On 16 March 2022, the Latvian data protection authority, the Data State Inspectorate (DVI), published Guidance on the use of cookies by goods and service providers, along with a model cookie policy that websites can use. The guidance outlines the categories and types of cookies for which the user’s consent is required, the conditions applicable to the use of cookies on websites, the use of consent tools including consent management platforms, and methods of obtaining consent. According to the DVI, it is important that users pay attention and read cookie policies in detail to determine which data controllers are ‘trustworthy’. It further states that this guidance is relevant for data controllers that process personal data on their websites on a daily basis.

Some of the key takeaways of the Guidelines are as follows:

  • Consent for the use of Cookies
    All non-essential cookies and similar tracking technologies require the consent of the user. According to the DVI, the categories of cookies as per their purpose are:

    1. Technical Cookies/Functional Cookies: Essential cookies are considered necessary to provide the service or functionality of the website or facilitate communications over a network. Given the technical nature of these cookies, this category also includes cookies that allow advertising fields included in the design of websites, to be managed as efficiently as possible, provided that the user information is not collected for other purposes, such as personalising and customizing content. The user’s consent is not required for the use of such cookies.
    2. Personalized Cookies: These are optional cookies that are also referred to as visitor settings cookies. Personalized cookies allow websites to remember user preferences. Examples of such user preferences include the language chosen, the number of search results requested, the aspect of the service or content depending on the browser and its availability in the particular registration, etc. The user’s consent is not required for the use of such cookies.
    3. Analytical Cookies: These are optional cookies used by advertisers that allow websites to track and analyse the user’s browsing habits. Such cookies also allow advertisers to customize ads according to the user's interests. Cookies that allow statistical information in relation to website visitors are also considered analytical cookies. The user’s consent is required for the use of such cookies.
  • Consent for the use of similar tracking technologies:
    While these guidelines focus on cookies, they also cover the processing, storage and collection of information through similar tracking technologies that obtain information from the user's end device, such as web beacons and fingerprinting devices.
  • Valid Consent

    Consent must be given by a clearly affirmative action as per Article 4(11) of the GDPR. This implies a freely given, specific, informed and unambiguous indication of the data subject's consent to the processing of personal data relating to them, for example by a written statement, including by electronic means, or an oral statement. The DVI clarifies that any such cookie consent choice must not adversely affect the user and the choice must not affect the quality of the service received. This means the use of cookie walls is prohibited.
  • Consent of Underage Persons

    If the website user is under 13 years of age, the processing of personal data within the scope of public service will be lawful if the consent has been provided by the legal guardian. The data controller must make reasonable efforts to verify in such cases whether consent has been given or approved by a person who is a parent or legal guardian. Moreover, controllers are asked to refrain from profiling children for marketing purposes as children represent a vulnerable group of society and can be easily affected by behavioral advertising.
  • Ability to Withdraw Consent

    Data controllers must allow users to withdraw their consent at any time to the processing of cookies via a user-friendly and easy method. To this end, the website must provide information to users on how to withdraw consent and remove cookies.
  • Proof of Consent

    Where the processing is based on the consent of the data subject, data controllers must be able to provide, at any time, the proof of valid collection of users’ consent. Such consent records will help organizations demonstrate compliance with the applicable legal requirements.
  • Renewal of Consent

    Consent to cookies is valid until the purpose of the processing of personal data is achieved. If the purpose of the processing of personal data has been achieved or changed, then the data controller must request consent to the use of cookies on the website again.
  • Consent Management Tools 

    The DVI provides a non-exhaustive list of tools used for obtaining the user’s consent.

    1. Website Setup Menus

      Many websites and smartphone programs allow users to set service menus, for example, users can be asked to allow access to information on their smartphone. In this process, users can set their consent to cookies through the settings of an integrated user.
    2. Consent before Downloads of Featured Service or Applications

      Users should be duly informed that a request for download of a service or application in question requires their consent for the use of certain cookies for a specific purpose. Users should be informed if the processing of these cookies is provided by a third party and must be informed of the purposes of such third-party cookies to make an informed decision.
    3. Consent Management Platforms

      If the data controller is unable to provide sufficient information on the purpose of using third-party cookies, the information may be provided by including a link to a third-party website. In this case, the solution may be to use consent management platforms (CMPs) that meet the requirements of the GDPR.
  • User Browser Settings

    As a general rule, obtaining the user’s consent via the user’s browser settings is not permitted. However, in order for the user browser settings to constitute a valid. This is because an average user is not always aware of how to use their browser settings to reject cookies, even if the information is included in the privacy policy. The DVI emphasizes that inferring a user’s consent from their browser settings would mean that users accept data processing without possibly knowing the purposes of the cookies. Therefore, such consent is not valid.
  • Compliant Cookie Banner

    Data controllers must provide clear, concise, simple, perceptible, and comprehensive information to the users about the use of cookies. This must include information on the purpose of using cookies including essential/technical cookies, communicated to users in a transparent manner before the processing of cookies.

Multi-layered Approach to Ensure Transparency

Controllers may use a multi-layered approach to ensure transparency. Multi-layer cookie notifications can help address the issue of information overload by allowing users to switch directly to the section of the notification they want to read. The layers should contain the following:

1. First Layer: This layer is to include information provided prior to the use of cookies and must be stored until consent or refusal is provided. It must contain the name of the manager (controller), provided that the controller’s identification data is not clearly indicated in other sections of the website; purposes of the use of cookies; categories of cookies (whether they are first-party or third-party cookies); general information about types of data collected and when user profiling is used; a mechanism for users to accept, set and reject cookies; and a link connecting to the second information level, which contains information such as the "Cookie Policy" or access to the cookie setup panel. As per the DVI, an example of a good practice compliant cookie banner (first layer) is:

Cookies

We use our own and third-party cookies to store your shopping history and use information about your previously purchased products to advise you on other products that we believe will be of interest to you. To learn more about our cookie policy, please click on the "More information" button.

You can agree to all cookies by clicking on the "Agree" button or reject by clicking the "Disagree" button.

If the website user clicks on the "Disagree" button, the website stores the technical cookies that are necessary to ensure the operation of the site and the use of which does not require the user's consent.

2. Second Layer: This layer is to include information that must be permanently available on the website. It must include the Cookie Policy; the purpose of cookies; the identity of the recipients of the cookies; information on how to confirm, refuse or withdraw consent to the use of cookies; information on consequences if the user refuses to consent to cookies; information about the period of storage of cookies; information pertaining to third-party transfers (including cross-border transfers) of personal data; profiling information related to automated decision-making which can have a significant impact on users.

Agree and Disagree Buttons

In order to ensure that the cookie banner complies with the applicable legal requirements, data controllers must give equal prominence to “Agree”, “Disagree” and “More Information” buttons on the cookie consent banner. This means that these buttons should be in the same font and color fill, without any accents.

  • Cookie Policy

    In order to be compliant with the principle of transparency, the terms and conditions included in the cookie policy developed by the data controller should contain information about the planned processing of personal data by using cookies. This should include information on categories of cookies:

    • According to their management structure;
    • According to the purpose of processing thereof;
    • According to their shelf life.

    This obligation requires data controllers to outline such information in an intelligible manner and appropriate language for the users before they are offered the opportunity to consent or refuse consent. The DVI has also provided a model cookie policy on their website for further clarification.

  • Cookie Lifespans

    Subject to the principles of minimization and retention restrictions, cookies cannot be stored longer than necessary to achieve the purpose.
  • Impact Assessment before the use of cookies

    The Data State Inspectorate has published a list of processing operations for which the performance of a data protection impact assessment is mandatory. The list contains processing operations that include systematic monitoring, tracking or surveillance of the location or behavior of individuals, as well as large-scale profiling of individuals. Consequently, the DVI encourages careful consideration of performing a data protection impact assessment if the website offers content that could be attributed to sensitive personal data (e.g. a dating network website, or a website providing health information services), or which the client could consider to be specially protected (for example, the main activity of the website is related to a financial service). This is also recommended in cases where an analysis carried out by the controller concludes that the processing may pose a high risk to the rights and freedoms of the data subject.

How Can Securiti Help?

Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements. It can help you comply with the Latvian Guidance on the use of cookies with the help of the following features:

  • Periodic scanning of websites
  • Configurable preference center
  • Auto-blocking of non-essential cookies
  • Dynamic consent refresh
  • Granular consent records and reporting

Ask for a DEMO today to understand how Securiti can help you comply with consent requirements of global data privacy laws and regulations, with ease.
