Cookie consent compliance for Lithuania, enforced by the VDAI under the Law on Electronic Communications.
In Lithuania, cookie consent is governed by the Law on Electronic Communications (Elektroninių ryšių įstatymas, No. IX-2135), which transposes the EU ePrivacy Directive, read together with the GDPR and the Law on Legal Protection of Personal Data (Asmens duomenų teisinės apsaugos įstatymas, ADTAI). Article 73(4) permits storing information on, or gaining access to information already stored in, a user's terminal equipment only after the user has been given clear and comprehensive information and has given consent. Enforcement of personal-data rules sits with the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI), which has published cookie guidance making clear that consent — not legitimate interest — is the lawful basis for non-essential cookies.
The Law on Electronic Communications requires prior consent before storing or accessing information on a user's device (non-essential cookies).
Applicable laws
Art. 73(4)
Provision of the Law on Electronic Communications requiring consent before storing or accessing data on terminal equipment
Lietuvos Respublikos elektroninių ryšių įstatymas, No. IX-2135
€2,385,276
GDPR fine imposed by VDAI on Vinted UAB in 2024 — the largest in Lithuania to date
EDPB / VDAI, 2 July 2024
1,408
Complaints received by VDAI in 2024, up roughly 15% on 2023
VDAI 2024 activity reporting
2022
Year VDAI made cookie compliance a planned-inspection priority for public and private bodies
VDAI annual inspection plan
Under Article 73(4) of the Law on Electronic Communications, non-essential cookies and similar trackers may only fire after the user has received clear, comprehensive information and given consent. Cookies must not be set on page load before the user has chosen.
Consent is not required where storage or access is solely to transmit a communication, or is strictly necessary to provide an information-society service the user has explicitly requested. Analytics, advertising and most third-party cookies fall outside this narrow exemption.
VDAI cookie guidance (FAQ) states that controllers cannot rely on legitimate interest under GDPR Article 6(1)(f) for non-essential cookies. Consent is the required lawful basis, and it must meet the GDPR standard: freely given, specific, informed and unambiguous.
Consent must be a genuine choice. Pre-ticked boxes, implied consent from continued browsing, or designs that make accepting effortless while burying the reject option do not produce valid consent under the GDPR standard applied by VDAI.
Controllers must be able to demonstrate that valid consent was obtained (GDPR Article 7) and let users withdraw consent as easily as they gave it, for example through a persistent cookie-settings control.
Lithuania's cookie rules sit at the intersection of two statutes. The substantive consent obligation comes from the Law on Electronic Communications (Elektroninių ryšių įstatymas, No. IX-2135), the national transposition of the EU ePrivacy Directive. Article 73(4) is the operative provision: it allows a website to store information on, or read information from, a visitor's terminal equipment only after that visitor has been given clear and comprehensive information and has consented.
The Communications Regulatory Authority (RRT) oversees the electronic-communications framework as a whole, but where cookies process personal data the supervisory authority is the State Data Protection Inspectorate (VDAI). In practice this means a non-compliant cookie banner is judged against both the Law on Electronic Communications and the GDPR's consent standard, with VDAI holding the enforcement powers — including administrative fines up to the GDPR maximum.
VDAI has issued cookie FAQs and guidance for Lithuanian website operators. A central point is that legitimate interest is not an acceptable basis for non-essential cookies — controllers must obtain consent that is freely given, specific, informed and unambiguous, in line with the GDPR. That rules out cookies firing on page load, pre-checked consent boxes, and 'continued browsing equals consent' patterns.
The guidance reflects the wider EDPB position that rejecting cookies must be as straightforward as accepting them, that purposes must be presented granularly, and that consent must be recorded and revocable. VDAI made cookie practices a planned-inspection priority for both public and private organisations from 2022, signalling that banner design is an active area of supervisory attention rather than a theoretical risk.
VDAI has shown it will levy significant penalties: in July 2024 it fined the Vilnius-headquartered marketplace Vinted UAB €2,385,276 for GDPR breaches, the largest data-protection fine issued in Lithuania to date, and the regulator reported around 1,408 complaints in 2024 — roughly 15% more than the year before. Rising complaint volumes increase the chance that a poorly configured cookie banner is examined.
The most common failure is technical, not textual: trackers that fire before the visitor interacts with the banner. A polished consent notice does not help if analytics or advertising cookies are already set on first load. This is why an objective, evidence-based pre-consent scan — checking what actually executes in the browser before any choice is made — is the practical first step to demonstrating Article 73(4) compliance.
Storing information or gaining access to information already stored in the terminal equipment of a subscriber or actual user is permitted only on the condition that the subscriber or actual user, having been provided with clear and comprehensive information in accordance with the GDPR, including about the purposes of processing, has given consent.
Cookies are governed by Article 73(4) of the Law on Electronic Communications (Elektroninių ryšių įstatymas, No. IX-2135), Lithuania's transposition of the EU ePrivacy Directive, applied alongside the GDPR and the ADTAI.
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI), at https://vdai.lrv.lt, enforces personal-data rules and has published cookie FAQs stating that consent — not legitimate interest — is required for non-essential cookies.
VDAI imposed Lithuania's largest fine, €2,385,276, on Vinted UAB in 2024 and made cookie compliance a planned-inspection priority from 2022, underlining that consent practices are actively supervised.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure VDAI is most likely to act on — and names the source so you can fix it. It also generates GDPR documents localized to Lithuania's requirements, so your policies match the rules VDAI applies. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
The Law on Electronic Communications (Elektroninių ryšių įstatymas, No. IX-2135), which transposes the EU ePrivacy Directive. Article 73(4) requires informed consent before storing or accessing information on a user's terminal equipment. It applies together with the GDPR and the Law on Legal Protection of Personal Data (ADTAI).
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI), https://vdai.lrv.lt, is the supervisory authority for personal-data matters, including cookies that process personal data. The Communications Regulatory Authority (RRT) oversees the broader electronic-communications framework.
No. VDAI cookie guidance is explicit that legitimate interest under GDPR Article 6(1)(f) is not a valid basis for non-essential cookies. You need consent that is freely given, specific, informed and unambiguous, with rejecting as easy as accepting and no pre-ticked boxes.
CookieSentry loads your site like a real visitor and detects cookies and trackers that fire before consent — the most common breach of Article 73(4) — naming each source and producing exportable PDF evidence. It also generates GDPR documents localized to national requirements. You keep your existing banner; CookieSentry adds the pre-consent audit and documentation.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Lithuania's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on Lithuania cookie rules, not legal advice; verify current requirements with VDAI or qualified counsel.