Cookie and Consent Practices in Finland

On 13 July 2021, the Finnish Transport and Communications Agency (Traficom) released a consultation on the Draft Guidance on the Use of Web Cookies (Guidance). Traficom allows the public to comment on draft Guidance before their final publication. The comment and response period ends on 9 August 2021.

This article provides an overview of the Guidance that will help service providers implement legally compliant cookie consent solutions on their websites.

The Guidance applies to service providers that use cookies as well as other similar tracking technologies that allow reading and storing of the user’s data such as a built-in storage mechanism in HTML5, Flash player, tracking pixels, web beacons and various tags, and fingerprinting technologies.

Let’s look into some of the key points highlighted by Traficom in this Guidance:

Consent must be freely given, specific, informed and unambiguous:

Consent to the use of non-essential cookies must be freely given, specific, informed and unambiguous. Non-essential cookies cannot be turned on in the service or site by default and the user must separately agree to their use by clicking on them (opt-in).

The following are not valid indications of consent:

• Browser settings cannot be considered sufficient indications of consent
• General terms and conditions of the service, accepting them or continuing to use the service are not considered valid indications of consent
• The use of pre-ticked boxes or slide switches in the on position is not valid consent

Withdrawal of consent:

Users must be able to withdraw their consent at any time without any detriment. Withdrawing consent must be as simple and easy as accepting cookies. For example, if consent was requested using a cookie preference center, the user should be able to easily reinvoke the preference center again at any time to change their cookie preferences by clicking on an icon visible on the page.

Demonstration of consent:

The service provider must be able to demonstrate that they have requested consent to store and use cookies and comparable data. For this purpose, the following must at least be stored:

• The moment when consent was requested and obtained
• How consent was requested
• What information was provided to request consent
• The necessary identification data with regard to who gave consent
• Specific storage periods for personal data

However, no more data is allowed to be stored than is necessary to prove the obtaining of consent. Additionally, service providers must be able to justify the storage times of personal data since personal data can only be stored for the duration necessary for the purposes of its processing.

Informing users and consent banners:

Users must be informed comprehensively and understandably of the use of cookies or other data that require the user’s consent. For this purpose, cookie consent banners should specify the following:

• The cookies and similar technologies used as well as their type (for example, the following classifications may be used: essential, functional, personalisation, advertisement, social media-related, analytics and measuring, others)
• The purpose of each cookie, i.e. what data is collected with the cookie and for what purpose
• The validity period of each cookie
• Information on whether data is shared with third parties via the cookies, who these parties are, and what data is transmitted
• A link to specific information concerning the service’s cookies or privacy policy

Service providers must comply with Article 13 of the GDPR concerning information to be provided to data subjects. In addition, the layout of the consent banner must be as neutral as possible. This means service providers must use equal font sizes and colors for accept and reject commands so that users are not misguided by consent banner design choices.