Cookie consent in Finland should no longer be obtained through browser settings – decision by the Finnish DPA
The Finnish Deputy Data Protection Ombudsman has published a decision on the requirements for cookie consent, contradicting an earlier decision by the Finnish Transport and Communications agency Traficom. The focal point of both decisions was whether consent for use of non-essential cookies can be given via a website user’s browser settings.
The 14 May 2020 decision by the Finnish Deputy Data Protection Ombudsman (Data Protection Autority, DPA) ruled that instructing a website user to manage browser privacy settings does not constitute sufficiently active and explicit consent under the EU General Data Protection Regulation (GDPR, 2016/679), and further emphasized that rejecting non-essential cookies must be as easy for the website user as giving consent to cookies. This decision by the DPA differs from the views presented in the 24 April 2020 decision of the Finnish Transport and Communications Agency (Traficom).
The interpretation is in line with the October 2019 ruling of the Court of Justice of the European Union (CJEU) on cookie consent, in the case C‑673/17 (Planet49). In the ruling, the CJEU stated that consent must be given through an active measure, and deemed that a pre-checked tick-box does not indicate such active measure by an individual user. Whereas in the Planet49 ruling, the CJEU did not address the issue of what “freely given consent” means in the context of cookies, the DPA has now clarified that in Finland, such consent cannot be obtained through browser settings.
The DPA’s interpretation follows the European Data Protection Board’s updated guidelines on consent, which stress the active indication of choice in a valid consent, and mention that browser settings should be developed in line with the conditions for valid consent in the GDPR, emphasizing that a consent must be granular for each of the envisaged purposes and that the information provided should name the controllers.
The upcoming EU e-Privacy Regulation, which will replace the existing ePrivacy Directive, is expected to further specify cookie consent requirements and to unify practices in the EU member states. However, no agreement on the final text of the ePrivacy Regulation has yet been reached, with the most recent discussions taking place at the EU Council Working Party on Telecommunications and Information Society in March 2020.
In the absence of further legislation on the topic, the decision of the Finnish DPA remains the key source of interpretation regarding a valid consent for the use of non-essential cookies in Finland, and can be summarized as follows:
- Cookie consent must meet the GDPR requirements for consent, including the consent being a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Rejecting cookies must be as easy for the website user as giving consent to cookies.
- It is not sufficient to direct the website users to modify their browser settings to reject cookie usage.