In its decision, the NCSC assessed that the following cookies can be considered necessary:
- Login cookies. These cookies can be considered necessary if it is clear to the user that they are logged into the service, and the user is offered the option of refusing identification when moving between different websites. For this exception to apply, however, the same cookies may not be used for other purposes (e.g., showing targeted advertising to the user) without the user's consent.
- Input cookies. These cookies can be considered necessary to provide a service that the user has specifically requested. Such cookies enable, among other things, the use of a shopping cart and payment within the services.
- Cookies for remembering the consent choices.
- Information security cookies. These cookies are used, for example, to prevent misuse of the login services. In addition, the Finnish Administrative Court has concluded in its case law that third-party information security cookies, such as the hCaptcha anti-spam cookie, can be considered necessary.
Analytics cookies – necessary or not?
Analytics cookies, whether first-party or third-party, cannot in principle be considered necessary. Website users are unlikely to use a service because they want their activities, such as their interests, to be tracked. Even if the use of analytics cookies indirectly improves the quality of a service, users cannot be considered to "explicitly request" such analytics with sufficient clarity. Notwithstanding this main rule, analytics cookies can be deemed necessary in certain situations.
When assessing whether an analytics cookie is necessary, the focus is on what the user has explicitly requested, not on how the cookie has been named or on which features the user might consider nice to have.
In practice, this sets a high threshold. For example, it is not enough that analytics cookies are used to personalise the contents of a service; the service provider must also have due reason to believe that users are aware that such personalisation requires information gathered through cookies. In addition, the Court of Justice of the European Union has held in a recent judgment that, even though a service is free of charge, its users cannot reasonably expect the service provider to process their personal data for the purposes of personalised advertising without their consent[1].
The GDPR sets a high standard for consent – and the NCSC decision enforces that standard
The recitals of the GDPR also state that consent should not be regarded as freely given if the user has no genuine or free choice or is unable to refuse or withdraw consent without detriment. In its decision, the NCSC drew attention to a discrepancy between the language versions of the GDPR: unlike the other language versions, the Finnish version states that the user must have the option to later refuse or withdraw consent. According to the NCSC, given that the Finnish version differs from the others, the review of whether consent was voluntary should not focus only on the period after consent was given. Consequently, website users must have the opportunity to refuse consent at the same time and in the same way as they can give it.
Consent therefore cannot be considered duly informed if only the options "OK" and "Settings" are presented side by side on the first level of a cookie banner. In other words, the banner must not require two clicks to refuse non-necessary cookies when all cookies can be accepted with a single click. Such two-click procedures significantly influence the behaviour of visitors and are very likely to steer them towards accepting all cookies. The NCSC also considers that the label "OK" on the first level of the banner is not a clear indication of consent.
Since users in an increasingly digitalised environment are exposed to so-called click fatigue, the methods of obtaining consent must be evaluated very carefully. According to the NCSC, making it easier to accept all cookies than to refuse them is contrary to the GDPR's requirement that consent be voluntary (i.e. that it must be as easy to withdraw consent as to give it). When refusing consent is more difficult and takes more time than giving it, the service provider in practice steers users into consenting to more uses than they otherwise would, and the user has no de facto freedom of choice.
Legitimate interest appears as the basis for using cookies in many website cookie banners. Although legitimate interest is one of the legal bases for processing personal data under the GDPR, ePrivacy legislation does not recognise it as a basis for using cookies themselves. In its decision, the NCSC therefore emphasises that legitimate interest can never be the basis for using cookies.
According to the NCSC, presenting legitimate-interest choices in the cookie banner gives the misleading impression that cookies could be set and used on the basis of legitimate interest. The NCSC considers that referring to legitimate interest in the banner, and offering choices that permit processing on that basis, makes it difficult to give informed consent, because it is complicated for users to understand the effects of the cookie choices they make.
Currently, Finnish cookie legislation is set out in the Act on Electronic Communications Services, which implements the ePrivacy Directive. Finnish legislation is therefore based on the same directive as the ePrivacy laws of all other EU member states. Despite sharing a common directive, the member states do not interpret it in the same way, and many hope for a directly applicable, binding ePrivacy Regulation, similar to the GDPR, to iron out national differences. The European Commission issued its proposal for the ePrivacy Regulation as early as 2017, and it was supposed to enter into force together with the GDPR. However, the Regulation is still in the EU's legislative machinery and there is currently no certainty about its progress.
[1] Case C-252/21 Meta Platforms and Others (Conditions générales d'utilisation d'un réseau social), ECLI:EU:C:2023:537