Finnish cookie guidelines explained

What are the rules for using cookies in Finland? And how do you collect consent for using them? Here's everything you need to know about the new Finnish rules on cookies.

7 easy steps to comply with the Finnish cookie guidelines:

The Finnish cookie saga is over

The Finnish cookie saga has finally come to an end.

After years of confusion, the Finnish Transport and Communications Agency (Traficom) has finally released guidelines for using cookies that leave no room for interpretation.

The guidelines are designed to clearly provide you – as a website or app owner – with instructions on how to collect valid consent for using cookies in Finland.

Although the guide is mainly about cookies, it is understood that the word “cookie” is an umbrella term for all types of technology that are designed to collect website visitors’ personal information and process it primarily for marketing purposes (e.g., fingerprinting, web beacons, pixels).

The rules for cookies and consent in Finland are now as follows:

  • The Information Society Code (917/2014) requires you to inform your users of cookies and collect their consent.
  • Traficom defines consent (to cookies) as consent under the GDPR.

Finnish Cookie Guidelines – what are the rules?

Who is it for? Anyone who owns or manages a website in Finland that uses cookies or other tracking technologies.

What must you do? Inform your website visitors of the cookies you use and collect GDPR-valid consent before using them.

There are two laws to be aware of when you use cookies or other tracking technologies on websites or apps in Finland.

  • Information Society Code (917/2014)
  • The General Data Protection Regulation (GDPR)

Information Society Code (917/2014)

The Finnish cookie rules originally come from Section 205 of the Information Society Code (917/2014).

It says:

“The service provider may save cookies or other data concerning the use of the service in the user’s terminal device, and use such data, if the user has given his or her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving and using such data.”

What it really means is:

You must inform your users of cookies, and your users must give consent.

You do not need consent for:

  • technically necessary cookies (those that are required to make your website work, such as shopping cart cookies and login cookies).
  • accessing information the user has explicitly requested.

Traficom’s updated cookie guidelines from 2021 clearly state how you inform your users of cookies and how you collect GDPR-valid consent.

But what are the rules for consent under the GDPR? Let’s take a look.

The General Data Protection Regulation (GDPR)

The GDPR is all about data processing and how to handle your users’ personal information. 

Although the word “cookie” is mentioned only once, the GDPR concerns the data most cookies collect and process.  

When the cookies you use collect your users’ personal information for further processing (by you or a third party), you are required to collect valid consent.

If you use tracking cookies, the rules for consent in the GDPR apply.

According to Article 4 (11) in the GDPR, valid consent is:

  • Freely given: Your visitor has to be able to accept or reject consent to cookies.
  • Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time (statistics, marketing, functional cookies).
  • Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long cookies are stored.
  • Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

This means:

If you use services like Google Analytics or Hotjar, or have a Facebook Pixel or LinkedIn Insight tag connected to your website, then you must inform your users of the cookies these services place through your website and collect consent from your users before placing them.

The cookies these services use collect your visitors’ personal information (IP address, geolocation, device ID etc.), which is used for further processing by third parties, primarily for marketing purposes. Therefore, GDPR consent is needed.

Finnish cookie guidelines – what is consent to cookies?

Here is the full list of how you can collect valid consent to cookies in Finland:

How do you collect valid consent to cookies using the Finnish cookie guidelines?

It is not difficult at all to collect valid consent to cookies in Finland.

And if you are worried about losing marketing data, there are solutions to obtain data from those users who reject cookies (legally).


Let’s start with how you can collect GDPR-valid consent to cookies with the Finnish cookie guidelines in mind.

First, you need a professional cookie consent pop-up with a Consent Management Platform.

Why?

Because only a professional Consent Management Platform continuously scans your website for cookies and unwanted data transfers.

Your cookie pop-up and your cookie policy will then automatically contain the information about your cookies necessary to inform your users of cookies.

A good consent pop-up then presents this information to your website visitor who can now reject or accept cookies.

The pop-up also ensures that all consents are stored for 5 years as required by the GDPR and the Finnish Traficom.

Example of Cookie Information's GDPR-compliant cookie consent pop-up. The pop-up informs the users of cookies, provides granular (specific) consent and a 'Decline' button next to the 'Accept' button. Consent is as easy to reject as to give, following GDPR standards.

Now, how to get data from the users that say no to cookies.

Using Google Consent Mode with a CMP (Consent Management Platform), you can collect valuable insights about your users’ behavior and conversions without collecting any personal data.

You can read more about Google Consent Mode here and how it is integrated with Cookie Information’s Consent Management Platform.

FAQ on cookies and consent in Finland

We are not using cookies on our website!

Most websites use cookies. These are either technically necessary cookies used for making the website work (e.g., remembering language preferences, login settings, shopping cart cookies), or cookies set through your website by some of the services you use, such as Google Analytics, Facebook, Instagram, LinkedIn, Hotjar etc.

Our website is not collecting – or processing – any personal data!

Maybe not, but third-party services like Google Analytics, Facebook, Hotjar and Amazon are! If you use any third-party service which sets cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent for using these cookies is your responsibility.

Can we use Google Analytics without consent?

No. Google Analytics uses multiple cookies that collect your visitors’ personal information, which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.

What are technically necessary cookies?

Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.

How do I know if my website is GDPR cookie compliant?

You have it checked by a Consent Management Platform provider, like Cookie Information, which can easily and quickly assess whether your website uses cookies for which consent has not been collected.