The Finnish National Cyber Security Centre clarifies website cookie practices

D&I Alert

Posted on 12 Jul

Earlier in June, the National Cyber Security Centre of the Finnish Transport and Communications Agency, which supervises the use of cookies in Finland, issued a detailed decision regarding website cookie practices. In its decision, the National Cyber Security Centre assessed the necessity of cookies, the structure of a cookie banner, the standards for the consent mechanism as well as the nature of legitimate interest in connection with cookies. We have compiled the main points of the decision into this D&I Alert.

Before taking a look at the decision itself, it is vital to note that the issued decision focuses solely on the use of cookies – and not on any resulting personal data processing. This is due to cookies and personal data processing being regulated by different laws: cookies by ePrivacy legislation and personal data processing by the General Data Protection Regulation (the “GDPR”) and other data protection laws.

As a result, in Finland, the authority of the National Cyber Security Centre (the “NCSC”) is limited solely to the use of cookies themselves and does not cover any resulting personal data processing. Conversely, personal data processing resulting from the cookies is supervised by the Office of the Data Protection Ombudsman, which does not have authority over cookie matters. In practice, this means that two different authorities can issue two different decisions regarding the same cookie practices, each decision focusing on different issues.

The necessity requirement as a basis for the use of cookies

As a general rule, a service provider may only use cookies if the user has given consent to such use. In addition, the user must be given comprehensive and complete information on why cookies are used (i.e., the purpose of use).

An exception to this general rule is the use of cookies that are necessary to provide a service which is explicitly requested by the user. The NCSC emphasises that, in such cases, the service provider must present a clear justification for why the cookies are necessary. This may entail, for example, explaining the circumstances which allow the service provider to rely on the exception instead of having to request user consent.

In its decision, the NCSC assessed that the following cookies can be considered necessary:

  • Login cookies. These cookies can be considered necessary if it is clear to the user that they are logged into the service, and the user is offered an option to refuse identification when moving between different websites. However, in order for this exception to apply, the same cookies may not be used for other purposes (e.g., for showing targeted advertising to the user) without the user’s consent.
  • Input cookies. These cookies can be considered necessary to provide a service that the user has specifically requested. Such cookies enable, among other things, the use of a shopping cart and payment within the services.
  • Cookies for remembering the consent choices.
  • Information security cookies. These cookies are used, for example, to prevent misuse of the login services. In addition, the Finnish Administrative Court has concluded in its case law that third-party information security cookies, such as the hCaptcha anti-spam cookie, can be considered necessary.

Analytics cookies – necessary or not?

Analytics cookies, regardless of whether they are first-party or third-party cookies, cannot in principle be considered necessary. This is because website users are unlikely to use a service because they want their activities, such as their interests, to be tracked. Even if the use of analytics cookies indirectly improves the quality of services, users cannot be considered to “explicitly request” such analytics with sufficient clarity. Notwithstanding this main rule, even analytics cookies can be deemed necessary in certain situations.

When assessing whether an analytics cookie is necessary, the main focus is on what the relevant user has explicitly requested, rather than on how the cookie has been named or on features the user may merely consider nice to have.

In practice, this requirement sets a high threshold. For example, it is not enough that analytics cookies are used to personalise the content of a service; the service provider must also have due reason to believe that users are aware that such personalisation requires information gathered through cookies. To add to this, the Court of Justice of the European Union has stated in its recent decision that, despite the fact that the services are free of charge, the users cannot reasonably expect that the service provider will process their personal data, without their consent, for the purposes of personalised advertising [1].

The GDPR sets a high standard for consent – and the NCSC decision enforces that standard

As mentioned above, the GDPR does not regulate the use of cookies. However, the ePrivacy legislation requires that the consent given for the use of cookies must be in line with the GDPR. Under the GDPR, the request for consent must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, and using clear and plain language. To fulfil these requirements, a cookie banner must clearly state which cookies are necessary and which use requires the user’s consent. The consent itself must be a freely given, specific, informed and unambiguous indication.

The recitals of the GDPR also state that consent should not be regarded as freely given if the user has no genuine or free choice or is unable to refuse or withdraw consent without detriment. In its decision, the NCSC drew attention to an interesting issue between the language versions of the GDPR. Unlike other language versions, according to the Finnish version of the GDPR, the user must have an option to later refuse or withdraw consent. According to the NCSC, and considering that the Finnish version differs from other language versions, when reviewing whether or not consent was voluntary, the review should not focus only on the period after the consent was given. Because of this, website users must have the opportunity to refuse consent at the same time and in the same way as they can give their consent.

Therefore, consent cannot be considered duly informed if only the options “OK” and “Settings” are presented next to each other on the first level of a cookie banner. In other words, the cookie banner should not require two clicks to refuse the use of non-necessary cookies if, at the same time, it is possible to accept all cookies with only one click. Such two-click procedures have a significant impact on the behaviour of users visiting the website and are very likely to guide users to accept the use of all cookies. In addition, the NCSC considers that the expression “OK” used for accepting cookies on the first level of the cookie banner is not a clear indication of consent.

Since users are exposed to so-called click fatigue in an increasingly digitalised environment, the methods of obtaining consent must be evaluated very carefully. According to the NCSC, making it easier to accept all cookies than to refuse them is contrary to the GDPR’s requirement on the voluntariness of consent (i.e. that it must be as easy to withdraw as to give consent). When refusing consent is more difficult and takes more time than giving it, the service provider in practice directs users to give consent for more uses than they would otherwise do, in which case the user has no de facto freedom of choice.

Cookie banners often also list many different purposes for the use of cookies and pertain to a large number of different third-party cookie providers. In the NCSC’s opinion, such a large amount of information makes it difficult for users to get a clear picture of what their consent is actually being requested for. Therefore, it is very difficult for users to understand the effects and consequences of the cookie choices they have made. To avoid this, users should not have to search for information in several different locations to understand the interaction between different cookies.

Legitimate interest may work for personal data processing, but not for the use of cookies

Legitimate interest appears as the basis for using cookies on many website cookie banners. Although legitimate interest is one of the legal bases for the processing of personal data set out in the GDPR, ePrivacy legislation does not recognise it as a basis for using cookies themselves. Therefore, in its decision, the NCSC emphasises that a legitimate interest can never be the basis for using cookies.

According to the NCSC, presenting choices about legitimate interest in the cookie banner gives a misleading impression that cookies could be set and used based on legitimate interest. The NCSC considers that referring to a legitimate interest in the cookie banner and providing choices that allow the use of the legitimate interest make it difficult to give informed consent, as it is complicated and difficult for the users to understand the effects of the cookie choices they make.

As a result, the NCSC finds that since a legitimate interest can never be the basis for using cookies, referring to it in the cookie banner is both unnecessary and misleading. Referring to legitimate interest in a cookie banner gives the user the impression that cookies will be used, and related further processing will take place, regardless of whether consent is given or not. According to the NCSC, the legitimate-interest choices in the cookie banner create the impression that the user should refuse cookies twice: first by denying consent and then by objecting to data processing based on legitimate interest.
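The following is an added illustration, not part of the D&I Alert or of the NCSC decision, of how the banner and consent points above translate into code a site operator could check against: necessary categories are set without consent, everything else waits for an opt-in, legitimate interest is never a basis, and the first level of the banner must offer refusal as easily as acceptance. The category names, the banner object shape and the `action` values are assumptions chosen for the example.

```javascript
// Added example (not from the D&I Alert or the NCSC decision). Category names,
// the banner shape and the "action" values are assumptions for illustration.

// Categories the decision treats as necessary: no consent needed to set them.
const NECESSARY_CATEGORIES = new Set(["login", "input", "consent-choice", "security"]);

// Decide whether a cookie may be set under the current consent state.
// Non-necessary categories (analytics included) need an explicit opt-in, and
// "legitimate-interest" is never a valid basis for setting a cookie at all.
function maySetCookie(cookie, consent) {
  if (cookie.basis === "legitimate-interest") return false;
  if (NECESSARY_CATEGORIES.has(cookie.category)) return true;
  return consent.accepted.includes(cookie.category);
}

// Audit the first level of a banner against the decision's points: refusing
// must be as easy as accepting (same level, one click), the accept label must
// be an unambiguous indication of consent, and no legitimate-interest choices
// may be offered. Returns a list of findings; an empty list means none.
function auditBanner(banner) {
  const findings = [];
  const accept = banner.firstLevel.find((b) => b.action === "accept-all");
  const reject = banner.firstLevel.find((b) => b.action === "reject-all");
  if (!accept) findings.push("no accept option on the first level");
  if (!reject) findings.push("refusing needs a second level while accepting takes one click");
  if (accept && /^ok$/i.test(accept.label.trim())) findings.push("'OK' is not a clear indication of consent");
  if (banner.choices.some((c) => c.basis === "legitimate-interest")) {
    findings.push("legitimate-interest choices are misleading: not a basis for cookies");
  }
  return findings;
}

// Constructed sample banners: the "OK / Settings" pattern criticised in the
// decision, and a first level with accept and reject side by side.
const twoClickBanner = {
  firstLevel: [{ label: "OK", action: "accept-all" }, { label: "Settings", action: "open-settings" }],
  choices: [{ category: "analytics", basis: "legitimate-interest" }],
};
const compliantBanner = {
  firstLevel: [{ label: "Accept all", action: "accept-all" }, { label: "Reject all", action: "reject-all" }],
  choices: [{ category: "analytics", basis: "consent" }],
};

// Constructed consent states after one click on each button.
const consentAfterReject = { accepted: [] };
const consentAfterAccept = { accepted: ["analytics"] };

console.log(auditBanner(twoClickBanner));   // three findings
console.log(auditBanner(compliantBanner));  // []
```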

Looking forward

Currently, the Finnish cookie legislation is set out in the Finnish Act on Electronic Communications Services, which implements the ePrivacy Directive. Therefore, Finnish legislation is based on the same directive as all other EU member states’ ePrivacy laws. Despite sharing a common directive, the EU member states do not interpret the Directive in the same way, and many hope for a directly applicable binding ePrivacy regulation, similar to the GDPR, to iron out national differences. The European Commission issued a proposal for the ePrivacy Regulation as early as 2017, and it was supposed to enter into force together with the GDPR. However, the Regulation is still in the EU’s legislative machinery and there is currently no certainty about its progress.

It should also be noted that the adequacy decision on transfers of personal data between the EU and the US, which was just approved by the European Commission, does not affect the use of cookies or the consent mechanism, as the use of cookies is not regulated in the GDPR.

[1] Case C‑252/21 Meta Platforms and Others (Conditions générales d’utilisation d’un réseau social), ECLI:EU:C:2023:537
