Latvian Guide on the use of Cookies

On 16 March 2022, the Latvian data protection authority, Data State Inspectorate (DVI) published Guidance on the use of cookies by goods and service providers and a model cookie policy that can be used by websites. The guidance outlines categories and types of cookies for which user’s consent is required, applicable conditions for the use of cookies on websites, the use of consent tools including consent management platforms, as well as methods of obtaining consent. According to the DVI, it is pertinent that users pay attention and read cookie policies in detail, to decipher which data controllers are ‘trustworthy’. It also further states that this guidance is relevant for data controllers that process personal data on their websites on a daily basis.

Some of the key takeaways of the Guidelines are as follows:

• Consent for the use of Cookies
  All non-essential cookies and similar tracking technologies require the consent of the user. According to the DVI, the categories of cookies as per their purpose are:
  1. Technical Cookies/Functional Cookies: Essential cookies are considered necessary to provide the service or functionality of the website or facilitate communications over a network. Given the technical nature of these cookies, this category also includes cookies that allow advertising fields included in the design of websites, to be managed as efficiently as possible, provided that the user information is not collected for other purposes, such as personalising and customizing content. The user’s consent is not required for the use of such cookies.
  2. Personalized Cookies: These are optional cookies that are also referred to as visitor settings cookies. Personalized cookies allow websites to remember user preferences. Examples of such user preferences include: the language chosen, the number of search results requested, the aspect of the service or content depending on the browser and its availability in the particular registration, etc; The user’s consent is not required for the use of such cookies.
  3. Analytical Cookies: These are optional cookies used by advertisers that allow websites to track and analyse the user’s browsing habits. Such cookies also allow advertisers to customize ads according to the user's interests. Cookies that allow statistical information in relation to website visitors are also considered analytical cookies. The user’s consent is required for the use of such cookies.
• Consent for the use of similar tracking technologies:
  While these guidelines focus on cookies, these also cover the use of the processing, storage and collection of information through similar tracking technologies that obtain information from the user's end device such as web beacons and fingerprinting devices.
• Valid Consent
  
  Consent must be given by a clearly affirmative action as per Article 4(11) of the GDPR. This implies a freely given, specific, informed and unambiguous indication of the data subject's consent to the processing of personal data relating to them, for example by written, including by means of an electric, or oral statement. The DVI clarifies that any such cookie consent choice must not adversely affect the user and the choice must not affect the quality of the service received. This means the use of cookie walls is prohibited.
• Consent of Underage Persons
  
  ​​If the website user is under 13 years of age, the processing of personal data within the scope of public service will be lawful if the consent has been provided by the legal guardian. The data controller must make reasonable efforts to verify in such cases whether consent has been given or approved by a person who is a parent or legal guardian. Moreover, controllers are asked to refrain from profiling children for marketing purposes as children represent a vulnerable group of society and can be easily affected by behavioral advertising.
• Ability to Withdraw Consent
  
  Data controllers must allow users to withdraw their consent at any time to the processing of cookies via a user-friendly and easy method. To this end, the website must provide information to users on how to withdraw consent and remove cookies.
• Proof of Consent
  
  Where the processing is based on the consent of the data subject, data controllers must be able to provide, at any time, the proof of valid collection of users’ consent. Such consent records will help organizations demonstrate compliance with the applicable legal requirements.
• Renewal of Consent
  
  Consent to cookies is valid until the purpose of the processing of personal data is achieved. If the purpose of the processing of personal data has been achieved or changed, then the data controller must request consent to the use of cookies on the website again.
• Consent Management ToolsThe DVI provides a non-exhaustive list of tools used for obtaining the user’s consent.
  1. Website Setup Menus
     
     Many websites and smartphone programs allow users to set service menus, for example, users can be asked to allow access to information on their smartphone. In this process, users can set their consent to cookies through the settings of an integrated user.
  2. Consent before Downloads of Featured Service or Applications
     
     Users should be duly informed that a request for download of a service or application in question requires their consent for the use of certain cookies for a specific purpose. Users should be informed if the processing of these cookies is provided by a third party and must be informed of the purposes of such third-party cookies to make an informed decision.
  3. Consent Management Platforms
     
     If the data controller is unable to provide sufficient information on the purpose of using third-party cookies, information may be provided including a link to a third-party website. In this case, the solution may have consent management platforms (CMPs) that meet the requirements of GDPR.
• User Browser Settings
  
  As a general rule, obtaining the user’s consent via the user’s browser settings is not permitted. However, in order for the user browser settings to constitute a valid. This is because of the reason that an average user is not always aware of how to use their browser settings to reject cookies even if the information is included in the privacy policy. The DVI emphasizes that assuming user’s consent by its browser settings would mean that the users would accept data processing without possibly knowing the purposes of cookies. Therefore, such consent is not valid.
• Compliant Cookie Banner
  
  Data controllers must provide clear, concise, simple, perceptible, and comprehensive information to the users about the use of cookies. This must include information on the purpose of using cookies including essential/technical cookies, communicated to users in a transparent manner before the processing of cookies.

Multi-layered Approach to Ensure Transparency

Controllers may use a multi-layered approach to ensure transparency. Multi-layer cookie notifications can help address the issue of overloading of information by allowing users to switch directly to the section of the notification they want to read. The layers should contain the following:

1. First Layer : This layer is to include information provided prior to the use of cookies and must be stored until consent or refusal is provided. It must contain the name of the manager (controller) provided that the controller’s identification data is not clearly indicated in other sections of the website; purposes of the use of cookies; categories of cookies (whether they are first-party or third-party cookies); general information about types of data collected and when user profiling is used; mechanism for users to accept, set and reject cookies; a link connecting to the second information level which contains information such as the "Cookie Policy" or access to the cookie setup panel. As per the DVI, an example of a good practice compliant cookie banner (first layer) is: