Insights | May 20, 2020

Cookie consent in Finland should no longer be obtained through browser settings – decision by the Finnish DPA

The Finnish Deputy Data Protection Ombudsman has published a decision on the requirements for cookie consent, contradicting an earlier decision by the Finnish Transport and Communications agency Traficom. The focal point of both decisions was whether consent for use of non-essential cookies can be given via a website user’s browser settings.

The 14 May 2020 decision by the Finnish Deputy Data Protection Ombudsman (Data Protection Autority, DPA) ruled that instructing a website user to manage browser privacy settings does not constitute sufficiently active and explicit consent under the EU General Data Protection Regulation (GDPR, 2016/679), and further emphasized that rejecting non-essential cookies must be as easy for the website user as giving consent to cookies. This decision by the DPA differs from the views presented in the 24 April 2020 decision of the Finnish Transport and Communications Agency (Traficom).

The interpretation is in line with the October 2019 ruling of the Court of Justice of the European Union (CJEU) on cookie consent, in the case C‑673/17 (Planet49). In the ruling, the CJEU stated that consent must be given through an active measure, and deemed that a pre-checked tick-box does not indicate such active measure by an individual user. Whereas in the Planet49 ruling, the CJEU did not address the issue of what “freely given consent” means in the context of cookies, the DPA has now clarified that in Finland, such consent cannot be obtained through browser settings.

The DPA instructed a company, acting as the data controller, to change the way it requests a website user’s consent for the use of non-essential cookies, after an individual filed a complaint stating that they had no opportunity to reject the use of cookies on the company’s website. The company used cookies on its website to gather data for itself and third parties regarding e.g. service use and IP addresses for the purpose of personalizing services and targeted marketing. A cookie banner on the website informed that by continuing to the site, the user accepts cookies, or alternatively has the possibility to reject cookies in the browser settings. The DPA stated that such consent does not fulfil the requirements of the GDPR, and that inactivity regarding browser settings, i.e. not rejecting cookies in the browser settings, does not constitute a valid consent. However, the DPA did not issue monetary sanctions to the data controller, referring to the ambiguous legal status of the question after the application of the GDPR had commenced.

The DPA’s interpretation follows the European Data Protection Board’s updated guidelines on consent, which stress the active indication of choice in a valid consent, and mention that browser settings should be developed in line with the conditions for valid consent in the GDPR, emphasizing that a consent must be granular for each of the envisaged purposes and that the information provided should name the controllers.

This development marks an end to the prior Finnish cookie consent practices, according to which a consent for cookies could be given through browser settings. The Traficom’s decision of 24 April 2020 reflected this earlier line of interpretation, based on the national cookie legislation transposing the EU Directive on Privacy and Electronic Communications (ePrivacy Directive, 2002/58/EC). Currently, the 2002 e-Privacy Directive requires that a person being tracked must have “given his or her consent” to the use of cookies, and a similar provision is included in the Finnish Act on Electronic Communication Services (917/2014, as amended).

The upcoming EU e-Privacy Regulation, which will replace the existing ePrivacy Directive, is expected to further specify cookie consent requirements and to unify practices in the EU member states. However, no agreement on the final text of the ePrivacy Regulation has yet been reached, with the most recent discussions taking place at the EU Council Working Party on Telecommunications and Information Society in March 2020.

In the absence of further legislation on the topic, the decision of the Finnish DPA remains the key source of interpretation regarding a valid consent for the use of non-essential cookies in Finland, and can be summarized as follows:

  • Cookie consent must meet the GDPR requirements for consent, including the consent being a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Rejecting cookies must be as easy for the website user as giving consent to cookies.
  • Silence, pre-ticked boxes or inactivity cannot constitute a valid consent for use of cookies.
  • It is not sufficient to direct the website users to modify their browser settings to reject cookie usage.