What are Finland DPA Cookie Guidelines?
This article explores the requirements of the Finland DPA Cookie Guidelines and summarizes the key takeaways.
What is Finland DPA?
The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data.
The Finnish DPA carries out the following duties:
- supervising compliance with data protection legislation and other laws concerning the processing of personal data;
- promoting awareness of the risks, rules, safeguards, obligations and rights related to the processing of personal data;
- carrying out investigations and inspections;
- imposing administrative sanctions for violations of the General Data Protection Regulation;
- receiving reports of personal data breaches; and
- other functions in connection with the data protection laws in Finland.
Finnish Transport and Communications Agency (Traficom)
Traficom was established by merging the Finnish Transport Safety Agency (Trafi), the Finnish Communications Regulatory Authority (FICORA), and certain functions of the Finnish Transport Agency. It is the authority in license, registration, and approval matters concerning traffic and communications safety and security.
What is the difference between the Data Protection Ombudsman and Traficom?
The Data Protection Ombudsman is the official DPA in Finland, which means that it is the supervisory body that monitors compliance with the data protection laws in general.
What are the Traficom Cookie Guidelines?
In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted Traficom's ruling.
In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.
The Requirements of Traficom Guidelines
The cookie guidelines of Traficom set out requirements for website operators and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies.
1. Non-essential cookies require prior consent.
Consent is not required for placing essential cookies on users’ devices. This applies, for example, when 1) the sole purpose of storing and using the data is to enable the transmission of messages in communications networks, or 2) the storage and use of the data is necessary for the service provider to provide a service that the subscriber or user has specifically requested.
2. Legitimate interest cannot be a ground for cookie usage.
3. Consent must be freely given, specific, informed, and unambiguous.
To be valid, consent must fulfill the conditions laid down in the GDPR: it must be freely given, specific, informed, and unambiguous. Consent must be an active expression indicating the data subject’s wish. Silence, pre-ticked boxes, or inactivity (e.g., scrolling, swiping) should not constitute consent.
4. Rejecting cookies must be as easy for the user as it is to give consent.
Refusing to give consent must be as uncomplicated as granting consent. For example, if an “Accept or Allow all” selection is offered for granting consent for all non-essential cookies on the cookie banner, a similar option to continue using the service only with essential cookies (i.e., “Accept only essential cookies” button) or to withdraw consent for non-essential cookies should also be offered.
5. Withdrawing consent must be as easy as giving it.
According to the GDPR, users must be able to withdraw their consent at any time. Withdrawing consent or changing settings set earlier by a user must be as simple for the user as giving consent. For example, if consent is obtained through a single mouse click, screen swipe, or button press, users must be able to refuse or withdraw consent just as easily.
6. Pre-ticked boxes are not lawful.
Cookie banners may not include pre-ticked boxes or pre-selected slide bars for non-essential cookies. Therefore, non-essential cookies may not be turned on by the website by default, and the user must explicitly agree to their use by clicking on them (opt-in).
7. Consent cannot be bundled into the Terms of the website.
The general terms and conditions of the website cannot be a method to obtain consent. Obtaining consent must be a separate action containing a freely given, informed, specific and unambiguous expression of will.
8. Provide information about the cookies.
Users must be informed of the use and storage of cookies comprehensively and understandably. This information must be provided when the user makes the decision on granting, rejecting, or withdrawing consent.
It is also recommended to inform users of cookies even when only essential cookies are used, and no consent is legally required.
Cookie banners should, at minimum, specify the following:
- whether cookies are used;
- the types of cookies used (e.g., essential, functional, personalization, advertising, social media, analytics, others);
- the purpose of each cookie (i.e., what data is collected with the cookie and for what purpose);
- the validity period of each cookie;
- information on whether data collected through cookies is shared with third parties, who the third parties are, and what data is transmitted.
9. Cookie walls are not allowed.
The mechanism used to request consent (i.e., a cookie banner) should not disproportionately disrupt or prevent the user from accessing the website. If the user continues to access the website without making the choices concerning cookies, the website must only use essential cookies by default. Therefore, it is inappropriate to use the acceptance of non-essential cookies as a precondition for accessing the website, as the consent cannot be considered voluntary (freely given) in this case.
10. Referring to browser settings for rejecting cookies is not lawful.
Browser settings cannot be considered sufficient indications of consent. This is because the user may not be able to configure the settings according to their preferences. Besides, configuring browser settings cannot be considered a sufficiently individualizing and active expression of will for the purpose of accepting cookies that can be used to collect data for a variety of purposes.
11. Consent must be demonstrable.
When requesting consent for placing cookies, it is appropriate to save the user’s choices to ensure that consent does not need to be constantly requested while the user navigates the website (“consent fatigue” must be avoided). Saving the choices made through the cookie banner may require the page to store a cookie that remembers the user’s choices on the user's device.
The website operator must later be able to prove that they have requested and obtained consent for placing cookies on the user’s device. To prove consent, at least the following data must be stored:
- date and time when consent was requested and obtained
- how consent was requested
- what information was provided to request consent, and
- the credentials that identify by whom and/or from which device consent was given
How Can Secure Privacy Help You Comply With Finland DPA Cookie Guidelines?
Secure Privacy comes packed with enterprise-level features that will help you fully comply with Finland Traficom cookie guidelines and the GDPR cookie guidelines.
The main features are:
- Advanced ongoing website scanning which allows you to see all of the cookies on your website
- Cookie consent banners that are highly customizable and stylish, with a universal preference center for users to opt-in and opt-out of the cookies and other tracking technologies
- Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
- Over 70 languages supported
- Real-time logs and consents tracking to ensure you maintain records of the consent you receive from users in case CNIL requests it
- A future-proof GDPR compliance solution that is also compliant with CCPA in California and LGPD in Brazil.