What are Finland DPA Cookie Guidelines?

In Finland, cookie guidelines have been issued by Traficom - the competent authority on matters related to cookie regulation and supervision of the use of cookies. Even though Traficom is not the official supervisory authority in Finland, it collaborates with the Finnish DPA - the Data Protection Ombudsman and takes into consideration views of the Finnish DPA in its guidelines.

What is Finland DPA?

The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data.

The Finnish DPA carries out the following duties:

supervising compliance with data protection legislation and other laws concerning the processing of personal data;
promoting awareness of the risks, rules, safeguards, obligations and rights related to the processing of personal data;
carrying out investigations and inspections;
imposing administrative sanctions for violations of the General Data Protection Regulation;
receiving reports of personal data breaches; and
other functions in connection with the data protection laws in Finland.

Finnish Transport and Communications Agency (Traficom)

In Finland, the Finnish Transport and Communications Agency (Traficom), which is an authority distinct from the Data Protection Ombudsman, also plays an active role when it comes to the use of cookies.

Traficom was established by merging the Finnish Transport Safety Agency (Trafi), the Finnish Communications Regulatory Authority (FICORA), and certain functions of the Finnish Transport Agency. It is the authority in license, registration, and approval matters concerning traffic and communications safety and security.

What is the difference between the Data Protection Ombudsman and Traficom?

The Data Protection Ombudsman is the official DPA in Finland which means that it is the supervisory body that monitors compliance with the data protection laws in general.

On the other hand, Traficom is the authority responsible for monitoring and ensuring the confidentiality of electronic communications. It is also the competent authority on matters related to cookie regulation and supervision of the use of cookies.

In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted the ruling made by the Traficom.

The background of the decision of the Finnish DPA concerned a case where a company was collecting information through the use of cookies and used this information for several purposes, including targeted advertising and service personalization. The website of the company provided users with a pop-up banner informing them about the cookies. The pop-up banner indicated that by continuing to use the website, the user consents to the use of cookies and gave the user two options: consent to the use of cookies by selecting an “OK” button or choose to obtain additional information. There was no option for refusing the cookies. When clicking the button offering additional information, the user was redirected to the privacy policy page of the company which included information that cookies could be deactivated through the browser settings. The company's method for collecting cookie consent was determined to violate the GDPR, according to the Ombudsman. The Ombudsman stated that consent for cookies is considered freely given and specific under the GDPR only if the data subject is given an equal chance to both accept and reject the cookies.

In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.

The Requirements of Traficom Guidelines

The cookie guidelines of Traficom set out requirements for website operators and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies.

1. Non-essential cookies require prior consent.

Requesting consent from users is not required for placing essential cookies on users’ devices. For example, when 1) the sole purpose of storing and using the data is to enable the transmission of messages in communications networks, or 2) the storage and use of the data is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

2. Legitimate interest cannot be a ground for cookie usage.

Legitimate interest does not authorize the storing or use of cookies. Section 205 of the Finnish Act on Electronic Communications Services (917/2014) and its underlying Article 5(3) of the ePrivacy Directive do not recognize legitimate interest as a basis for storing or using cookies on users’ devices.

3. Consent must be freely given, specific, informed, and unambiguous.

In order to be valid, consent must fulfill the conditions laid down in the GDPR - freely given, specific, informed, and unambiguous. Consent must be an active expression indicating the data subject’s wish. Silence, pre-ticked boxes, or inactivity (i.e., scrolling, swiping) should not constitute consent.

4. Rejecting cookies must be as easy for the user as it is to give consent.

Refusing to give consent must be as uncomplicated as granting consent. For example, if an “Accept or Allow all” selection is offered for granting consent for all non-essential cookies on the cookie banner, a similar option to continue using the service only with essential cookies (i.e., “Accept only essential cookies” button) or to withdraw consent for non-essential cookies should also be offered.

5. Withdrawing cookies must be as easy as giving consent.

According to the GDPR, users must be able to withdraw their consent at any time. Withdrawing consent or changing settings set earlier by a user must be as simple for the user as giving consent. For example, if consent is obtained through a single mouse click, screen swipe, or button press, users must be able to refuse or withdraw consent just as easily.

6. Pre-ticked boxes are not lawful.

Cookie banners may not include pre-ticked boxes or pre-selected slide bars for non-essential cookies. Therefore, non-essential cookies may not be turned on by the website by default, and the user must explicitly agree to their use by clicking on them (opt-in).

7. Consent cannot be bundled into the Terms of the website.

The general terms and conditions of the website cannot be a method to obtain consent. Obtaining consent must be a separate action containing a freely given, informed, specific and unambiguous expression of will.

8. Provide information about the cookies.

Users must be informed of the use and storage of cookies comprehensively and understandably. This information must be provided when the user makes the decision on granting, rejecting, or withdrawing consent.

It is also recommended to inform users of cookies even when only essential cookies are used, and no consent is legally required.

Cookie banners should, at minimum, specify the following:

whether cookies are used;
The types of cookies are used (i.e., essential, functional, personalization, advertising, social media, analytics, others);
the purpose of each cookie (i.e., what data is collected with the cookie and for what purpose);
the validity period of each cookie;
information on whether data collected through cookies is shared with third parties, who the third parties are, and what data is transmitted.

In addition to this, the cookie banner may include more specific information or a link to more specific information relating to the cookies or privacy policy of the website.

9. Cookie walls are not allowed.

The mechanism used to request consent (i.e., a cookie banner) should not disproportionately disrupt or prevent the user from accessing the website. If the user continues to access the website without making the choices concerning cookies, the website must only use essential cookies by default. Therefore, it is inappropriate to use the acceptance of non-essential cookies as a precondition for accessing the website, as the consent cannot be considered voluntary (freely given) in this case.

10. Referring to browser settings for rejecting cookies is not lawful.

Browser settings cannot be considered sufficient indications of consent. This is because the user may not be able to configure the settings according to their preferences. Besides, configuring browser settings cannot be considered a sufficiently individualizing and active expression of will for the purpose of accepting cookies that can be used to collect data for a variety of purposes.

11. Consent must be demonstrable.

When requesting consent for placing cookies, it is appropriate to save the user’s choices to ensure that consent does not need to be constantly requested while the user navigates the website (“consent fatigue” must be avoided). Saving the choices made through the cookie banner may require the page to store a cookie that remembers the user’s choices on the user's device.

The website operator must later be able to prove that they have requested and obtained consent for placing cookies on the user’s device. To prove consent, at least the following data must be stored:

date and time when consent was requested and obtained
how consent was requested
what information was provided to request consent, and
the credentials that identify by whom and or from which device consent was given

Secure Privacy comes packed with enterprise-level features that will help you fully comply with Finland Traficom cookie guidelines and the GDPR cookie guidelines.

The main features are:

Advanced ongoing website scanning which allows you to see all of the cookies on your website
Cookie consent banners that are highly customizable and stylish, with a universal preference center for users to opt-in and opt-out of the cookies and other tracking technologies
Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
A privacy policy generator that automates the creation of your cookie notice in order to meet GDPR disclosure requirements
Over 70 languages supported
Real-time logs and consents tracking to ensure you maintain records of the consent you receive from users in case CNIL requests it
A future-proof GDPR compliance solution that is also compliant with CCPA in California and LGPD in Brazil.

Book a call today if you would like more information about Secure Privacy and GDPR Cookie Consent compliance, or if you would like our data protection expert to perform a quick 'check-up' of your website, cookie consent banner, or cookie policy.

Schedule a call to learn more