MyFondia VirtualLawyer
June 10, 2020

Now it’s clear – cookie practices renewed in Finland

Earlier this fall I wrote about the decision of the EU Court of Justice on the use of cookies in the so-called Planet 49 case. It stated that the consent regarding cookies cannot be validly given with a pre-signed box, but instead requires active measures taken by the user. Now the Court’s decision is put into practice in Finland as well.

In a recent decision, the Deputy Data Protection Ombudsman has outlined what the requirements of a consent given by taking active measures require from a cookie banner, and whether the consent to store cookies can still be validly given in the browser settings, as Traficom has so far instructed.

The Deputy Data Protection Ombudsman’s ruling concerned a complaint regarding a company’s cookie policies. The complainant found that in practice, he/she did not have the possibility to prohibit the use of cookies on the company’s website. The company had notified on the use of cookies in a cookie banner, in which it announced that by continuing the use of the website, the user accepts the use of cookies. It was stated in their privacy notice, that the user can prohibit the cookies stored and used by the cooperation partners of the controller separately on each of the partners’ websites. The privacy notice contained a list of a total of 11 partners, as well as links to their data protection websites and marketing choices.

In her decision, the Deputy Data Protection Ombudsman concluded that the cookie banner used by the company did not actually give the user a possibility to decline the storage of cookies. Furthermore, the procedure for withdrawal of the consent was considered not to comply with the requirements of the GDPR, since the controller required the user to visit each partner’s website listed in the notice separately to refuse the storage of cookies. Instead, the data subject should be able to give, refuse or withdraw his/her consent in the controller’s own service.

The Deputy Data Protection Ombudsman’s decision also took a stand on Traficom’s guidelines that have been applied in Finland so far, according to which consent could validly be given through the browser settings. In this regard, it was considered that referring to changing the browser settings could not be viewed as such active and explicit expression of intent required by the GDPR that giving a valid consent requires. The fact that the user does not change his/her browser settings or fails to take any measures does not mean that the user has given his/her consent to the storage and use of cookies.

As a result of the decision, the cookie practices followed so far now require critical reviewing. According to the Office of the Data Protection Ombudsman, they currently have dozens of similar cases pending. This indicates that the users have activated to intervene in the website administrators’ cookie practices. In the future, transparency is required in the use of cookies, so that the user can easily understand what cookies are used and in what context. Now, at the latest, is the time to check your own cookie policies to ensure that they meet the requirements of the law as the authorities have outlined.