful information must be provided on the logic behind profiling, as well as on the relevance of such processing and the foreseeable consequences for users.

What is the status of analytical cookies?

'Analytical cookies' are defined in the Cookie Guidelines as allowing the cookie manager to track and analyse user behaviour on websites. This category includes cookies used by advertisers to track a user's habits when browsing websites, thereby allowing advertisers to tailor advertisements to the user's interests. Analytical cookies also include cookies that allow statistical information relating to website visitors to be obtained. Essentially, any information obtained through the use of analytical cookies is used to measure the performance of any website, application or platform in order to improve the analysis of data relating to the use of the services provided to users.

The Cookie Guidelines make it clear that consent is required for the use of analytical cookies in accordance with Section 7.1(1) of the Information Society Services Law. However, before obtaining consent, the user must be provided with clear and comprehensive information about the purposes of the use of analytical cookies.

How long is consent valid?

The Cookie Guidelines note that websites must implement 'agree'/'disagree' cookies which store the choices made by the user of the IP address concerned about the cookies used on the website in order to demonstrate consent.

In addition, the Cookie Guidelines state that there is no specific time limit for how long consent is valid, as this depends on the context, the scope of the original consent and the user's expectations. However, if the processing activities change or evolve substantially, the original consent will no longer be valid, hence a new consent must be sought. 

Furthermore, the Cookie Guidelines note that consent should be regularly reviewed and updated to comply with the latest cookie consent requirements as part of good practice. Moreover, cookie consent is valid until the purpose of the processing of personal data is achieved. If the purpose of the processing of personal data has been achieved or changed, consent for the use of cookies on the website must be requested again and this also applies when changes are made to the range and purpose of cookies.

Alexandra From, Privacy Analyst

[1] Available in Latvian at: https://www.dvi.gov.lv/lv/media/1517/download
[2] Available to download in Latvian at: https://www.dvi.gov.lv/lv/media/1520/download