Finland: Key takeaways from the TRAFICOM revised guidelines on cookies and similar tracking technologies

The Finnish Transport and Communications Agency ('TRAFICOM') announced, on 13 September 2021, that it had published, after a period of public consultation, its finalised guidelines on cookies and other similar tracking technologies[1] ('the Guidelines') for service providers. In particular, TRAFICOM noted that the purpose of the instructions given in the Guidelines is to promote the implementation of confidentiality and good practices in the storage and use of cookies and other similar tracking technologies. However, TRAFICOM stated that the purpose of the Guidelines is not to oblige service providers to use certain technologies, but to instruct them to act as required by law with respect to the storage and use of cookies and other data concerning the use of the service, consent to cookies, and information about cookies. In this insight, OneTrust DataGuidance outlines the key information provided in the Guidelines.


Scope of application

The Guidelines are designed for service providers who use cookies and similar technologies on their websites and in their electronic communications services in order to store information on the user's terminal equipment, or use information on the user's terminal equipment. In particular, the Guidelines outline that service providers should consider at least the following when using cookies and similar technologies:

  • what cookies or similar technologies are used or intended to be used on the website or service;
  • the classification of the cookies that are in use, such as necessary and non-necessary, from the point of view of the service in question;
  • how to provide users of the service with information about the cookies used in the service and their purposes in a clear and comprehensible form; and
  • how to properly request users' consent to the use of non-necessary cookies and how users are given the opportunity to change their cookie choices and revoke their previous consent.

Definition of cookies

The Guidelines highlight that cookies are small text files that are stored on the user's terminal equipment when accessing websites, whilst also making the following clarifications:

  • cookies store information during the use of the website and between uses;
  • cookies and similar technologies enable the functionalities that are typical to a modern website, such as logging in and maintaining a login while browsing the website, or even the shopping cart functions of online stores; and
  • without the use of cookies, it would not be possible for websites or services to remember anything about their visitors, the choices they have made in the service, or the feeds they have provided there.

The Guidelines outline that websites and electronic communications-based services can collect a variety of information from their users, such as IP addresses, various device and ad identifiers, as well as information about which websites have been visited at any given time, what content has been used, or what products have been purchased. The Guidelines note that individually, such information may not yet constitute personal data about the visitor, but the more widely the information is collected and aggregated, the more likely it is that the information collected will be personal data. The Guidelines state that this is particularly likely when data is collected for profiling, targeting, and influencing purposes. In some cases, the information collected about the users of a website or electronic communication service may be so detailed that it constitutes sensitive personal data, for example, if it is possible to obtain information about a person's health. The processing of personal data must always take place in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition to the Information Society Code (917/2014)[2], the use of cookies must also comply with the GDPR, as applicable.

Conditions for the use of cookies

General consent requirement

The Guidelines outline that the general condition for the storage and use of cookies is that the user has given his or her consent. However, the Guidelines detail that consent is not required for so-called essential cookies, i.e., when:

  • the sole purpose of storing and using the data is to enable the transmission of messages in communications networks; or
  • the storage and use of data is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

Legitimate interests

In addition, the Guidelines highlight that legitimate interest does not justify the storage and use of cookies or other data concerning the use of the service; instead, such storage and use must be based on the criteria set out in Section 205 of the Information Society Code. The Guidelines state that neither this provision, nor Article 5(3) of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive'), recognise legitimate interest as a basis for the storage of cookies or other data concerning the use of the service on the user's terminal equipment or their use. Hence, the Guidelines outline that legitimate interest is not a lawful basis for the use of cookies or similar tracking technologies.

Exceptions to requesting consent – necessary cookies

The Guidelines outline that it is not possible to say whether a cookie is necessary within the meaning of the law or on the basis of the type or name of a particular cookie, as a single cookie can carry out several different functionalities and it is also possible to use the same cookie for several different purposes. Therefore, the Guidelines outline that the purpose of the information collected and processed by cookies is crucial in assessing the necessity of a cookie.

In order to be covered by the exception relating to the transmission of a message, the sole purpose of the cookies must be to enable the message to be transmitted. If the cookie only assists, speeds up, or in some way regulates the basic conditions mentioned below, the exception is not applicable. Thus, in order for a cookie to be covered by this exception, the cookie should directly enable or carry out one or more of the following:

  • transmit communications over the network, for example, by somehow identifying the relay points needed to route the message to its destination;
  • ensure that the content of the message is delivered in the appropriate order; or
  • detect message transmission errors or data loss.

In addition, the Guidelines state that a necessary cookie may also be one without which it would not be possible to technically implement a function within a website specifically requested by a user.

Examples of different types of cookies and guidelines for assessing the need for consent

Authentication cookies

The Guidelines outline that these types of cookies are used to identify a user when they login to a website or application. The Guidelines state that session-specific authentication cookies are more likely to be considered as part of the necessary set of cookies, because logging in to the service is in principle a measure that the user clearly chooses to perform and the data is not stored for a long time. In addition, placing a more persistent login cookie may, in some cases, serve usability and be the kind of service that the user requests, especially if the user is given the option to choose to store his or her credentials for a longer period of time. However, persistent login cookies cannot automatically be considered as essential cookies if it is not possible for the user to understand or assume that the login is maintained for a longer period of time.

User preferences

The Guidelines outline that, on the one hand, enabling and remembering language and layout choices while using the site serves the usability of the site and may be considered necessary to provide the requested service. On the other hand, making recommendations based on viewing history or site navigation may not necessarily be the kind of service that the user has specifically requested, and therefore may require consent.

User feeds

The Guidelines outline that such cookies may be related to, for example, remembering the contents of the user's shopping cart in the online store or remembering the contents of the forms he or she has filled in in the transaction service. These often involve an action taken by the user, in which case enabling the action to be taken can be considered as a service specifically requested by the user. Without such functions, placing orders or online transactions, for example, would not be possible, so cookies that enable the implementation of these types of functions can be considered necessary.

Targeted advertising and marketing

The Guidelines state that the use of cookies which make it possible to create a profile on the user and his or her interests, or which collect historical information about a user's activities on a website or on several websites, on the basis of which targeted advertising can be displayed, cannot in principle be considered necessary to provide a service specifically requested by the user, in which case consent should be requested for their use.

Security cookies

The Guidelines note that security-related cookies are intended to enable the secure transfer of information between a user and a service, and that these cookies can be considered necessary for the secure use of the service, so consent does not have to be requested.

Social media cookies

The Guidelines note that websites may use plug-ins or tools connected to social media platforms. If the inclusion of these plug-ins and tools on the website results in the storage of related cookies on the user's terminal equipment, even though the user does not use the features in question and/or is not a member of or logged in to the social media platform in question, then consent must be requested for these cookies.

Accessibility cookies

The Guidelines outline that when the sole purpose of cookies is to improve the accessibility of the website, for example, by enabling the use of descriptive interpretation or audio subtitles, they may be considered necessary. The use of these features is typically related to the service specifically requested by the user.

Analytical cookies

The Guidelines state that analytical cookies collect information, such as on how users visiting the website use the service, for example by storing unique sources of traffic (IP addresses), calculating page views, and measuring how the content or application of the website is used in various ways. The Guidelines, however, note that analytics cookies cannot be unambiguously considered from the user's point of view to be necessary to provide a service that the user has specifically requested, as the user is unlikely to use the service because he or she wants to be tracked, and most services are also able to operate even if analytics are not in use. On the other hand, the Guidelines outline that if analytics cookies are to be considered absolutely necessary for the provision of the service in question, the service provider must be able to provide clear reasons for the procedure and protect the user's privacy, for example, by ensuring that the data collected by the analytics is not shared with third parties or that an individual visitor is not identified from them. This is especially important if the service uses other types of cookies, and the information collected from these cookies would enable the user to be linked with the data collected from the analytics. If the above-mentioned matters can be taken care of at a sufficient level and the use of analytics can be justified as necessary for the provision of the service, consent does not need to be sought for the use of analytics. However, the Guidelines outline that if the above-mentioned matters cannot be taken care of at a sufficient level or the use of analytics cannot be justified as necessary for the provision of the service, consent should be sought for the use of analytics.

More detailed information is obtained from the terminal by active scanning

The Guidelines state that when the user opens the website, a request is sent from the user's terminal equipment to download the content from the server of the service provider. The server to which the request is sent always receives some information from the terminal equipment in connection with the request, such as the IP address from which the request comes. In this connection, the terminal equipment can also be asked to send more information about itself. If the collection and use of such information is aimed at more detailed profiling of the terminal equipment and thus the user, consent must be sought for the use of the technology.

Cookies enable real-time communication

The Guidelines state that the sites may use chat functions to enable real-time communication between the user and the service provider. To use the chat function, cookies may need to be set on the user's terminal equipment. If the main purpose of the site is not explicitly to provide a chat function, it is a so-called ancillary or supplementary service. Cookies related to these activities may not be stored on the user's terminal equipment until the user separately requests the service, i.e. opens a chat window. Where cookies are set only after the chat window has been opened and the operation of the chat service requires the use of cookies, in such a case the cookies may be considered necessary for the provision of the requested service and consent need not be requested.

Cookies related to cross-platform content

The Guidelines state that currently, the content of websites is often produced in such a way that some of the content used may be located somewhere other than the service provider's own service. Displaying or using this so-called embedded content may require the third party hosting the content to store its own cookies on the user's terminal equipment, in which case the user's information is transferred to a service provider other than the one whose website the user is on. Cookies related to third party content cannot, in principle, be considered as necessary cookies and must be consented to.

Cookies related to the display of content

The Guidelines outline that websites are generally associated with providing a variety of content. If the display of such content technically requires a cookie, it may be considered necessary. If the cookie is used for other purposes than the technical functionality, such as tracking what content the user has viewed, the cookie cannot be considered necessary.

Device location information

If the location data referred to in the Information Society Code is stored and/or read in some way using cookies, the user's consent must be sought.

Consent

Obtaining consent

The Guidelines outline that the service provider must ensure that the user's consent is requested, and that the information related to cookies is provided in a proper and timely manner when the user opens the service or accesses the website. Since the use of cookies, other than necessary cookies, requires user consent, care should be taken that cookies are not placed on the user's terminal equipment until he or she has made choices regarding the use of cookies. Consent must meet the conditions for consent under the GDPR in order to be valid. Consent must be an active expression of intent, so it cannot be given by silence, pre-ticked boxes, or omission of any action.

The Guidelines note also that, in addition to having the choice to accept or reject all non-necessary cookies, the user should also be given options to make more specific choices regarding different types of cookies. Hence, it must be ensured that it is possible for the user to control all non-necessary cookies used in the service, including cookies set by third parties. The Guidelines also outline that browser settings cannot be considered sufficient for consent, since the user may not have configured or been able to configure the settings to suit their preferences. Furthermore, browser settings cannot be considered as a sufficiently unique and active expression of intent when it comes to accepting different cookies that can be used to collect information for several purposes.

Withdrawing consent

The Guidelines highlight that service providers must ensure that withdrawal of consent and changes to the cookie settings have de facto effect. In the case of cookies, this means that performing this operation will delete or overwrite any data previously stored on the device.

Documenting consent

The Guidelines state that, when requesting consent for the storage and use of cookies, it is appropriate to record the choices made by the user so that there is no need to constantly request consent again as the user moves around different parts of the site. Saving the choices requested by the consent mechanism may require the site itself to place a cookie on the user's terminal equipment that remembers the choices made by the user.

The service provider must be able to subsequently demonstrate the obtained consent to the storage and use of cookies and other similar information. In order to demonstrate consent, it is necessary to record at least:

  • the time at which consent was requested and obtained;
  • how consent was requested;
  • what information was given for consent; and
  • the necessary identification of the person or device from which the consent was given.

Informing users

Users must be fully and clearly informed of non-necessary cookies and other uses or storage of data that require the user's consent when the user makes choices to give, not to give, or to withdraw consent. The Guidelines also recommend that users should be informed about cookies and other similar technologies and the use of the information obtained from them, even when they do not require consent by law. The banner or other procedure used to request consent should at least specify:

  • the cookies and similar technologies that are used and their type, such as necessary, functional, personalisation, advertising, social media, and analytics, among others;
  • the purpose of each cookie, for example, what information is collected by the cookie and for what purpose;
  • the validity period of each cookie; and
  • information on whether the data stored through cookies is shared with third parties, who these parties are, and what information is transferred.

In addition, the Guidelines highlight that when personal data is concerned, Article 13 of the GDPR on the content of information is also applicable.

Alexandra From Privacy Analyst


1. Available, only in Finnish, at: https://www.traficom.fi/sites/default/files/media/file/Ev%C3%A4steohjeistus_palveluntarjoajille.pdf
2. Available at: https://www.dataguidance.com/legal-research/information-society-code-9172014-undated
