Cookies

Prior consent

As a consequence of the amendments to the ePrivacy Directive, consent is needed for the use of cookies unless the cookie is strictly necessary for the provision of a service to that subscriber or user. There is no exact wording for consent to be “prior” to the use of a cookie, but the draft documentation of the ECS makes it clear that consent will have to be obtained beforehand. Specifically Section 205 of the ECS (available in English https://www.finlex.fi/fi/laki/kaannokset/2014/en20140917.pdf): The service provider may save cookies or other data concerning the use of the service in the user’s terminal device, and use such data, if the user has given his or her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving or using such data.

 

The use of browser settings as a means to obtain consent have been mentioned as means to obtain consent in the draft documents of the legislation. If the user has not set their browser to reject cookies by default, they are consenting to their use. Because of the CJEU’s decision in Planet49 (C-673/17) on cookie practices, the Finnish Transport and Communications Agency & National Cyber Security Center (TRAFICOM) specified its cookie guidelines on giving consent and providing users with information on the duration of the operation of cookies and third-party access to cookies. According to the more detailed guidance, users can still give their consent to the use of cookies by using browser settings.

 

Website users must be provided with clear and comprehensive information about cookies and the purposes of saving or using user data. Users must also be given information on at least how long the cookies are used and whether third parties may have access to the cookies. Storing and using information collected by cookies require the user’s consent. Informing users on data collected by cookies and allowing them to refuse the storage of cookies must be implemented in the most user-friendly manner possible.

 

Finland interprets the ePrivacy Directive so that users can give their consent to store cookies on their terminal equipment, for example, by using the appropriate settings of a browser or other application.

Cookie banners are not required, but they are starting to be used on Finnish websites. In Finland, providing information about cookies or giving consent to their storage does not require a pop-up window. Consent can be requested by using any preferred method (e.g. browser/application setting or pop-up window) as long as it is not requested by using a pre-ticked checkbox. The use of cookies and the related practices must also be indicated on a website in such a manner that a user can obtain additional information about them.

The only notable difference from the ePrivacy Directive is a clarification that data may only be stored and/or accessed to the extent required for the service provided, and that it may not limit privacy any more than absolutely necessary.