On Thursday 14 May 2020, the Finnish Deputy Data Protection Ombudsman (the “Ombudsman”) issued a significant new order set to force many Finnish companies to update the way they obtain users’ consent to cookies on their websites. The Ombudsman took the explicit view that the fact that a website user continues browsing with the possibility to restrict cookies separately in browser settings was not sufficient to constitute valid consent to cookies.
The past few years have seen abundant debate on what constitutes valid consent to cookies with interpretations varying across EU member states. The so-called Planet49 judgement of the European Court of Justice (“ECJ”) on 1 October 2019 conclusively confirmed that consent to cookies must fulfil the criteria set out for consent in the GDPR underlining that cookie consent must be active, freely given and specific. Accordingly, consent by pre-ticked boxes did not make the cut.
The lax Finnish view – Browser settings
Although consent is required, Finnish regulators have traditionally taken the view that website providers may rely on users’ browser settings as consent, whereby the user is merely informed that cookies are used and that cookies can be blocked by changing browser settings. Surprisingly, the Finnish telecoms regulator, Traficom upheld this view despite the ECJ explicitly precluding pre-ticked boxes – after all, what are default browser settings if not pre-ticked boxes? Cookie rules will be harmonised in the near future by the EU’s new ePrivacy Regulation and Traficom is, supposedly, avoiding passing new guidelines before the new rules to avoid companies having to reassess their practices repeatedly. It is also evident that average Finnish website users have not considered browser settings problematic since, alternatively, numerous cookie policies and banners popping up during browsing are typically experienced as a nuisance. Furthermore, in general, it could be questioned, how efficiently and feasibly cookie consent requirements regulate privacy in the internet. Unsurprisingly, relying on users’ browser settings has remained common practice on Finnish websites.
The Ombudsman has stepped in
- Stating that the user consented to cookies by continuing browsing did not constitute freely given consent;
- Failure to change browser settings to block cookies did not meet the threshold for active and specific consent;
- Having to alter browser settings to block cookies meant that withdrawing consent was not as easy as giving consent as required by the GDPR.
With the potentially robust sanction mechanism granted by the GDPR, the opinion of the data protection authority will – for the first time in this field of regulation – steamroll over Traficom’s view. As the risk of GDPR fines looms over every organisation not complying with consent requirements, we are now seeing how powerful the European Data Protection regime and the respective enforcement powers of the national data protection authorities actually are in comparison with the traditional feeble sanction mechanisms laid down in national law.
The Ombudsman’s order demonstrates that all companies relying on the ‘you may block cookies by changing browser settings’ mechanism must take swift action to amend their practices. Feasible solutions include cookie banners allowing users to separately tick the types of cookies they are willing to allow. It is useful to note that the European Data Protection Board has recently stated in their updated consent guidelines that so-called cookie walls blocking website content until cookies are accepted do not meet the requirements of freely given consent.
Organisations that have already aligned their cookie practices with the common European model are not in need of adopting new practices. As the matter is now in the focus of the authorities, reassessing existing practices is, in any case, recommendable.
We frequently advise our clients in carrying out compliant cookie practices on their websites. We are happy to discuss any questions you may have.