The Finnish cookie saga is over
The Finnish cookie saga has finally come to an end.
After years of confusion, the Finnish Transport and Communications Agency (Traficom) has finally released guidelines for using cookies that leave no room for interpretation.
The guidelines are designed to clearly provide you – as a website or app owner – with instructions on how to collect valid consent for using cookies in Finland.
Although the guide is mainly about cookies, it is understood that the word “cookie” is an umbrella term for all types of technology that are designed to collect website visitors’ personal information and process it primarily for marketing purposes (e.g., fingerprinting, web beacons, pixels).
The rules for cookies and consent in Finland are now as following:
- The Information Society Code (917/2014) requires you to inform your users of cookies and collect their consent.
- Traficom defines consent (to cookies) as consent under the GDPR.
Finnish Cookie Guidelines – what are the rules?
What must you do? Inform your website visitors of the cookies you use and collect a GDPR valid consent before using them.
- Information Society Code (917/2014)
- The General Data Protection Regulation (GDPR)
Information Society Code (917/2014)
The Finnish cookie rules originally come from Section 205 of the Information Society Code (917/2014).
What it really means is:
You must inform your users of cookies and your user must give consent.
You do not need consent for
- technically necessary cookies (those that are required to make your website work (shopping cart cookies, login cookies etc.).
- accessing information the user has explicitly requested.
In Traficom’s updated cookie guidelines from 2021, they clearly state how you inform your users of cookies and how you collect a GDPR valid consent.
But what are the rules for consent under the GDPR? Let’s take a look.
The General Data Protection Regulation (GDPR)
The GDPR is all about data processing and how to handle your users’ personal information.
Although the word “cookie” is mentioned only once, the GDPR concerns the data most cookies collect and process.
When the cookies you use, collect your users’ personal information for further processing (by you or a third-party), you are required to collect valid consent.
If you use tracking cookies, the rules for consent in the GDPR apply.
According to Article 4 (11) in the GDPR valid consent is:
- Freely given: Your visitor has to be able to accept or reject consent to cookies.
- Specific: Consent must be granular. You may only ask for consent to one specific purpose at a time (statistics, marketing, functional cookies).
- Informed: You must inform your visitors about which cookies you use; what data they collect; for what purpose; by whom; and for how long cookies are stored.
- Unambiguous: Your visitor must actively give consent by clicking a box/button in your cookie consent pop-up.
If you use services like Google Analytics, Hotjar, or have a Facebook Pixel or LinkedIn Insight tag connected to your website, then you must inform your users of the cookies these services place through your website and collect and consent from your user before placing them.
The cookies these services use, collect your visitors’ personal information (IP-address, geolocation, device-ID etc.) which is used for further processing by third parties primarily for marketing purposes. Therefore, a GDPR consent is needed.
Finnish cookie guidelines – what is consent to cookies?
Here is the full list of how you can collect valid consent to cookies in Finland:
Consent cannot be given by:
- silence, i.e., through pre-ticked checkboxes or through inactivity.
- having only one option (to accept).
- interacting with the website (swiping, scrolling or just using the site/app).
- asking users to reject consent through browser settings.
How do you collect valid consent to cookies using the Finnish cookie guidelines?
It is not difficult at all to collect valid consent to cookies in Finland.
And if you are worried about losing marketing data, there are solutions to obtain data from those users who reject cookies (legally).
Data and GDPR compliance? Answer is below the image.
First, let’s see how you can collect GDPR valid consent to cookies with the Finnish cookie guidelines in mind.
First, you need a professional cookie consent pop-up with a Consent Management Platform.
Because only a professional Consent Management Platform continuously scan your website for cookies and unwanted data transfers.
A good consent pop-up then presents this information to your website visitor who can now reject or accept cookies.
The pop-up also ensures that all consents are stored for 5 years as required by the GDPR and the Finnish Traficom.
Now, how to get data from the users that say no to cookies.
Using Google Consent Mode with a CMP (Consent Management Platform), you can collect valuable insights about your users’ behavior and conversions without collecting any personal data.
You can read more about Google Consent Mode here and how it is integrated with Cookie Information’s Consent Management Platform.
FAQ on cookies and consent in Finland
[Q] – We are not using cookies on our website!
Our website is not collecting – or processing – any personal data!
Maybe not, but third-party services like Google Analytics, Facebook, Hotjar, Amazon are! If you use any third-party service which set cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent using these cookies is your responsibility.
Can we use Google Analytics without consent?
No. Google Analytics is using multiple cookies that collect your visitors’ personal information which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
What are technically necessary cookies?
Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.
How do I know if my website is GDPR cookie compliant?