In November 2021 new cookie and consent regulations came into effect in Finland. Finnish companies now have to review how they collect and store personal data and adapt according to the new regulations.
So, what are the new rules for using cookies in Finland? What proof do you need in order to demonstrate legally collected consent? How can you ensure compliance? In this article, we’ll tackle all these topics and more.
Summary:
- Regulation changes in Finland since 2021
- Scope of application of the Finnish data privacy law
- The compliance requirements of Finnish cookie law
- Different kinds of cookies under Finland's cookie law
- Informing users under the Finnish data privacy law
- How Didomi can help you navigate Finnish cookies and consent regulation
- Frequently Asked Questions (FAQ)
Regulation changes in Finland since 2021
Finland updated its cookie and consent regulations in 2021. The main changes came from Finland’s administrative court, which concluded that internet browser settings alone could no longer grant valid consent for the use of non-essential cookies.
The court also considered that the Finnish Transport and Communications Agency (Traficom) was the competent authority on cookie regulation and supervising the use of cookies. Traficom is also in charge of interpreting the definition of consent in questions relating to cookie usage.
Scope of application of the Finnish data privacy law
The updated regulation applies to companies that use cookies and similar technologies to store or access personal data stored on user devices when using websites or electronic communication services.
The guidelines also recommend that service providers think carefully about the following aspects of cookie usage:
- What cookies or technologies they rely on.
- How cookies can be classified into essential and non-essential cookies.
- Is key information about cookie usage and the purpose of their use being shown to users in a clear, easy-to-understand way?
- How does the service request consent for non-essential cookies?
- How does the service allow users to change their cookie settings or remove their consent?
Lastly, the regulations also outline how non-personal data can become personal data. On its own, information such as IP addresses, advertising IDs, purchasing history, and details on when a website has been accessed doesn’t count as personal data.
However, if this type of information is collected extensively, especially for the purposes of profiling, targeting or influencing, it’s more likely to count as personal data.
The compliance requirements of Finnish cookie law
Here’s a quick breakdown of the key compliance requirements for Finnish cookie law:
- Consent required for non-essential cookies: You have to obtain the user’s consent to use any non-essential cookies. Whether a cookie or tracker is essential depends on the purpose of its use. An essential cookie is purely technical and must be present to provide the website's basic functionality. A non-essential cookie is used to analyze users’ behavior or to display advertisements using platforms such as Google Analytics, Tealium, Facebook or Taboola.
- No legitimate interest possible: The legitimate interest of a data controller as described in the GDPR guidelines doesn’t give a right to store cookies on a user’s device or use other tracking technologies.
- No setting cookies before consent is granted: User permission must be obtained before any non-essential cookies can be set.
- Consent form: To obtain consent, users should be provided with a clear, easy-to-understand form with options to accept all cookies, refuse all cookies or only accept essential cookies. Service providers should also offer a second, more detailed form with additional options.
- Opt-in only: Cookie banners aren’t allowed to include pre-ticked boxes or slide switches in the ‘on’ position. Users can only agree to accept cookies by deliberately asking to opt in.
- Scrolling isn’t consent: Simply scrolling down a form or page doesn’t count as consent. A user has to click on an option to accept cookies.
- Express consent only: GDPR states that only a freely given, specific, informed and unambiguous indication of a preference counts as consent. Silence, pre-ticked boxes and inactivity don’t count.
- Withdrawal of consent should be as easy as giving consent: This means that the process for removing consent should be just as uncomplicated as the process for giving consent.
- Proof of consent is required: This includes the date and time when consent was requested and obtained, how consent was requested, what information was provided to request consent, and the credentials that identify who or from which device consent was given.
This last point is something you can manage with our Versions and Proofs feature, which is covered in our dedicated help center article.
Different kinds of cookies under Finland's cookie law
It’s also worth bearing in mind that cookies come in many different forms. Here’s a short, non-exhaustive list of the different kinds of cookies you should be aware of if you want to be compliant with Finnish cookie law:
- Authentication cookies: These are used to authenticate users when they log into sites or apps. They might be ‘session specific’, meaning that they’re used to grant access to secure areas of a site and maintain login. Session-specific cookies are more likely to be considered essential, whereas cookies enabling a permanent login might not be considered essential if the user isn’t informed that a long-term login is being maintained.
- Cookies related to user preferences: These cookies are used to remember preferences such as language choices, fonts or text size. These are considered essential, whereas cookies that enable site recommendations based on previous user interactions aren’t.
- Cookies related to user input: These cookies hold data such as the contents of an online shopping cart. They are considered essential because they enable actions that are necessary to provide a service.
- Advertising cookies: Advertising cookies are used to collect data about the user from their device. This data is then used to display relevant advertisements to the user. Examples include cookies from Facebook, Adroll, YouTube, Criteo and Hubspot.
- Cookies related to information security: These are used to keep data secure when it's being transmitted between a user and a service, for example an image recognition CAPTCHA. Because they support the safe use of a service, they’re considered essential cookies. No consent is required for information security cookies.
- Analytics cookies: These cookies are used to collect data on how visitors use a service, for example counting page views. Because it’s possible to run a service without the use of analytics, these cookies aren’t considered essential and require consent.
Informing users
Another important aspect of Finnish cookie and consent regulation is properly informing users about the use and storage of cookies. If a user chooses to grant, reject or withdraw consent, they should always be informed about usage and storage. Traficom also recommends informing users even when no consent is required.
Banners or pop-ups that request consent should at the very least include the following information:
- Whether cookies are being used, and if so what types are being used.
- The purpose of the cookies used.
- The validity period of the cookies used.
- An indication as to whether the data collected by any cookies is being shared with third parties.
How Didomi can help you navigate Finnish cookies and consent regulation
Whether you’re operating in Finland or anywhere else, effectively managing user privacy and cookie consent is key. But getting started can often feel overwhelming.
The good news is that you don’t have to do it all by yourself.
The Didomi Consent Management Platform (CMP) can help you become GDPR-compliant and create personalized privacy notices, increasing your opt-in rates and getting access to first-hand user data, all while showing exemplary compliance and reducing legal risk.
Contact us for any queries about Finnish cookie law or for more information on our solutions.
Frequently Asked Questions (FAQ)
To whom do the updated Finnish regulations apply?
The updated regulations apply to organizations using cookies and similar technologies to store or access personal data on user devices during the use of websites or electronic communication services.
What are the key compliance requirements of the new Finnish cookie law?
Key requirements include:
- Obtaining user consent for non-essential cookies;
- Not setting cookies before consent is granted;
- Providing a clear consent form with options;
- Ensuring an opt-in only mechanism;
- Allowing easy withdrawal of consent;
- Maintaining proof of the consent obtained including details like date, time, and manner of consent.
What differentiates essential cookies from non-essential cookies?
Essential cookies are purely technical and necessary for the basic functionality of the website, like authentication cookies, user preference cookies, and user input cookies.
Non-essential cookies, like advertising and analytics cookies, are used for analyzing user behavior or displaying advertisements and require user consent.
How are companies required to inform users about cookie usage?
Companies should use consent banners or pop-ups to request consent, providing information on the use, purpose, validity period of cookies used, and whether the data collected is shared with third parties.
Users should be informed even when no consent is required, and should be made aware of how they can grant, reject, or withdraw consent.