Finnish Data Protection Ombudsman’s Statement on Cookie Consents Managed through Browser Settings

Authors: Emma Swahne (Associate) and Linda Björkenheim (Associate Trainee)

In her recent decision, the Finnish Deputy Data Protection Ombudsman (“Ombudsman”) states that a consent for cookies is considered freely given and specific in accordance with the General Data Protection Regulation ((EU) 2016/679, “GDPR”) only if the data subject is offered an equal chance to both accept and reject the cookies.

In the case in question, a company was collecting information through cookies and used it, inter alia, for targeted advertising and service personalisation. The company’s website had a pop-up banner informing visitors about the cookies. The banner stated that by continuing to use the website the user accepts the cookies and contained two alternative choices; the user could either consent to the use of cookies by pressing an “OK” button or alternatively choose to receive more information. No alternative to refuse the cookies was presented. Instead, by pressing the button offering more information, the data subject was redirected to the company’s privacy policy, which stated that cookies could be deactivated in the user’s browser settings. The Ombudsman found that the company’s method for obtaining cookie consent was not compliant with the GDPR.

Recently, the formalities related to cookie consents were also reviewed by the Court of Justice of the European Union in the so-called Planet49 case (C-673/17). In said case, the Court found a consent given by a pre-ticked box to be invalid as it cannot be ascertained whether or not the data subject has actively confirmed their consent. The decision of the Ombudsman emphasises the same requirement of active and specific indication as the Court, i.e. giving consent through the banner was not considered to meet the requirements of freely given consent, nor had refusing or withdrawing the consent been made as easy as giving it. Furthermore, telling users about the opportunity to disable the saving and use of cookies in their browser settings was not considered consistent with the active and specific indication of agreement required in order for a consent to be valid. The Ombudsman took the view that users cannot give valid consent as provided for in the GDPR by not changing their browser settings. Consequently, the company had not operated in compliance with the GDPR and was demanded to update its consent collection practice.

Interestingly, the reasoning of the Ombudsman’s decision differs from the Finnish Transport and Communications Agency’s (Traficom) take on consent collection regarding cookies (Traficom governs the rules on consent provided for in the ePrivacy Directive implemented into Finnish law, while the Ombudsman supervises compliance with the data protection law in general). According to Traficom, consent to the use of cookies can be obtained through the data subject’s browser settings. However, the Ombudsman’s decision remains unclear as to whether  the browser settings may be used to obtain consent provided that (i) the cookies are not activated prior to such acceptance and (ii) the acceptance and rejection of cookies through such settings are equally and easily accessible.

On a side note, the European Data Protection Board also recently updated its guidelines on cookie consent, stating that consent is freely given in accordance with the GDPR only if the data subject has been presented with a genuine choice. Going forward, companies will need to make sure that data subjects are offered an actual opportunity to refuse cookie usage without having to modify their browser settings.