Lithuania's Cookie Rules: Two Laws, One Requirement
Lithuania sits at the intersection of two overlapping legal frameworks governing cookies. The Law on Electronic Communications (Lietuvos Respublikos elektroninių ryšių įstatymas, Law No. IX-2135) transposes the EU ePrivacy Directive into Lithuanian law. The GDPR, which applies directly across the EU, sets the standard for what counts as valid consent.
The result is straightforward: prior, informed consent is required before placing any cookie that is not strictly necessary for delivering a service the visitor requested.
Relying on legitimate interest under Article 6(1)(f) of the GDPR as a basis for setting analytics, advertising, or preference cookies does not satisfy the Law on Electronic Communications. The VDAI has confirmed this position explicitly.
The VDAI: Lithuania's Data Protection Authority
The Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate, or VDAI) is the independent supervisory authority responsible for enforcing both the GDPR and the Law on Electronic Communications in Lithuania. The VDAI is based in Vilnius at L. Sapiegos str. 17 and can be contacted at ada@ada.lt.
In 2023, the VDAI made cookie compliance a monitoring priority. Inspections focused specifically on whether organisations met the requirements for cookies and provided adequate information about them. That focus has continued into 2024 and 2025.
In 2024 alone, the VDAI received 1,408 complaints - a 15% increase over 2023 - and acted as lead supervisory authority in 57 international cases. The inspectorate imposed 13 administrative fines totalling EUR 2,423,971.
What the Law on Electronic Communications Requires
Article 61 of the Law on Electronic Communications mirrors Article 5(3) of the ePrivacy Directive. The core obligations are:
Provide clear, comprehensive information about each cookie's purpose before it is set
Obtain the visitor's consent before placing non-essential cookies
Allow visitors to withdraw consent as easily as they gave it
Two narrow exemptions apply. Cookies used solely for transmitting a communication over an electronic network do not require consent. Cookies strictly necessary for providing a service the visitor explicitly requested are also exempt - a session cookie like PHPSESSID that keeps a shopping cart alive, for example.
Everything else - _ga, _fbp, _gid, advertising pixels, A/B testing scripts - needs consent first.
GDPR Consent Standards Apply
The Law on Electronic Communications does not define its own consent standard. Instead, it defers to the GDPR definition under Article 4(11) and the conditions set out in Article 7. Consent must be:
| Requirement | What It Means in Practice |
|---|---|
| Freely given | Access to the site cannot depend on accepting cookies. No cookie walls that block content. |
| Specific | Separate consent for each purpose (analytics, marketing, preferences). Bundling is not allowed. |
| Informed | Visitors must know what cookies are set, by whom, for how long, and for what purpose - before consenting. |
| Unambiguous | Pre-ticked boxes, continued browsing, or implied consent do not count. A clear affirmative action is required. |
The VDAI has stated that "soft opt-in" and opt-out-by-silence do not constitute valid consent. A visitor scrolling past a banner or closing it with an X does not create a lawful basis for setting tracking cookies.
Enforcement Actions and Fines
Lithuania's penalty regime operates on two tracks.
For violations of the Law on Electronic Communications specifically, the Lithuanian Code of Administrative Offences sets fines between EUR 150 and EUR 580 for individuals, and between EUR 300 and EUR 1,150 for managers of legal entities. These amounts are modest compared to GDPR sanctions.
GDPR-based fines carry far more weight. The VDAI's largest fine to date was EUR 2,385,276, imposed on Vinted, UAB in July 2024 for infringements of Articles 5(1)(a), 5(2), 12(1), and 12(4) of the GDPR - relating to transparency and data subject rights. While that case was not cookie-specific, it signals the VDAI's willingness to impose significant penalties.
The VDAI also cooperates closely with Baltic neighbours. In 2022, the supervisory authorities of Lithuania, Latvia, and Estonia launched a coordinated inspection programme, demonstrating regional alignment on enforcement priorities.
How Lithuania Compares to Other Baltic and EU States
Lithuania's consent-first approach aligns with the majority of EU member states. The table below shows how it compares to its nearest neighbours and selected EU countries.
| Country | DPA | Consent Model | ePrivacy Transposition |
|---|---|---|---|
| Lithuania | VDAI | Prior opt-in | Law on Electronic Communications |
| Latvia | DVI | Prior opt-in | Electronic Communications Law |
| Estonia | AKI | Prior opt-in | Electronic Communications Act |
| Poland | UODO | Prior opt-in | Telecommunications Law |
| Germany | BfDI / State DPAs | Prior opt-in | TTDSG |
| France | CNIL | Prior opt-in | Loi Informatique et Libertés |
All three Baltic states require opt-in consent before non-essential cookies are placed. If your website serves visitors across the region, a single consent-first approach covers Lithuania, Latvia, and Estonia without conflict.
Compliance Checklist for Lithuanian Websites
Before Any Cookies Load
Run a cookie scan to identify every cookie and tracking script on your site
Categorise each cookie: strictly necessary, functional, analytics, or marketing
Block all non-essential cookies from firing until consent is collected
Your Cookie Banner
Display a clear banner on the first page visit, before setting non-essential cookies
Offer granular options - separate toggles or checkboxes for each cookie category
Make the reject option as prominent as the accept option. No dark patterns.
Do not use pre-ticked boxes
Write the banner in Lithuanian if your audience is primarily Lithuanian
After Consent Is Given
Store a record of each consent decision (timestamp, categories accepted, version of the policy)
Allow visitors to change or withdraw consent at any time via a persistent link or icon
Re-collect consent if your cookie usage changes materially
Documentation
Maintain an up-to-date cookie policy listing each cookie by name, provider, purpose, and duration
Keep consent records for at least as long as the GDPR's accountability principle requires
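The checklist above can be enforced and audited in code. The following is an added example, not code from this page or from any consent-management product: it gates cookies by category against a stored consent record and flags cookies that were set without a valid basis. The catalogue contents, the `ui_lang` cookie, the policy version strings, and all function names are assumptions made for illustration.

```javascript
// Added example: catalogue, record layout and names are illustrative assumptions.
const ESSENTIAL = "strictly_necessary";

// Constructed catalogue: the categorised output of a cookie scan.
const CATALOGUE = new Map([
  ["PHPSESSID", ESSENTIAL],
  ["_ga", "analytics"],
  ["_gid", "analytics"],
  ["_fbp", "marketing"],
  ["ui_lang", "functional"], // hypothetical preference cookie
]);

// Consent record: timestamp, categories accepted, version of the policy.
function makeConsentRecord(accepted, policyVersion, now = new Date()) {
  return { timestamp: now.toISOString(), accepted: [...accepted].sort(), policyVersion };
}

// Prompt again when no record exists or the cookie policy has changed since consent.
function needsConsentPrompt(record, currentPolicyVersion) {
  return !record || record.policyVersion !== currentPolicyVersion;
}

// Default deny: uncategorised cookies and non-essential cookies without
// a current, matching consent are not allowed.
function maySetCookie(name, record, currentPolicyVersion) {
  const category = CATALOGUE.get(name);
  if (category === undefined) return false;
  if (category === ESSENTIAL) return true;
  if (needsConsentPrompt(record, currentPolicyVersion)) return false;
  return record.accepted.includes(category);
}

// Extract cookie names from a document.cookie-style string.
function parseCookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Audit: which observed cookies have no valid basis under the current record?
function findViolations(cookieString, record, currentPolicyVersion) {
  return parseCookieNames(cookieString).filter(
    (name) => !maySetCookie(name, record, currentPolicyVersion)
  );
}
```

Running `findViolations` against the cookies present on a first page load, with a `null` record, shows whether anything non-essential fires before the banner is answered.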
Frequently Asked Questions
Does Lithuania require cookie consent for analytics cookies like Google Analytics?
Yes. Analytics cookies such as _ga and _gid are not strictly necessary for delivering a requested service. The Law on Electronic Communications requires prior consent before these cookies are set.
Can I use legitimate interest instead of consent for cookies in Lithuania?
No. The VDAI has explicitly confirmed that relying on legitimate interest under Article 6(1)(f) of the GDPR does not satisfy the requirements of the Law on Electronic Communications for non-essential cookies.
What fines can the VDAI impose for cookie violations?
Fines under the Law on Electronic Communications range from EUR 150 to EUR 1,150. GDPR-based fines can reach up to EUR 20 million or 4% of global annual turnover, whichever is higher.
Do I need a cookie banner in the Lithuanian language?
If your website targets Lithuanian visitors, providing the banner in Lithuanian is strongly recommended. The requirement for "clear and comprehensive information" is harder to meet if visitors cannot read the notice in their own language.
Are session cookies exempt from consent in Lithuania?
Session cookies that are strictly necessary for a service the visitor requested - such as PHPSESSID for maintaining a login session - are exempt. Session cookies used for analytics or tracking still require consent.
How does Lithuania's cookie law relate to the GDPR?
The Law on Electronic Communications governs when cookies can be placed (requiring consent for non-essential cookies). The GDPR defines what constitutes valid consent and applies to any personal data collected through those cookies. Both laws work together.