The General Data Protection Regulation (GDPR) has been enacted to enhance the data security and privacy protection of EU citizens. The impacts of the GDPR literally spring up in online services when visitors are asked to consent to the use of cookies. Responding to the cookie consent is often the first interaction that a visitor has with the service. Therefore, special attention should be paid to its user experience.

New Draft Guidelines for Cookies

The Finnish Transport and Communications Agency Traficom, in cooperation with the Office of the Data Protection Ombudsman, has prepared guidelines for service providers and end-users regarding cookie practices.

The guidelines directed at service providers detail how service providers should implement cookie practices and what users need to be informed about cookies and other similar technologies. The most essential points are briefly presented below:

• Consent must be obtained for storing and using non-essential cookies from the user’s device. Currently, a cookie banner is the most common way to seek consent. Contrary to previous interpretation, a valid consent for the use of cookies and other tracking technologies cannot be granted through browser settings.

• When requesting consent from the user, they must not be directed to accept the use of non-essential cookies. Refusing non-essential cookies must be as easy as accepting them. Users should not be manipulated into making choices, for instance through colour selection, or by making the refusal action less visible than the acceptance action.

• It must be possible to withdraw consent or change choices already made, and it should be as simple as possible for the user.

• The use of cookies and other tracking technologies cannot be justified by the legitimate interest of the data controller as per the GDPR.

The comment period for the draft guidelines ended on 9 August 2021, and Traficom has promised to publish the final guidelines by late summer. Major changes to the final versions are unlikely. Based on the draft guidelines, most Finnish online services will have to make at least minor adjustments to their cookie implementations.

Entering the Service via the Cookie Consent Box

With the new draft guidelines, very few online services will be able to avoid presenting a cookie consent box to the user upon entering the service.

Consent does not need to be asked for cookies necessary for the operation of the service. However, in such cases, for example, integrating the service with Google Analytics is impossible, as it is not considered necessary for operations. Nevertheless, leveraging analytics to measure service visitor numbers and support further development is a definite advantage for service maintainers.

An example of cookie consent that must be answered before using the service. By accepting only necessary cookies, no data about the user is collected for analytics, meaning that the user numbers visible in analytics do not reflect the actual user numbers. A colour-highlighted selection button does not comply with the new guidelines, but aligning the button’s appearance with the others suffices for a correction.

When users are forced to make a cookie choice, most users accept all cookies, enabling the use of analytics services.

The user’s consent is stored in the browser cookies, and during the next visit, the cookie consent is not unnecessarily shown to the user again. The solution is certainly compliant with the regulation, leaving no ambiguity about the user’s consent.

Many online services have managed the request for cookie consent commendably, but changing or withdrawing the consent afterwards is cumbersome. This is not compliant with the GDPR, as withdrawing consent should be as easy as granting it.

For example, in the K Group’s online service, cookie settings and consent can be modified via a link in the footer section. The implementation method is free as long as withdrawal or modification of consent is possible and it is as simple as possible for the user.

In the Crasman.fi service, cookie settings are accessible via a floating button on the page.

In the Crasman.fi service’s cookie settings, cookies are divided into different groups according to their purpose. The user can toggle the desired cookies on or off using the slider button in the top right corner.

What Next?

Explore Traficom’s current cookie guidelines. Check your online service's cookie practices against the new guidelines and adjust your service accordingly.