Finnish Supervising Authority Updates Guidance on Cookies for Service Providers
2 November 2021
Author: Axel Hård af Segerstad
The Finnish Transport and Communications Agency (Traficom) recently updated its guidance for service providers (available only in Finnish) on storing cookies and other data regarding the use of services on users’ terminal devices. The new guidelines contain the supervising authority’s current view on lawful and acceptable cookie practices, which are now in line with recent case law, statements of the Finnish Data Protection Ombudsman, and the General Data Protection Regulation (2016/679, GDPR). We have covered the previous case law and the authorities’ varying reasoning in an earlier blog post, which you can find here. This post will cover the key updates in the new guidelines.
When Is Consent for Cookies Required?
Furthermore, it should also be noted that in accordance with Section 205 of the Electronic Communications Services Act and its underlying Article 5(3) of the EU ePrivacy Directive, a legitimate interest of a data controller is not recognised and is therefore not a valid legal ground for storing and using cookies or similar tracking technologies.
Assessing the Necessity of a Cookie
The law does not distinguish between the different types of cookies based on their technical or other characteristics, even though a single cookie can implement several different functionalities and it is possible to use the same cookie for several different purposes. Therefore, the purpose of the information collected and processed by cookies is crucial in assessing the necessity of a cookie.
In order to be covered by the exception relating to the transmission of a message, the sole purpose of the cookies must be to enable the transmission of the message. Therefore, in order for the exception to apply, the cookie should directly enable or implement at least one of the following:
- implement the transmission of a message through a network, by, for example, identifying the transmission points required for routing the message;
- ensure that the content of the message is delivered in an appropriate order; and/or
- detect errors or data losses occurring during the transmission of the message.
For example, if load balancing (technology that can be used to distribute incoming requests to a site to more than one back-end server) is implemented in such a way that it is necessary to store a cookie on the user's machine to ensure that the user's connections always end up on a specific server for the requested service to work properly, such a cookie can be considered to relate to message transmission and therefore be deemed necessary. Normally, third-party cookies are not required to transmit communications.
Consent in Accordance with the GDPR
Browser settings, on the other hand, cannot be considered a sufficient confirmation of consent because the user may not have configured or been able to configure the settings to suit their preferences. Also, browser settings cannot be considered a sufficiently unique and active expression of intent when it comes to accepting different cookies that can be used to collect information for multiple uses.
Pursuant to the GDPR, it must be possible to withdraw consent at any time. Withdrawing consent or changing settings already made must be as simple as possible for the user. When consent is obtained electronically with just one mouse click, screen swipe, or keystroke, users must be able to refuse consent and withdraw consent with equal ease. In addition, the user must be able to withdraw their consent without inconvenience. This means, inter alia, that one should be able to withdraw consent free of charge or without artificially lowering the level of service. However, the withdrawal of consent, for example with regard to the use of personalisation cookies, may entail some deterioration in the level of service and the user experience.
What Information Must Be Provided when Cookies Are Used?
Cookies and any other use or storage of data that requires the user's consent must be fully and comprehensibly communicated to the user when the user makes choices to give, refuse, or withdraw consent. According to Traficom’s guidance, the banner or other procedure for requesting consent must specify at least:
- what cookies and similar technologies are used, as well as their type;
- the purpose of each cookie, i.e., what information is collected by the cookie and for what purposes;
- the validity period of the cookie; and
- whether the information stored through cookies is shared with third parties, who these parties are, and what information is transferred.
Beyond these, the banner may contain more detailed information or, for example, a link to more detailed information about the service's cookies or privacy policies. It should also be noted that, in the case of personal data, the information requirements of Article 13 of the GDPR will also apply.
What Do the Updated Guidelines Mean for Service Providers?
If you have any questions relating to the new guidance, please feel free to reach out to us.