IDC Names Securiti a Worldwide Leader in Data Privacy

View

Cookie and Consent Practices in Finland

By Anas Baig | Reviewed By Maria Khan
Published August 6, 2021

Listen to the content

On 13 July 2021, the Finnish Transport and Communications Agency (Traficom) released a consultation on the Draft Guidance on the Use of Web Cookies (Guidance). Traficom allows the public to comment on draft Guidance before their final publication. The comment and response period ends on 9 August 2021.

This article provides an overview of the Guidance that will help service providers implement legally compliant cookie consent solutions on their websites.

The Guidance applies to service providers that use cookies as well as other similar tracking technologies that allow reading and storing of the user’s data such as a built-in storage mechanism in HTML5, Flash player, tracking pixels, web beacons and various tags, and fingerprinting technologies.

Let’s look into some of the key points highlighted by Traficom in this Guidance:

The use of non-essential cookies requires user’s consent:

All non-essential cookies and similar tracking technologies require the consent of the user.

Examples of such cookies are:

  • Long-term cookies related to personalisation
  • Authentication-related long-term cookies
  • Development and analytics cookies
  • Cookies related to targeted advertisements and marketing
  • Specific data acquired from a terminal device via active scanning
  • Cookies related to social media platforms
  • Cookies enabling real-time communication
  • Cookies related to cross-media content
  • The processing of location data

The user’s consent is not needed for the use of essential cookies or other corresponding technologies. Essential cookies are those whose sole purpose of storing and using data is to carry out the transmission of a communication over an electronic communications network or the storage and use of data is strictly necessary for the service provider to provide a service that the subscriber or service user has specifically requested. These cookies implement the transmission of a message through a network by identifying the transmission points required for routing the message, ensure the transmission of the message’s content to the destination in an appropriate order or detect errors or data losses occurring during the transmission of the message. Third-party cookies are generally not considered essential as they are not required to transmit messages.

The following are examples of cookies considered to be essential to provide a requested service:

  • Cookies related to the user’s input (for example, cookies to remember the content of a user’s shopping cart in an online store)
  • Short-term cookies related to authentication
  • Cookies related to information security (to ensure the safe transmission of data or identify possible or attempted misuses of the service by monitoring the amount of successive login attempts)
  • Cookies related to presenting content (for example, flash technology-based content)
  • Cookies related to the user’s preferences regarding language, appearance, and accessibility while visiting the site, such as font or text size
  • Cookies related to accessibility (for example, enabling the use of audio description or voice subtitling)
  • Cookies related to the site layout

Even in the case of the use of essential cookies, users must be adequately informed about them and their use is allowed only to the extent necessary to provide the service.

Consent to the use of non-essential cookies must be freely given, specific, informed and unambiguous. Non-essential cookies cannot be turned on in the service or site by default and the user must separately agree to their use by clicking on them (opt-in).

The following are not valid indications of consent:

  • Browser settings cannot be considered sufficient indications of consent
  • General terms and conditions of the service, accepting them or continuing to use the service are not considered valid indications of consent
  • The use of pre-ticked boxes or slide switches in the on position is not valid consent

Withdrawal of consent:

Users must be able to withdraw their consent at any time without any detriment. Withdrawing consent must be as simple and easy as accepting cookies. For example, if consent was requested using a cookie preference center, the user should be able to easily reinvoke the preference center again at any time to change their cookie preferences by clicking on an icon visible on the page.

Demonstration of consent:

The service provider must be able to demonstrate that they have requested consent to store and use cookies and comparable data. For this purpose, the following must at least be stored:

  • The moment when consent was requested and obtained
  • How consent was requested
  • What information was provided to request consent
  • The necessary identification data with regard to who gave consent
  • Specific storage periods for personal data

However, no more data is allowed to be stored than is necessary to prove the obtaining of consent. Additionally, service providers must be able to justify the storage times of personal data since personal data can only be stored for the duration necessary for the purposes of its processing.

Informing users and consent banners:

Users must be informed comprehensively and understandably of the use of cookies or other data that require the user’s consent. For this purpose, cookie consent banners should specify the following:

  • The cookies and similar technologies used as well as their type (for example, the following classifications may be used: essential, functional, personalisation, advertisement, social media-related, analytics and measuring, others)
  • The purpose of each cookie, i.e. what data is collected with the cookie and for what purpose
  • The validity period of each cookie
  • Information on whether data is shared with third parties via the cookies, who these parties are, and what data is transmitted
  • A link to specific information concerning the service’s cookies or privacy policy

Service providers must comply with Article 13 of the GDPR concerning information to be provided to data subjects. In addition, the layout of the consent banner must be as neutral as possible. This means service providers must use equal font sizes and colors for accept and reject commands so that users are not misguided by consent banner design choices.

How Securiti can help?

Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements. It can help you comply with the Finnish Guidance on cookies with the help of the following features:

  • Periodic scanning of websites
  • Configurable preference center
  • Auto-blocking of non-essential cookies
  • Dynamic consent refresh
  • Granular consent records and reporting

Ask for a DEMO to understand how Securiti can help you comply with Finland’s Guidance on Cookies and other similar tracking technologies, GDPR and a whole host of other global privacy laws and regulations, with ease.

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.

 

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share


More Stories that May Interest You

Follow