Latvia has taken a clear position on cookie compliance: websites that place or access cookies on user devices must
inform users transparently and obtain valid consent where required. This obligation is enforced by Latvia’s national
data protection authority, the Datu valsts inspekcija (DVI), and is grounded in both EU rules and Latvia’s domestic
legal framework.
The DVI’s message is practical and enforcement-oriented: cookie consent banners and cookie policies are not optional
UX features. They are compliance controls meant to ensure users understand what is happening on their device and can
make a real choice before non-essential technologies run.
The legal basis: EU rules plus Latvian national law
Latvia’s cookie requirements arise from two overlapping frameworks:
(1) EU ePrivacy rules that regulate storing or accessing information on a user’s device, and
(2) the GDPR, which applies when cookies or similar technologies process personal data (for example, identifiers,
IP-based signals, or behavior-linked analytics).
Latvia implements these obligations in national law, including the Information Society Services Law, which requires
users to receive clear information about cookies before they are used. In practice, this means that if a cookie is not
strictly necessary to provide the service the user requested, websites should not deploy it until the user has been
informed and has provided valid consent.
Why cookie consent banners are mandatory in practice
The DVI’s logic is simple: to be meaningful, consent must come before tracking. If cookies are already placed before
a user can decide, any later “consent” is largely performative and may not meet the GDPR’s standard for informed,
freely given, specific consent.
Cookie banners are therefore treated as the first, user-facing compliance layer. They are the mechanism that makes
the legal requirement operational at the exact moment cookies would otherwise be set.
What a compliant banner needs to do
- Tell users that cookies or similar technologies are being used.
- Explain the main purposes at a high level (for example, analytics or marketing).
- Provide a genuine choice before non-essential cookies are set (accept, reject, and manage preferences).
- Link clearly to a detailed cookie policy for deeper information.
- Make it easy to change the decision later (withdraw or adjust consent without friction).
Cookie policy vs. privacy policy: a recurring compliance failure
One of the DVI’s recurring concerns is that organizations blur the line between cookie disclosures and broader privacy
notices. A privacy policy typically covers the organization’s full set of processing activities (accounts, support,
HR, transactions, and more). A cookie policy should focus specifically on cookies and similar technologies, including
what they do, why they run, and who receives the resulting data.
This distinction matters because cookie ecosystems often involve third parties, cross-border transfers, or profiling
logic that requires particularly clear disclosures. The DVI’s expectation is that cookie information is either
presented as a separate document or structured so it is unmissable and clearly separated within a broader notice.
The layered information model Latvia expects
Latvia aligns with the layered transparency approach used across Europe. The idea is to keep the first interaction
simple and readable, while still making full detail available immediately through a second layer.
In practice:
the banner provides the essential facts and choices at first visit, and the cookie policy provides deeper specifics
for users who want them.
What the DVI expects websites to disclose
- What cookies are and how they function on the user’s device.
- Which categories of cookies are used and the purpose of each category.
- Whether cookies are first-party or third-party, and who the recipients are.
- How long cookies persist (or the criteria used to determine retention).
- How users can refuse, grant, or withdraw consent at any time.
- Whether cookie data is transferred outside the EU/EEA and what safeguards apply where relevant.
- Whether cookies support profiling or materially affect users through automated logic.
Why Latvia is taking this seriously
Latvia’s approach reflects a wider EU enforcement trend: unlawful cookie practices are increasingly treated as
systemic privacy violations rather than minor technical mistakes. From the DVI’s perspective, cookie compliance is
about user autonomy and preventing covert tracking. That is why cookie consent banners are treated as compliance
infrastructure, not cosmetic design.
What this means for businesses
If your website is accessible to users in Latvia, you should assume cookie consent rules apply. Organizations that
fail to implement proper banners, granular controls, and clear cookie disclosures expose themselves to regulatory
scrutiny, potential orders to stop unlawful tracking, and, where GDPR applies, administrative penalties.
