The Finnish Transport and Communications Agency, Traficom, has published new cookie guidelines for both website users (in Finnish) and service providers (in Finnish) in September 2021. The guidelines also apply to other tracking technologies similar to cookies, such as tracking pixels and cookies stored through mobile applications. The aim of the guidelines is, in particular, to clarify practices related to consent.
The service provider must pay attention to at least the following matters on its website if cookies are used:
- Necessary cookies and other cookies: the distinction is important because the use of non-essential cookies requires the user’s consent
- Obtaining valid consent from the user: no pre-ticked checkboxes, declining cookies should be as easy as giving consent
- Withdrawal of consent: the user must be able to withdraw consent
User must be informed about cookies
Users must be clearly and transparently informed about cookies stored on their terminal device, such as a mobile phone or tablet. At least the type of cookie, the purpose of use and the time of operation must be stated. Although this notification obligation does not apply to so-called necessary cookies by law, it is nevertheless good to inform users about them. With regard to informing, it should be remembered that if the cookies used on the website are changed, the informing must also be updated. This ensures that the informing stays up to date. If so-called third-party cookies are used, this must also be communicated to the user clearly and transparently enough.
Necessary and other cookies
By law, consent is not required for so-called necessary cookies. Cookies can be classified as necessary cookies for example in the following cases:
- if the sole purpose of the storage or use of the data is to carry out the transmission of a message on communication networks, or
- the storage and use of data are necessary for the service provider to provide a service explicitly requested by the subscriber or service user.
Necessary cookies are e.g. cookies related to data security and session-specific authentication, and cookies that enable the storage of the contents of the shopping cart. Thus far, analytics cookies have not been considered necessary, so consent is required to store them.
Withdrawal of consent must be easy
If the user so wishes, he or she must be able to withdraw the given consent. Withdrawal of consent or change of cookie selections already made should be easy for the user. If the consent was originally requested with a banner, for example, the banner should reappear easily by clicking a link, so that the cookie settings can be changed at any time.
The service provider must ensure that the withdrawal of consent and changes to the cookie settings have an effective effect on the processing of the data and that such cookie data is deleted. After a user withdraws their consent, the data about that user must be deleted or overwritten from the device.
How to proceed in the future?
Service providers should, in particular, take into account that the user’s consent to the storage of cookies should be properly requested and easily withdrawn. The challenge may be that the cookie legislation is complied with at the expense of site availability.
How to strike a balance between site usability and legal requirements? We are happy to help with matters related to data protection and cookies!
Markus Myhrberg, Partner, email@example.com, tel. +358 40 505 5343
Erika Leinonen, Counsel, firstname.lastname@example.org, tel. +358 45 7820 0310
Laura Ranki, Associate, email@example.com, tel. +358 40 777 2572