Recent court rulings emphasise cookie legislation enforcement in Finland

news
11 Nov 2024
Category
Insights

Recent court rulings in Finland have underscored the strict enforcement of cookie law. These rulings clarify the obligations that companies must comply with regarding cookie consent and transparency and reiterate the need for compliance to avoid legal repercussions. Our data protection experts Joeli Niva and Tetti Kunnas summarise some of recent court rulings below.

1 Court ruling for a Finnish media company

The Finnish Transport and Communications Agency (Traficom) investigated cookie practices of a Finnish media company on several of its websites, finding multiple areas of non-compliance regarding the Finnish Act on Electronic Communications Services (917/2014). Helsinki Administrative Court’s decision 5845/2024 concerned the company’s appeal against a ruling from Traficom regarding cookies and data protection issues. 

Traficom's decision, issued on 8 June 2023, stated that company's current cookie practices on its websites violated the Finnish Act on Electronic Communications Services, Section 205. This was because user’s consent was not properly obtained for the use of cookies and similar technologies, which are necessary for the delivery of personalised content delivery and certain types of analytics. Additionally, it was concluded that the mechanism for managing consents made it easier to accept all cookies than to reject them, not meeting the consent requirements stipulated by both the Act on Electronic Communications Services and the EU's General Data Protection Regulation (GDPR).

The company argued that its personalised content delivery cookies and certain analytics cookies were necessary to provide the service requested by users. However, Traficom stated these cookies were not essential to the provision of the service explicitly requested by the users, and that the company was required to obtain explicit consent from the users.

The company also disputed the classification of certain cookies as non-essential and argued that some necessary cookies had been misclassified. They also claimed that Traficom’s interpretation and application of the law went beyond its scope, in particular as regards the necessity and handling of certain web requests.

The Administrative Court supported Traficom’s assessments and required the company to make several changes, including:

  1. Making non-essential cookies and similar technologies consent based.
  2. Adapting the consent management tool to allow users to reject non-essential cookies at the first level.
  3. Providing clearer information to users about cookies.
  4. Informing users that cookies are not placed based on legitimate interest.
  5. Reducing the duration of certain cookies and analytics tools.
  6. Ensure that users can effectively withdraw their consent to cookies.

The company appealed for adjustments to the deadlines for compliance and the interpretation of the duration of opt-out cookies, which were partially granted by the court, extending the deadline for the company to provide evidence of corrective action to three months after the final decision.

In summary, the decision requires the company to revise its cookie practices to comply with user consent requirements and transparency obligations under the applicable data protection laws.

2 Court ruling for a Finnish telecommunications company

Helsinki Administrative Court’s decision 5846/2024 concerned an appeal by a Finnish telecommunications company against the Finnish Transport and Communications Agency (Traficom) concerning cookies and data protection issues. The appeal concerned Traficom's decision, which found that the company had violated Section 205(1) of the Act on Electronic Communications Services by placing cookies on user’s devices without proper consent. In addition, Traficom had found that the company’s consent management mechanism made it easier to accept all cookies than to reject them, which did not comply with the requirements of the General Data Protection Regulation (GDPR).

Traficom had ordered several changes, including:

  1. Adjusting the functionality of certain chat service cookies (_ltrp, _ltrs, and _ltrsn) so that they are not set on the user’s device until the user explicitly requests the chat service or consents to the use of these cookies.
  2. Modify the consent management mechanism on the company’s website to ensure that users can refuse non-essential cookies at the first level of the mechanism.

During the court proceedings, the company argued that the chat service’s cookies were essential for communication and that the consent management mechanism provided genuine user choice. However, the court agreed with Traficom, stating that the cookies were not necessary before the user explicitly requested the chat service and that the current consent management did not comply with the GDPR's voluntary consent requirements. As a result, the court dismissed the company’s appeal and extended the deadline for the implementation of corrective actions by three months from the date the decision becomes final.

Key points from the judgments

  • Obtaining proper consent: Both companies’ websites did not properly obtain user consent for non-essential cookies. The consent mechanism made it easier for users to accept all cookies, contrary to the requirements for voluntary consent under both Finnish law and the GDPR.
  • Non-essential cookies: Some cookies categorised as "necessary” did not meet the criteria for necessary cookies. Cookies for personalised content and analytics require user consent as they are not essential for the service requested by the user.
  • Misleading cookie information: Information provided to users about the use of cookies was found to be insufficient and misleading, preventing users from making informed choices.
  • Effective withdrawal of consent:  Websites did not allow users to effectively withdraw consent, as required by the GDPR.

Actions required for compliance

  1. Consent to non-essential cookies: Ensure that non-essential cookies are only enabled with explicit user consent.
  2. Improved consent mechanism: The consent mechanism must allow users to easily opt out of non-essential cookies from the first interaction screen.
  3. Shorten cookie lifetime: The lifetime of certain cookies, including those used for video analytics and third-party advertising, should not be unnecessary long.
  4. Effective opt-out: Ensure that users can effectively withdraw consent, which affect all cookies and similar technologies.

Implications for businesses

These decisions highlight the importance of strict compliance with the cookie law in Finland. Companies should:

  • Review and update their cookie policies: Regularly review and update cookie policies to ensure compliance with both Finnish and EU law.
  • Ensure voluntary consent: Ensure that consent is freely given, explicit, and as easy to withdraw as it is to give.
  • Transparency: Provide clear and comprehensive information about the use of cookies to users.

Conclusion

The recent court decisions serve as an important reminder for businesses operating in Finland to prioritise user consent and transparency in their cookie policies. Compliance not only avoids legal consequences, but also builds user trust and improves data protection practices.

If you feel that your company’s privacy policy or cookie compliance needs updating, or if you are unsure whether you meet all the compliance requirements, don’t hesitate to contact us.