Latvia’s Data State Inspectorate just published a blunt assessment of how badly most websites are handling cookie consent — and the problems they’re describing aren’t unique to Latvia.
Cookie banners have become one of the most universal features of the modern web. They’re also, by the assessment of regulators across Europe, one of the most widely abused. Latvia’s Data State Inspectorate — the DVI — published guidance this month that pulls no punches about what it has observed in practice: companies are systematically designing consent mechanisms that don’t produce real consent, and users are being misled about their rights in ways that undermine the legal foundation of the entire cookie compliance structure.
The DVI’s message to website operators is direct: the shortcomings it has described in previous guidance must be corrected proactively, without waiting for an enforcement action or a user complaint to force the issue. Given how broadly the problems it identifies are shared across the industry, that message carries well beyond Latvia’s borders.
What the DVI Found
The Inspectorate’s guidance identifies four categories of non-compliance that it has observed repeatedly in its website inspections.
Cookies installed before consent is obtained. This is the most fundamental violation of the consent framework, and it remains remarkably common. Analytics and marketing cookies are being dropped on users’ devices the moment they land on a page — before they’ve clicked anything, before they’ve been given a choice. Under GDPR and the ePrivacy framework, this is unlawful regardless of what the banner that appears a second later says. The consent must come first. The cookie must come after.
Misleading or unrealistic banner structure. Consent interfaces are often designed to make agreement the easiest path and refusal the hardest. “Accept all” is a single prominent button. Declining requires navigating through multiple layers of settings, unchecking boxes that were pre-ticked, or locating an option that isn’t immediately visible. The DVI characterizes this as a structural problem, not a cosmetic one: a banner designed to make refusal inconvenient is a banner designed to produce invalid consent.
Incomplete information about cookie use. Users are frequently not told — clearly and accessibly — which specific cookies are being set, what they’re used for, who the third parties receiving data are, or how that data connects to the targeted advertising they subsequently see. The DVI notes that many users don’t understand the relationship between their cookie choices and the ads that follow them around the web. That informational gap is not a user education problem. It’s a disclosure failure by the controller.
Non-functioning banners. In the most egregious cases, the banner exists but the choices don’t work. Users select preferences that are not honored. Opt-outs don’t register. Or the banner reappears repeatedly as though no choice was ever made, wearing down the user’s willingness to engage with it at all.
The Consent Standard the DVI Is Enforcing
The Inspectorate’s guidance reiterates the consent standard that GDPR establishes — but in language pointed enough to make clear that it views many current implementations as falling far short of it.
Consent for analytics and marketing cookies must be freely given, specific, informed, and unambiguous. The DVI is explicit about what fails each of those tests:
Not freely given: Consent obtained through a structure that offers no real alternative — where declining cookies means the site won’t load, or where finding the decline option requires effort that most users won’t expend — is not free. Coerced agreement is not agreement. The DVI specifically states that personal data obtained through fraud, or consent obtained without a genuine possibility to refuse optional cookie processing, does not meet the legal standard.
Not unambiguous: Continuing to browse a website is not consent to cookie processing. Closing a cookie banner is not consent to cookie processing. These are behaviors that some operators have attempted to characterize as implied agreement. The DVI rejects that characterization clearly: valid consent requires an affirmative act, and passive behavior does not qualify.
Not informed: Users who don’t understand what they’re agreeing to — because the disclosure is incomplete, buried, or written in a way that obscures the practical consequences of consenting — have not given informed consent. The connection between cookie choices and targeted advertising is one of the most important disclosures operators are failing to make clearly.
Why This Matters Outside Latvia
The DVI’s findings reflect patterns that data protection authorities across the EU have been documenting for years. France’s CNIL, Germany’s state DPAs, the Irish DPC, and the Belgian APD have all taken enforcement action over cookie consent failures, and the specific violations they’ve cited — pre-consent cookie installation, dark patterns in banner design, inadequate disclosure — are the same ones Latvia is now cataloguing.
The scale of the problem is a function of how the cookie advertising ecosystem was built. Third-party tracking infrastructure was designed to collect data broadly and quickly, and consent management platforms were largely retrofitted onto that infrastructure rather than built from the ground up to produce genuine consent. The result is a compliance surface that looks like it covers the legal requirements — there’s a banner, there’s a button — but functions in ways that systematically undermine them.
Regulators are no longer accepting the aesthetic of consent in place of the substance of it. The enforcement trend across EU jurisdictions has moved toward scrutiny of banner design and user experience as a compliance question, not just a UX one. Dark patterns — interface designs that nudge users toward choices that benefit the operator at the expense of the user — are increasingly treated as a violation in themselves, separate from whatever the underlying data processing is.
The Practical Compliance Checklist
For website operators and the compliance teams that support them, the DVI’s guidance maps onto a set of concrete questions worth working through systematically.
Timing: Are any non-essential cookies — analytics, advertising, social media pixels — being loaded before user consent is recorded? If your consent management platform is integrated correctly, this should be technically enforced, not just policy-stated. Audit it with browser developer tools, not just documentation.
Parity: Is declining cookies as easy as accepting them? If “Accept all” is a single click and “Decline all” requires navigating a settings menu, your banner is not providing a free choice. The consent interface should offer equivalent friction — or no friction — for both options.
Pre-selection: Are any non-essential cookie categories pre-ticked in your preference center? Pre-ticked boxes do not produce valid consent under GDPR. They never did. This is not an area of regulatory ambiguity.
Disclosure quality: Does your cookie notice tell users, in plain language, which specific cookies are set, what each one does, which third parties receive data, and how that connects to the advertising they’ll see? “We use cookies to improve your experience” is not sufficient disclosure.
Honor the choice: When a user selects preferences, are those preferences actually respected? Does your CMP correctly suppress tags for non-consented categories? Is consent properly stored and applied on return visits? Testing this with actual traffic monitoring — not just configuration review — is the only way to know.
Withdrawal: Is it as easy to withdraw consent as it was to give it? Under GDPR, users must be able to change their cookie preferences at any time, without friction. A buried “manage preferences” link in the footer that is difficult to find and slow to load does not meet that standard.
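The timing and honor-the-choice checks above can be run against a HAR file exported from the browser's network panel. The script below is an added example, not code from the DVI or any consent platform; the cookie names, hosts and category catalog are constructed, and the consent timestamp and granted categories are assumed to come from your own CMP's record of the user's choice.

```javascript
// Constructed catalog mapping cookie name -> category (names are hypothetical).
const CATALOG = { session_id: "essential", consent_state: "essential",
                  an_visitor: "analytics", ad_profile: "marketing" };

// Cookie names set by the Set-Cookie response headers of one HAR entry.
function cookiesSet(entry) {
  return entry.response.headers
    .filter((h) => h.name.toLowerCase() === "set-cookie")
    .map((h) => h.value.split("=")[0].trim());
}

// consent: { at: ISO timestamp, or null if no choice was recorded; granted: [categories] }
function auditConsent(har, consent, catalog = CATALOG) {
  const consentAt = consent.at ? Date.parse(consent.at) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const when = Date.parse(entry.startedDateTime);
    const host = new URL(entry.request.url).hostname;
    for (const name of cookiesSet(entry)) {
      // Cookies missing from the catalog are flagged too, so they get reviewed.
      const category = catalog[name] || "unclassified";
      if (category === "essential") continue;
      if (when < consentAt) {
        findings.push({ rule: "set-before-consent", name, category, host });
      } else if (!consent.granted.includes(category)) {
        findings.push({ rule: "choice-not-honored", name, category, host });
      }
    }
  }
  return findings;
}

// Constructed HAR excerpt: the user accepts analytics only at 10:00:05.
const entry = (t, url, ...cookies) => ({
  startedDateTime: t,
  request: { url },
  response: { headers: cookies.map((c) => ({ name: "Set-Cookie", value: c })) },
});
const SAMPLE_HAR = { log: { entries: [
  entry("2024-01-01T10:00:00Z", "https://shop.example/", "session_id=abc; Path=/"),
  entry("2024-01-01T10:00:01Z", "https://stats.example/c.js", "an_visitor=1; Max-Age=31536000"),
  entry("2024-01-01T10:00:06Z", "https://shop.example/consent", "consent_state=analytics"),
  entry("2024-01-01T10:00:07Z", "https://ads.example/px", "ad_profile=x9; SameSite=None"),
  entry("2024-01-01T10:00:08Z", "https://stats.example/c.js", "an_visitor=1"),
] } };
const SAMPLE_CONSENT = { at: "2024-01-01T10:00:05Z", granted: ["analytics"] };

console.log(auditConsent(SAMPLE_HAR, SAMPLE_CONSENT));
```

A HAR capture only shows cookies set through HTTP Set-Cookie headers; cookies written by scripts through document.cookie need a separate look at the browser's cookie storage before and after the choice is made.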
Cookie Consent Compliance
Cookie consent has been a compliance issue for long enough that “we’re still working on it” is no longer a defensible posture for most organizations. The legal requirements have been clear since GDPR took effect. The technical tools to implement them correctly exist and are widely available. What has been missing, in many cases, is the organizational will to treat consent as a genuine user right rather than a legal formality to be minimized.
The DVI frames this accurately: websites are not doing users a favor by making consent easy to give and hard to take back. They are obscuring a right that the law explicitly protects. And regulators across Europe are increasingly treating that obscuring as a violation in itself — not just a compliance gap, but a harm to the people the law exists to protect.
The question for website operators isn’t whether to fix their cookie consent implementation. That question has been settled. The question is whether to fix it now or wait for an enforcement action to force the issue — and what the cost of waiting is likely to be.
Cookie compliance is one of the most commonly audited areas of EU data protection enforcement. Captain Compliance keeps you current on what regulators are looking for and how to stay ahead of it, and we have a cookie consent platform that is guaranteed to work. We believe in our product so much that we cover any GDPR fines you get as a result of using our software if it’s not functioning correctly. That’s why the Captain Compliance Cookie Consent Solution is the world’s best, especially for European companies.