What are the legal requirements for the use of cookies?

What are cookies?

Cookies are small text files saved on a device when a person browses a website. They are processed and stored by the web browser. Cookies can be saved on a personal computer, a mobile device, or any other type of device which can store information. Information stored in cookies can include IP addresses, usernames, Unique Device Identifiers, e-mail addresses, language settings, types of device, and other types of information.

Application of the GDPR and the e-Privacy Directive

The placing of cookies is regulated by the e-Privacy Directive, which should be transposed into national legislative acts by EU member states. Among other issues, the e-Privacy Directive regulates the confidentiality of communications and tracking and monitoring in an online environment. The Directive requires that the user’s consent is obtained for the placing of any cookies that are not strictly necessary to ensure a website’s functioning. As a rule, the consent mechanism must meet the requirements of the General Data Protection Regulation (GDPR), as cookie identifiers that can be associated with a natural person qualify as personal data.

What are the different types of cookies?

Cookies can be classified based on how long they endure, their provenance and what purpose they serve.

Duration:

• Session cookies: cookies are temporary and expire once the browser is closed or the session expires. These cookies process information relevant to the actions directly required by the clients (for example, a list of items in a shopping cart).
• Persistent cookies: these are cookies that remain on the hard drive until they are erased by the user or the browser, depending on the expiration date. According to the e-Privacy Directive, the expiration period must not be longer than 12 months.

Provenance:

• First-party cookies: cookies that are placed directly by the website. The website directly processes the data collected by first-party cookies.
• Third-party cookies: these cookies are placed on the device by third parties. A third party (e.g. an advertiser) processes the data collected by these cookies.

Purpose:

• Strictly necessary cookies: these cookies allow users to browse the website, platform or app and use their features. They are necessary to ensure the website’s functioning and management, allowing a website to provide its features and services – for example, to control data flow and communication, hold items in a cart while a user is shopping, process payments, or prevent fraud. They are generally first-party cookies. Consent is not required. However, please note that first-party analytics cookies are not exempt from consent as such. The purpose of the cookie, rather than its technical features, should always be the basis for evaluating if the exemption can be successfully applied.
• Preference cookies: these cookies allow the website to remember information about users’ past preferences in order to provide users with personalised services. Information of this kind could include languages, regions, usernames or passwords for automatic login. Consent is not required if these cookies are used for services that the users directly require (for example, when users select a language by clicking on the relevant button); otherwise, consent is necessary.
• Analytics cookies: analyse and track how users use a website, and can be divided into two categories:

1) marketing cookies, which are used to develop more relevant advertising

2) statistics cookies, which collect statistics regarding the use of the website. Their purpose is to improve website functions, and users cannot be identified

User consent is always required for using analytics cookies.

Recent updates in the Baltic countries

Latvia

The Latvian Data State Inspectorate has conducted a preventive inspection regarding the use of cookies in Latvia in the private and public sectors:

a) Private sector (e-commerce): in 2021, the Data State Inspectorate performed a preventive inspection to check the use of cookies on 26 e-commerce websites. In total, at least one or more instances of non-compliance were found on the websites of all merchants inspected. The most common failure was that merchants did not acquire appropriate consent when necessary. The smallest number of instances of non-compliance were related to the development of cookie policy/terms of use.

b) Public sector: a similar inspection was carried out in the public sector, analysing the websites of state and municipal authorities. Conversely to the private sector, the largest number of instances of non-compliance in the public sector were related to a lack of appropriate cookie policy/terms of use. The smallest number of instances of non-compliances were related to the duty to appoint data protection officers.

The Data State Inspectorate requested that the data controllers in question eliminate the deficiencies.

In addition to this, the Data State Inspectorate has issued guidance on the use of cookies, which is available in Latvian here. This provides examples of good and bad practice. The guidance states that data controllers should not use a design that “encourages” the user to accept cookies rather than reject them (e.g. the size and colour of the acceptance button).

Estonia

In Estonia, the requirement to obtain the user’s consent for the placing of cookies that are not strictly necessary for the functioning of the website is not expressly transposed into national law. However, this requirement is followed in practice and enforced by the Estonian Data Protection Inspectorate. In its decisional practice, the Data Protection Inspectorate relies directly on the e-Privacy Directive (the direct applicability is supported by the case law of the Court of Justice of the European Union). Lately, the Estonian authority has increasingly focused on various technical means, including cookies, which are used to process personal data. This year, the authority has already made multiple decisions requiring companies to implement a consent mechanism for the use of cookies. Therefore, companies that operate websites targeted at Estonian users are required to follow the EU requirements described above: implement a consent mechanism on their websites and provide users with transparent and comprehensive information regarding the use of cookies.

Lithuania

In Lithuania, the State Data Protection Inspectorate has issued FAQs on the use of cookies, which is available in Lithuanian here. This provides examples of bad practice. According to local authority, the Lithuanian Law on Electronic Communications requires that the user’s consent is obtained for the placing of any cookies that are not strictly necessary to ensure a website’s functioning. Therefore, relying on the data controller’s legitimate interest (Article 6(1)(f) of the GDPR) when placing such cookies does not comply with the Law on Electronic Communications.

Please also note that the State Data Protection Inspectorate is planning to conduct preventive inspections in Q3 and Q4 2022 at some private and public entities regarding the use of cookies in Lithuania. The 2022 Preventive Inspection Plan is available in Lithuanian here.