General Data Protection Regulation (GDPR) has been enacted to enhance the security and privacy of EU citizens. The impact of GDPR is starkly visible in online services when visitors are asked for consent to the use of cookies. Responding to the cookie consent is often the first interaction a visitor has with a service, which is why extra attention should be paid to its user experience.

New draft guidelines for cookies

The Finnish Transport and Communications Agency Traficom, in collaboration with the Data Protection Ombudsman’s office, has prepared guidelines on cookie practices for service providers and end users.

The guidelines aimed at service providers detail how service providers must implement cookie practices and what information must be given to users about cookies and other similar technologies. The most essential key points are briefly presented below:

• Consent must be sought for storing and using data from the user’s device for cookies other than essential ones. Currently, a cookie banner is the most common way to request consent. Contrary to previous interpretation, a user cannot give valid consent to the use of cookies and other tracking technologies through browser settings.

• When requesting user consent, users should not be guided to accept the use of non-essential cookies. Refusing non-essential cookies must be just as easy as accepting them. Users should not be influenced to make choices through, for example, colour choices or by making the action that indicates refusal less visible than the action indicating consent.

• It must be possible to withdraw consent or change choices that have been made, and it must be as simple as possible for the user.

• The use of cookies and other tracking technologies cannot be justified by the data controller’s legitimate interest as per GDPR.

The commenting period for the draft guidelines ended on 9 August 2021, and Traficom has promised to publish the final guidelines by the end of summer. Significant changes to the final versions are unlikely. Based on the draft guidelines, most Finnish online services will need to make at least minor adjustments to their cookie implementations.

Entering the service through the cookie consent box

With the new draft guidelines, only a few online services can avoid showing the cookie consent box to users upon entering the service.

For cookies essential to the operation of a service, consent does not need to be sought. However, connecting the service to Google Analytics would be impossible as it's not considered essential for operation. Utilising analytics to measure visitor numbers and support ongoing development remains a crucial advantage for service operators.

An example of cookie consent response being mandatory before using the service. By accepting only mandatory cookies, no data is collected about the user for analytics, meaning the visitor numbers seen in analytics do not reflect actual user numbers. A button highlighted with colour is not in accordance with the new guidelines, but rectification requires unifying the button's appearance with other buttons.

When users are forced to make a cookie choice, most accept all cookies, thereby enabling the use of analytics services.

The consent given by the user is saved in the browser cookies, and the cookie consent is not needlessly displayed to the user again on their next visit. The solution is surely regulation-compliant, leaving no doubt about the user’s given consent.

Many online services have managed the request for cookie consent excellently, but changing or withdrawing consent afterwards can be cumbersome. This is not compliant with GDPR, as withdrawing consent should be as easy as giving it.

For example, K-Group’s online service allows users to modify cookie settings and cookie consent via a link in the footer section. The implementation is flexible, as long as withdrawal or modification of consent is possible and as simple as possible for the user.

The Crasman.fi service allows access to cookie settings through a floating button on the page.

In Crasman.fi service, cookies are divided into several groups according to their intended use. Users can toggle desired cookies on or off using the slider button in the top right corner.

What next?

Review Traficom's current cookie guidelines. Check the cookie practices of your online service against the new guidelines and adapt your service according to the new instructions.