New Guidance on Cookies in Finland

The Finnish Transport and Communications Agency Traficom has published new cookie guidelines (in Finnish) for service providers earlier this week. The purpose of these new guidelines is to bring the previous guidelines in line with the requirements for consent under the GPDR, current practice of the Office of the Data Protection Ombudsman and new case law. The new guidance brings Finnish supervising authority’s approach more aligned with the regulatory guidance by other EU member states.

Traficom has together with the Office of the Data Protection Ombudsman drawn up the revised cookie guidelines for service providers. Whereas under the previous guidance Traficom considered it insufficient to obtain cookie consent through browser settings, under the new guidelines, the use of cookies must mainly be with the user’s active consent and cookies may not be stored on the user’s terminal equipment until the user has given his or her consent by affirmative action. Consent is not required if a service provider wants to set strictly necessary cookies.

Under the Finnish Act on Electronic Communications Services (implementing the EU e-privacy directive), the general condition for the storage and use of cookies (or other information describing the use of the service) is that the user has given consent. No cookies and trackers must be placed before prior consent from the user, besides those strictly necessary for the basic function of a website. This means that controller’s legitimate interest is not a valid legal basis to use cookies or similar tracking technologies.

The only exemption to the consent requirement is when the use of the cookies is “strictly necessary” for the operation of the site. Even then, storage and use are permitted only to the extent required by the service and must not restrict the protection of privacy more than is necessary. Outside the necessity exemption, consent is the only legal basis for setting cookies.

The storage and use of cookies and other similar data on users’ terminal equipment requires the user’s revocable consent and comprehensible and comprehensive information on the purpose of the storage or use.

The user’s consent must be requested, and the information related to cookies must be provided in a proper and timely manner when the user opens the service or arrives at the website. No cookies and trackers must be placed before receiving consent from the user.

For consent to be valid, it must meet the conditions for consent under the General Data Protection Regulation (GDPR). Consent should be given by a clear affirmative act establishing a freely given, specific informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to the user, by giving a statement of consent or by taking a clear act of consent.

Consent cannot be given by pre-ticked boxes, pre-selected slide-bars or omission of any action. In addition, refusal must be as easy as giving consent. Furthermore, simply visiting a site for the first time would not qualify as affirmative action, which means that loading other than strictly necessary cookies immediately on the first landing page would not be acceptable.

Both options to accept or decline cookies must be made visible and available to the user, and the decline option must not be hidden. Furthermore, the user should also be given options to make more specific choices regarding different types of cookies.

In terms of applications, obtaining separate consent before the application is installed on the device can be technically challenging. Service providers should therefore provide a description of application in the app store, be as transparent as possible about the purposes of data storage and use and about device permissions. After installing the application, at latest, the user should be allowed to control consent or make selections regarding other than strictly necessary cookies.

As previously stated, consent is not required to set strictly necessary cookies. Strictly necessary cookies are cookies that are necessary to provide the service. However, the use of cookies should be limited only to the extent required to provide the service.

Traficom’s guidelines provides useful information for the assessment on whether a cookie is “strictly necessary” or not. When assessing the necessity of cookie use, the purpose of the data collected and processed is crucial. Consent is not required if the cookie is used for the sole purpose of carrying out the transmission of a communication. Additionally, consent is not required if the cookie is strictly necessary for the service provider to provide a service explicitly requested by the user.

An example of this may be a user using an online store. To remember the contents of the shopping cart, cookies are necessary to provide the service explicitly requested by the user. Without this function, placing an order would not be possible. Cookies that enable the implementation of these types of functions that the user has explicitly requested, can be considered strictly necessary.

For the exception to apply, the cookie should directly enable or implement one or more of the following:

In accordance with the guidelines, the banner or other procedure for requesting consent should at least provide detailed information on the cookies and similar technologies that are being used and their type (e.g. the purpose of each cookie, what information is collected by the cookie and for what purpose and the validity period of each cookie). In addition, information on whether the information stored via cookies is shared with third parties, who these parties are and what information is transferred, should also be specified.

If you have any questions regarding these new guidelines, please feel free to contact any of Borenius’ attorneys listed in this alert or those with whom you usually work.