Finnish Supervising Authority Updates Guidance on Cookies for Service Providers

2 November 2021

Author: Axel Hård af Segerstad 

The Finnish Transport and Communications Agency (Traficom) recently updated its guidance for service providers (available only in Finnish) on storing cookies and other data regarding the use of services on users’ terminal devices. The new guidelines contain the supervising authority’s current view on lawful and acceptable cookie practices, which are now in line with the recent case law, statements of the Finnish Data Protection Ombudsman, as well as the General Data Protection Regulation (2016/679, GDPR). We have covered the previous case law and authorities’ varying reasoning in a previous blog post, which you can find here. This post will cover the key updates in the new guidelines.

The background to the updated guidelines is the two decisions issued by the Helsinki Administrative Court in the spring of 2021. The Administrative Court ruled that consent for the use of cookies referred to in Section 205 of the Electronic Communications Services Act (917/2014) must be interpreted in the same way as consent referred to in the GDPR. The Administrative Court stated that it is not possible to give valid consent, through the settings of an internet browser, to the use of cookies that are not strictly necessary. Consent obtained via the user’s browser settings cannot be considered personal and informed consent.

When Is Consent for Cookies Required?

Pursuant to Section 205 of the Electronic Communications Services Act, the general principle for the storage and use of cookies or other information describing the use of the service is that the user has given their consent to such use. However, as an exception, consent is not required when strictly necessary cookies are used. Cookies are to be considered strictly necessary when they are used for the sole purpose of carrying out transmission of a communication or if the cookies are necessary to provide a service that a user has explicitly requested. In such situations, storage and use are permitted only to the extent required by the service and must not restrict protection of privacy more than is necessary.

Furthermore, it should also be noted that in accordance with Section 205 of the Electronic Communications Services Act and its underlying Article 5(3) of the EU ePrivacy Directive, a legitimate interest of a data controller is not recognised and is therefore not a valid legal ground for storing and using cookies or similar tracking technologies.

Assessing the Necessity of a Cookie

The law does not distinguish between the different types of cookies based on their technical or other characteristics, even though a single cookie can implement several different functionalities and it is possible to use the same cookie for several different purposes. Therefore, the purpose of the information collected and processed by cookies is crucial in assessing the necessity of a cookie.

In order to be covered by the exception relating to the transmission of a message, the sole purpose of the cookies must be to enable the transmission of the message. Therefore, in order for the exception to apply, the cookie should directly enable or implement at least one of the following:

  • implement the transmission of a message through a network, by, for example, identifying the transmission points required for routing the message;
  • ensure that the content of the message is delivered in an appropriate order; and/or
  • detect errors or data losses occurring during the transmission of the message.

For example, if load balancing (technology that can be used to distribute incoming requests to a site to more than one back-end server) is implemented in such a way that it is necessary to store a cookie on the user's machine to ensure that the user's connections always end up on a specific server for the requested service to work properly, such a cookie can be considered to relate to message transmission and therefore be deemed necessary. Normally, third-party cookies are not required to transmit communications.

Consent in Accordance with the GDPR

According to Traficom’s guidelines, a service provider must ensure that a user's consent is requested in accordance with the provisions of the GDPR and that the information related to cookies is provided properly and in a timely manner when the user opens the service or arrives at the website. It should be as easy to refuse as it is to consent. Traficom’s guidelines state that consenting to the use of cookies that are not strictly necessary should not be easier than refusing to use them. This means that a banner or a pop-up window that opens on the site when the user arrives at the service has to display consent and refusal as equally easy options.

Browser settings, on the other hand, cannot be considered a sufficient confirmation of consent because the user may not have configured or been able to configure the settings to suit their preferences. Also, browser settings cannot be considered a sufficiently unique and active expression of intent when it comes to accepting different cookies that can be used to collect information for multiple uses.

Pursuant to the GDPR, it must be possible to withdraw consent at any time. Withdrawing the consent or changing the settings already made must be as simple as possible for the user. When consent is obtained electronically with just one mouse click, screen swipe, or keystroke, users must be able to refuse consent and withdraw consent with equal ease. In addition, the user must be able to withdraw their consent without inconvenience. This means, inter alia, that one should be able to withdraw consent free of charge or without artificially lowering the level of service. However, the withdrawal of consent, for example with regard to the use of personalisation cookies, may entail some deterioration in the level of service and the user experience.

What Information Must Be Provided when Cookies Are Used?

Cookies and any other use or storage of data that requires the user's consent must be fully and comprehensibly communicated to the user when the user makes choices to give, refuse, or withdraw the consent. According to Traficom’s guidance, the banner or other procedure for requesting consent must specify at least what cookies and similar technologies are used as well as their type, the purpose of each cookie, i.e., what information is collected by the cookie and for what purposes, the validity period of the cookie, and information on whether the information stored through cookies is shared with third parties, who these parties are, and what information is transferred. In addition to these, the banner may contain more detailed information or, for example, a link to more detailed information about the service's cookies or privacy policies. In addition, it should be noted that in the case of personal data, Article 13 of the GDPR on information will also apply.

What Do the Updated Guidelines Mean for Service Providers?

As Traficom is the supervising authority in Finland regarding the storage and use of cookies, its guidelines need to be followed on all Finnish websites. Evidently, service providers need to assess whether their current cookie practices are in line with the new guidelines with regard to, inter alia, how consent is obtained and how consent may be refused or withdrawn with equal ease and without lowering the level of the service’s usability.

If you have any questions relating to the new guidance, please feel free to reach out to us.