New guidelines on the use of cookies clarify the practices for giving consent

The Finnish Transport and Communications Agency, Traficom, has published new cookie guidelines for both website users (in Finnish) and service providers (in Finnish) in September 2021. The guidelines also apply to other tracking technologies similar to cookies, such as tracking pixels and cookies stored through mobile applications.  The aim of the guidelines is, in particular, to clarify practices related to consent.

The service provider must pay attention to at least the following matters on its website if cookies are used:

  • Informing: users must be informed about the use of cookies
  • Necessary cookies and other cookies: the distinction is important because the use of non-essential cookies requires the user’s consent
  • Obtaining valid consent from the user: no pre-ticked checkboxes, declining cookies should be as easy as giving consent
  • Withdrawal of consent: the user must be able to withdraw consent

User must be informed about cookies

Users must be clearly and transparently informed about cookies stored on their terminal device, such as a mobile phone or tablet. At least the type of cookie, the purpose of use and the time of operation must be stated. Although this notification obligation does not apply to so-called necessary cookies by law, it is nevertheless good to inform users about them. With regard to informing, it should be remembered that if the cookies used on the website are changed, the informing must also be updated. This ensures that the informing stays up to date. If so-called third-party cookies are used, this must also be communicated to the user clearly and transparently enough.

Necessary and other cookies

By law, consent is not required for so-called necessary cookies. Cookies can be classified as necessary cookies for example in the following cases:

  • if the sole purpose of the storage or use of the data is to carry out the transmission of a message on communication networks, or
  • the storage and use of data are necessary for the service provider to provide a service explicitly requested by the subscriber or service user.

Necessary cookies are e.g. cookies related to data security and session-specific authentication, and cookies that enable the storage of the contents of the shopping cart. Thus far, analytics cookies have not been considered necessary, so consent is required to store them.

User’s consent must be obtained for the use of cookies

The use of non-essential cookies requires the user’s consent. Consent must be a freely given, specific, informed and unambiguous indication of the user’s wishes by which the user agrees to the storage of cookies on his or her terminal device. Separate consents must also be obtained for the use of cookies stored for different purposes in order for the requirement of specific consent to be fulfilled. Consent must be an active action by the user, meaning that for example pre-ticked boxes or the statement that “by continuing to browse the site you accept the use of cookies” do not meet the requirement for valid consent. In addition, clicking “OK” in connection with a cookie notification is not a sufficient way to get user approval for storing cookies.

Withdrawal of consent must be easy

If the user so wishes, he or she must be able to withdraw the given consent. Withdrawal of consent or change of cookie selections already made should be easy for the user. If the consent was originally requested with a banner, for example, the banner should reappear easily by clicking a link, so that the cookie settings can be changed at any time.

The service provider must ensure that the withdrawal of consent and changes to the cookie settings have an effective effect on the processing of the data and that such cookie data is deleted. After a user withdraws their consent, the data about that user must be deleted or overwritten from the device.

How to proceed in the future?

Service providers should, in particular, take into account that the user’s consent to the storage of cookies should be properly requested and easily withdrawn. The challenge may be that the cookie legislation is complied with at the expense of site availability.

How to strike a balance between site usability and legal requirements? We are happy to help with matters related to data protection and cookies!

Contact us:
Markus Myhrberg, Partner, [email protected],  tel. +358 40 505 5343
Erika Leinonen, Counsel, [email protected], tel. +358 45 7820 0310
Laura Ranki, Associate, [email protected], tel. +358 40 777 2572