
Cookie consent and privacy policy: what your LT website needs

Cookie consent and privacy policy under GDPR: what a Lithuanian website must have to meet the data protection requirements.

  • GDPR
  • Cookies
  • Compliance

Every commercial Lithuanian website needs two things: a cookie consent banner that does not activate non-essential (analytics, marketing) cookies until the visitor explicitly agrees, and a privacy policy explaining what personal data you collect, why, and how long you keep it. This is not goodwill – it is required by the GDPR and Lithuania's Electronic Communications Law. Below is exactly what that means in practice and how to avoid the attention of the State Data Protection Inspectorate (VDAI).

Why this is mandatory for every commercial website

Even the simplest brochure site almost always collects data: a contact form captures a name and email, Google Analytics or Meta Pixel sets cookies, and your hosting stores IP addresses in server logs. All of these fall under the General Data Protection Regulation (GDPR), while cookie use is additionally governed by the Lithuanian Electronic Communications Law (which transposes the EU ePrivacy Directive).

The core rule is simple: before placing any cookie that is not strictly necessary for the site to function, you must obtain the visitor's freely given, specific, informed and unambiguous consent (the GDPR Article 4(11) standard). Strictly necessary cookies (cart contents, login session, language choice) need no consent and can be set immediately.

Enforcement in Lithuania is carried out by VDAI. The inspectorate can audit based on complaints or on its own initiative, and GDPR fines reach up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. For a small business the realistic risk is rarely the maximum fine: it is an order to fix violations, reputational damage and lost customer trust.

"Consent by default" – where cookies are already on and the banner merely announces "we use cookies" – has been invalid across the EU since the 2019 Court of Justice ruling (the Planet49 case).

Cookie types and how consent differs

To configure a banner correctly, you first need to understand how cookies differ by purpose:

  • Strictly necessary (technical) cookies. The site would not work without them – session, security, cart, language cookies. No consent needed, but you must still name them in the policy.
  • Statistics (analytics) cookies. Google Analytics, Hotjar and similar. They collect pseudonymised usage data, which is still personal data under the GDPR, so consent is required.
  • Marketing (tracking) cookies. Meta Pixel, Google Ads, remarketing. Used for advertising and cross-site tracking. Consent required and usually the source of most questions.
  • Functional cookies. Embedded YouTube videos, chat widgets, maps. These often set their own third-party cookies, so they also require consent.

The point: consent must be granular, split by category. An "Accept all" button is allowed, but it cannot be the only choice: a visitor must be able to allow analytics while declining marketing.

What a compliant cookie banner requires

To meet GDPR and VDAI expectations, a banner must satisfy several conditions at once.

Consent before cookies fire, not after

Non-essential cookies (analytics, marketing) must not be written until the visitor clicks "Accept". In practice this means tracking scripts load only after consent, typically gated by a Consent Management Platform (CMP). If Google Analytics fires the moment the page opens, the banner is decoration and the violation remains. Note that Google Tag Manager does not solve this by itself: if the container fires analytics or marketing tags on page load, the cookies are still set before consent; those tags must be wired to consent-based triggers.

Refusing must be as easy as accepting

If the first banner screen shows a prominent "Accept" button, an equally visible and easy-to-click "Reject" or "Essential only" must sit next to it. Hiding the refusal behind several clicks or a settings menu while keeping "Accept" one tap away is forbidden – these are so-called "dark patterns", which both VDAI and the European Data Protection Board view very critically.

Consent must be withdrawable at any time

A visitor must be able to withdraw consent as easily as they gave it. In practice this is usually a small persistent icon in a corner or a "Cookie settings" link in the footer that reopens the same banner. Without this option, consent is considered invalid.

Additionally, the banner must: clearly name the data controller, link to the cookie policy, have no pre-ticked boxes for non-essential cookies, and behave the same on desktop and mobile.

What a privacy policy must contain

A privacy policy is a document separate from the cookie banner, explaining your overall data processing. To satisfy GDPR Articles 13–14 it must include:

  1. Data controller details – company name, registration number, address, contact email (which can be verified at the Centre of Registers).
  2. What data is collected – name, email, phone, IP address, browsing data, and so on.
  3. Purposes and legal basis – e.g. contract performance, consent, legitimate interest.
  4. Retention periods – how long data is kept and on what criteria.
  5. Data recipients – accounting, IT providers, marketing platforms, especially if data leaves the EU.
  6. Individual rights – access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
  7. The right to lodge a complaint with VDAI and the inspectorate's contact details.

Good practice is to write the policy in plain rather than legalistic language and update it whenever tools or providers change.

Common mistakes that draw VDAI attention

From real practice, these mistakes recur most often:

  • Cookies fire immediately, before consent – technically the most common and most serious error.
  • Only an "Accept" button with no equivalent way to refuse.
  • Pre-ticked boxes for analytics and marketing categories.
  • No way to withdraw consent – the banner disappears forever.
  • A privacy policy copied from another company, with someone else's details and tools you do not actually use.
  • The policy is never updated – you installed Meta Pixel but it is missing from the document.
  • A contact form without a consent note and without a link to the privacy policy.

A quick self-check example

Open your site in an incognito (private) window and, before touching the banner, look at the developer tools: in Chrome, Application → Storage → Cookies; in Firefox, the Storage tab. If _ga, _gid, _fbp or similar tracking cookies are already listed, the consent mechanism is not working, however polished the banner looks. Check the Network tab as well: a request to googletagmanager.com, google-analytics.com or connect.facebook.net before you click means the tracking script loaded anyway, even if it has not set a cookie yet.
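The gating described under "Consent before cookies fire", the withdrawal requirement, and this self-check can be expressed as one small piece of client-side logic. The block below is an added example, not code from the original post or from any CMP product: it stores a per-category decision, loads a registered script only when its category has been explicitly granted, treats "no decision yet" and a malformed value as denied, and lists tracking cookies that are present without a matching grant. It works on plain strings so it can run under Node; in a browser you would pass document.cookie and a loader that appends a script element. The cookie name cookie_consent, the registry entries and the cookie-name patterns are illustrative assumptions.

```javascript
// Added example, not code from the original post: a category-based consent
// gate plus the "tracking cookies already present?" self-check.  Works on plain
// strings so it runs under Node; in a browser pass document.cookie and a loader
// that appends a <script>.  CONSENT_COOKIE, the registry entries and the
// cookie-name patterns are illustrative assumptions, not any real CMP's API.

const CONSENT_COOKIE = 'cookie_consent';                 // assumed name
const CATEGORIES = ['analytics', 'marketing', 'functional'];

// Non-essential scripts and the category that must be granted before they load.
const SCRIPT_REGISTRY = [
  { id: 'ga4',        category: 'analytics',  src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { id: 'meta-pixel', category: 'marketing',  src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { id: 'youtube',    category: 'functional', src: 'https://www.youtube.com/iframe_api' },
];

// Cookie names these tools typically write (assumed; extend from your own DevTools listing).
const TRACKING_COOKIES = {
  analytics: [/^_ga(_|$)/, /^_gid$/],
  marketing: [/^_fbp$/, /^_fbc$/, /^_gcl_au$/],
};

// "a=1; b=2" (document.cookie format) -> { a: '1', b: '2' }
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Stored decision, or null if the visitor has not decided.  Anything other than
// an explicit true counts as denied: there is no consent by default.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw), consent = {};
    for (const c of CATEGORIES) consent[c] = parsed[c] === true;
    return consent;
  } catch (e) { return null; }                            // malformed = undecided
}

// Cookie to write after a click.  {} records "essential only"; nothing is pre-ticked.
function serializeConsent(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = {};
  for (const c of CATEGORIES) value[c] = choices[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

function allowedScripts(consent) {
  if (!consent) return [];                                // undecided: load nothing
  return SCRIPT_REGISTRY.filter(s => consent[s.category] === true);
}

// Page-load entry point; returns the ids handed to loadScript so gating is testable.
function bootstrap(cookieString, loadScript) {
  const allowed = allowedScripts(readConsent(cookieString));
  allowed.forEach(s => loadScript(s.src));
  return allowed.map(s => s.id);
}

// The DevTools self-check as code: known tracking cookies found in the jar.
function trackingCookiesPresent(cookieString) {
  const names = Object.keys(parseCookies(cookieString)), found = [];
  for (const [category, patterns] of Object.entries(TRACKING_COOKIES)) {
    for (const name of names) {
      if (patterns.some(p => p.test(name))) found.push({ name, category });
    }
  }
  return found;
}

// Tracking cookies present without a granted category.  Non-empty before the
// banner has been clicked means the gate is not working.
function consentViolations(cookieString) {
  const consent = readConsent(cookieString);
  return trackingCookiesPresent(cookieString).filter(c => !consent || consent[c.category] !== true);
}

// Withdrawal: record "denied" everywhere and expire the first-party tracking
// cookies in reach.  Caveat: cookies set with a different Domain/Path, or by the
// third party on its own domain, cannot be deleted from here; what actually ends
// the processing is that bootstrap() loads nothing on the next page view.
function withdrawConsent(cookieString) {
  const writes = [serializeConsent({})];
  for (const c of trackingCookiesPresent(cookieString)) writes.push(`${c.name}=; Max-Age=0; Path=/`);
  return writes;
}
```

In a page you would call bootstrap(document.cookie, src => { const el = document.createElement('script'); el.src = src; el.async = true; document.head.appendChild(el); }) once on load, write the string from serializeConsent() to document.cookie when a banner button is clicked and then call bootstrap again, and write each string returned by withdrawConsent() when the footer "Cookie settings" link is used to revoke. The design choice worth copying is that the absence of a stored decision yields an empty load list: the banner being dismissed, broken or not yet shown can never turn tracking on.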

Where to get reliable templates

Do not rush to copy the first text you find. Reliable reference points:

  • VDAI (vdai.lt) – official guidance on cookies and consent, and recommendations for data controllers.
  • VVTAT (vvtat.lrv.lt) – consumer rights and accessibility information, also relevant for online stores.
  • EUR-Lex – the primary text of the GDPR (Regulation 2016/679), if you need to verify a specific article.

A template is only a starting point – it must be adapted to your real situation: name your actual tools, details and retention periods. A generic, unadapted document is often worse than none, because it misleads both visitors and the inspector reviewing it.

Keeping all your legal documents in one place is convenient – our documents section offers a structure you can adapt to your business.

Note: the information here is illustrative (2026) and is not legal advice. Always verify exact requirements on the VDAI website or consult a lawyer.

How to fix your website quickly

If you are unsure whether your banner and policy are compliant, start with a free website check – it shows whether cookies fire before consent and whether required documents are missing. Next, review and download adaptable cookie policy and privacy policy examples. And if you would rather we handle everything for you – from a correct consent banner to updated documents – get in touch and we will agree on a concrete plan for your website.