Latvia's Cookie Law Framework
Latvia sits at the intersection of EU-wide data protection rules and national legislation that predates the GDPR. Two laws govern cookies on Latvian websites: the Law on Information Society Services (Informacijas sabiedribas pakalpojumu likums), which transposes the ePrivacy Directive into Latvian law, and the GDPR itself, applied directly as EU regulation.
The Law on Information Society Services requires that before any cookie is placed on a visitor's device, the visitor receives clear and comprehensive information about the purpose of that cookie and gives prior consent.
Strictly necessary cookies - those required to deliver a service the visitor explicitly requested - are exempt from the consent requirement. Every other cookie, whether used for analytics, advertising, or personalisation, needs affirmative consent before it fires.
The DVI and Its Role in Cookie Enforcement
The Datu valsts inspekcija (Data State Inspectorate, or DVI) is Latvia's national data protection authority. Established in 2001, the DVI supervises compliance with the GDPR and national data protection legislation from its offices in Riga.
In February 2022, the DVI published results from a cookie audit of 29 merchant websites operating in Latvia. The audit examined whether visitors received proper information about cookies and whether consent mechanisms met legal standards. The findings were blunt: most of the audited websites violated Latvian cookie rules.
Following that audit, the DVI released formal cookie guidelines in April 2022. These guidelines set out cookie categories, requirements for lawful use, and a model cookie policy that website owners can adapt.
What the DVI Cookie Guidelines Require
The 2022 DVI cookie guidelines establish several concrete obligations for website owners.
Multi-Layer Cookie Notifications
The DVI recommends a multi-layer approach to cookie banner design. The first layer - the banner itself - must be clearly visible and contain essential information about cookie use and data processing. A second layer should provide detailed descriptions of each cookie category, individual cookies set, their purposes, and retention periods.
This mirrors guidance from other EU data protection authorities, such as the CNIL in France and the BfDI in Germany.
Consent Must Be Freely Given and Specific
Under the DVI guidelines, consent must comply with GDPR Article 4(11) and Article 7. That means consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not constitute valid consent. Cookie walls that deny access to the site unless the visitor accepts all cookies are also problematic, as they undermine the "freely given" requirement.
Equal Ease of Refusal and Withdrawal
The DVI specifically requires that withdrawing consent must be as easy as giving it. If consent is collected through a pop-up banner with an "Accept" button, a comparable mechanism must exist for revoking that consent later. Forcing visitors to dig through browser settings to delete cookies does not satisfy this requirement.
Cookie Categories Under Latvian Law
The DVI guidelines classify cookies into categories that align with standard EU practice. The table below summarises each category and its consent status.
| Cookie Category | Examples | Consent Required |
|---|---|---|
| Strictly necessary | PHPSESSID, shopping cart tokens, authentication cookies | No |
| Functional / preference | pll_language, accessibility settings | Yes |
| Analytics / performance | _ga, _gid, session replay cookies | Yes |
| Marketing / advertising | _fbp, _gcl_au, retargeting pixels | Yes |
Functional cookies - such as those storing a visitor's language preference - do require consent in Latvia. Only cookies that are strictly necessary for a service the visitor explicitly requested qualify for the exemption under Article 5(3) of the ePrivacy Directive.
DVI Enforcement Actions and Fines
Latvia's enforcement record is modest compared to larger EU member states. The DVI received 708 complaints in 2022 and imposed monetary penalties in 12 cases that year.
The most significant Latvian GDPR fine to date targeted the telecommunications provider TET, which received a penalty of 1.2 million euros for disclosing unverified customer data to debt recovery services in breach of Articles 5(1) and 6(1) GDPR. The original fine was 3.2 million euros but was reduced after the DVI considered mitigating factors, including the company's cooperation.
While that case did not involve cookies directly, it signals that the DVI is prepared to impose substantial penalties when it identifies violations. Given the 2022 cookie audit found widespread non-compliance, cookie-specific enforcement actions remain a real possibility for websites targeting Latvian visitors.
How Latvian Cookie Rules Relate to the GDPR
The Information Society Services Act governs when cookies may be placed on a device - the "gateway" question. The GDPR governs what happens with any personal data those cookies collect or generate.
This dual framework means that even if a cookie does not collect personal data, the Information Society Services Act still requires prior consent (unless the cookie is strictly necessary). And if a cookie does collect personal data - as Google Analytics cookies and Meta Pixel cookies typically do - both the national law and the GDPR apply simultaneously.
Latvia set the age of digital consent at 13, one of the lowest thresholds in the EU. Websites that specifically target younger audiences should account for this when designing their consent mechanisms.
Baltic Context: Latvia, Estonia, and Lithuania
The three Baltic states share a similar regulatory posture on cookies, though each has its own national DPA and legislation.
Estonia's AKI enforces cookie rules through the Electronic Communications Act. Lithuania's VDAI applies the Law on Electronic Communications. All three countries require opt-in consent for non-essential cookies, and all three apply the GDPR directly.
If your website serves visitors across the Baltic region, a single geo-targeted consent banner that meets the strictest requirements will cover all three jurisdictions. The differences are in enforcement culture rather than in the substance of the rules.
Compliance Checklist for Latvian Cookie Consent
Use this checklist to assess whether your site meets Latvian requirements.
Run a cookie scan to identify every cookie and tracker on your site
Classify each cookie as strictly necessary, functional, analytics, or marketing
Block all non-essential cookies until the visitor gives affirmative consent
Display a clearly visible first-layer banner with basic cookie information
Provide a second layer with detailed cookie descriptions, purposes, and retention periods
Offer granular choices - visitors should be able to accept or reject each category individually
Make the "Reject" option as prominent and accessible as the "Accept" option
Provide a persistent method to withdraw consent that is as easy as giving it
Maintain records of consent as proof of compliance
Publish a cookie policy in Latvian (and English, if your site serves international visitors)
Frequently Asked Questions
Does Latvia require cookie consent for analytics cookies?
Yes. Under the Law on Information Society Services and the DVI guidelines, analytics cookies such as _ga and _gid require prior opt-in consent from the visitor before they are set.
What is the DVI in Latvia?
The DVI (Datu valsts inspekcija), also known as the Data State Inspectorate, is Latvia's national data protection authority. It supervises GDPR compliance and enforces national data protection and cookie laws.
Are cookie walls allowed under Latvian law?
Cookie walls that block access to a website unless the visitor accepts all cookies are considered problematic under the DVI guidelines, as they undermine the GDPR requirement that consent be freely given.
Which law governs cookies in Latvia?
The Law on Information Society Services (the Latvian transposition of the ePrivacy Directive) governs the placement of cookies. The GDPR applies to any personal data collected through those cookies.
Can I use implied consent for cookies on a Latvian website?
No. The DVI guidelines require explicit, affirmative consent. Continued browsing or pre-ticked boxes do not constitute valid consent under Latvian law.
Do I need a cookie policy in Latvian?
If your website targets Latvian visitors, publishing a cookie policy in Latvian is strongly recommended. The DVI expects clear and comprehensive information to be provided in a language the visitor understands.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Latvian and EU law.
