This document lists every cookie that may be stored on a visitor's device when using the system, the purpose of each cookie, its storage duration, and the consent category it belongs to.
A separate Lithuanian-language version of this document is available at (here).
Consent categories
The system asks for consent in three categories. Visitors can accept all, reject non-essential, or choose individually via the cookie consent banner. The choice is remembered for 12 months and can be re-opened from the page footer.
| Category | Required | Description |
|---|---|---|
| Necessary | Yes | Required for the site to function (session, security, consent state). Cannot be disabled. |
| Functional | No | Optional features that improve usability and personalization. |
| Analytics | No | Help us understand how visitors use the site so we can improve it. |
If the visitor has not yet made a choice, only Necessary cookies are loaded. Analytics scripts are blocked at the browser level (via the script-blocking layer) until consent is granted.
Cookies set by this system
Necessary cookies
| Cookie | Provider | Purpose | Lifetime | Type |
|---|---|---|---|---|
cookieConsent | This site | Stores the visitor's cookie consent choices per category as JSON. | 12 months | First-party |
SSESS<hash> / SESS<hash> | Drupal (CMS) | Maintains an authenticated session for users who log in to the CMS or admin areas. Not set for anonymous portal visitors. | Up to 23 days | First-party |
XSRF-TOKEN / CSRF token | Drupal | CSRF protection for authenticated form submissions and API calls. Issued only when a session is active. | Session | First-party |
Analytics cookies
These cookies are loaded only after the visitor accepts the Analytics category. The exact set depends on the analytics scripts configured by the administrator. The system supports Google Analytics / Google Tag Manager out of the box.
| Cookie | Provider | Purpose | Lifetime | Type |
|---|---|---|---|---|
_ga | Google Analytics | Distinguishes unique visitors. | 2 years | Third-party |
_ga_<container-id> | Google Analytics (GA4) | Persists session state for the GA4 property. | 2 years | Third-party |
_gid | Google Analytics | Distinguishes visitors over a 24-hour window. | 24 hours | Third-party |
_gat_gtag_<property-id> | Google Analytics | Throttles request rate to the analytics endpoint. | 1 minute | Third-party |
_gac_<property-id> | Google Ads (linked) | Stores campaign attribution information for conversions imported into Google Ads. | 90 days | Third-party |
How consent is enforced technically
- On first page load, the browser reads the
cookieConsentcookie. If absent or invalid, the consent banner is shown and only Necessary cookies are written. - Analytics scripts are wrapped in a script-blocking layer (
yett) and are not executed until the Analytics category is accepted. - When the visitor saves their choice,
cookieConsentis written and the page is refreshed so blocked scripts can initialize. - The visitor can change their choice at any time by re-opening the consent banner from the footer.
Visitor rights
Under the GDPR, visitors can:
- Withdraw consent at any time via the consent banner.
- Request a data export via
POST /api/gdpr/export(authenticated users). - Request data deletion via
POST /api/gdpr/forget(authenticated users). - Update consent records via
POST /api/gdpr/consent(authenticated users).
Maintenance
This document must be updated whenever:
- A new cookie is set by the application.
- An administrator adds, removes, or changes tracking scripts in the CMS cluster settings (
tracking_scripts.head_start,head_end,body_start,body_end). - A new GDPR consent category is added in
mm_gdpr.settings.yml.