Cookies

Cookies are small text files stored stored on your terminal equipment, such as a computers, tablets or smartphones, when you browse websites. Cookies contain character strings that enable functions to be performed and contain information on how you have interacted with websites. The purpose of cookies is not to harm your device, nor do they read other information from your equipment’s hard drive or spread viruses. Data can be stored in cookies while you use online services or visit websites, and also in between visits.

Cookies and similar technologies provide various functionalities common to modern websites. Cookies are used widely in both public-sector and commercial websites. They are a key component of safe, efficient and user-friendly functioning of services based on electronic communication.

Cookies and similar technologies can be classified by their validity period, origin and purpose.

Validity

• Session cookies are stored on your device only for the duration of the individual session when you use a website or a service. They are deleted when the browser is closed. Session cookies can be used, for example, to enable purchases in online stores, or to enable functions that require the website to remember short-term information on user actions.
• Permanent or stored cookies are stored on your device for a longer time—until the period of validity defined for each cookie has passed or until you remove them. These cookies can be used, for example, to store preferences regarding a site’s visual appearance, to remember your language selection or to store your login credentials. Stored cookies can be used to determine whether you have accessed the website before, or to collect information on which sections and which contents of the website you have accessed and how.

Origin

• First-party cookies are set directly by the site you are visiting or by the domain of the organisation that owns the site.
• Third-party cookies are set by someone else – not the owner of the site or the service currently accessed.

Purpose

• Essential cookies enable core functions that are required to use the sites, such as logging in to the secure sections of the sites, remembering the content of users’ shopping carts in online stores, automatic filling of forms, or improved information security. Essential cookies are typically set by the first party and are only stored for the duration of the session. The law does not require consent to be requested for essential cookies, but informing the user is recommended.
• Functional cookies are used to increase and improve the functionality of the website, but they are not absolutely necessary for using the site.
• Preference or personalisation cookies allow, for example, language settings, font size selections and login credentials to be stored between sessions. These cookies also make it possible to track which pages and which contents you have accessed and to display content based on your earlier objects of interest.
• Analytics cookies are used to collect data on how the sites are used, for example, by counting unique traffic sources and page views, by measuring the loading times of different pages, and by tracking how users navigate within the website.
• Social media cookies typically allow content on various social media platforms to be displayed, liked and shared, and are often related to social media logins and commenting features.
• Marketing cookies are often used to collect data on your interests based on online behaviour. They can also be used to present targeted ads that match your interests based on your behaviour.

Website and mobile application providers who want to store cookies on your device and read your cookie data are required to provide you with a clear and understandable description of the types of cookies or similar technologies that they use. They are also required to specify the purpose and the validity period of the cookies, and must request your consent for storing and accessing the data.

According to the law, consent is not required for essential cookies when the following conditions are met:

• The sole purpose of storing or using cookies is to transmit messages in communications networks, or
• The storage and use of cookies is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

Even with these cookies, service providers are recommended to provide similar descriptions as with non-essential cookies.

As specified in law, consent refers to any freely given, specific, informed and unambiguous indication of a data subject's wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.

How consent is requested and managed is the responsibility of the service provider.  Typically, consent is requested using a dialogue box (banner) that contains choices and is presented to you when you first access a website. For the consent request to be considered appropriate, the request should include at least the following items:

• The use of cookies and similar technologies is described clearly and thoroughly.
• The mechanism specifies the different types of cookies or other technologies that are used by the website or the service, including their purpose and period of validity.
• The mechanism informs you about whether third parties have access to and are allowed to process the cookie data.

You should read the cookie banners on each site carefully and choose what data you allow to be stored on your devices and what information can be collected from them. Service providers cannot assume consent for storing non-essential cookies by simply instructing you to change your browser settings or by stating that “by continuing the use of this site/service, you accept the use of cookies”.

The installation of a mobile application typically requires you to take action. The access privileges that a mobile application requires are usually specified in the application store in the information section of the application page. It is advisable to read this section before downloading and installing any applications. If the use of a mobile application entails cookies, the user should be informed of the cookies and consent should be requested for non-essential cookies, if used. The user should also be offered the opportunity to make choices concerning these after the application has been installed (at the latest).

The method that is used for requesting consent must feature a simple option for rejecting non-essential cookies. For example, if a cookie banner is used for requesting consent, the banner must not include any pre-ticked boxes indicating consent or any slide switches in the “ON” position for any non-essential cookies. In other words, you must be able to freely choose whether you consent to the use of non-essential cookies.

Withdrawing consent or changing the cookie settings set previously must be as simple and easy as possible for the user. The manner of withdrawing consent should be similar or comparable to the method by which consent was originally requested. For example, if consent was requested using a banner, the banner that is used for editing the cookie settings afterwards should be easy to access again by clicking on an icon or a link on the website.

The service provider is also responsible for ensuring that withdrawal of consent or modification of cookie settings on a website has an actual impact, i.e. that the procedure actually removes or overwrites the data that was previously stored.

Chapter 205 of the Act on Electronic Communications Services (917/2014) sets out provisions on cookies and other data stored on user devices. It should be noted that the data controller’s legitimate interest as defined in the EU General Data Protection Regulation (GDPR) does not grant permission for the storing of cookies on user devices. This means that legitimate interest is not a valid ground for the use of cookies or similar tracking technologies.

In addition to the cookie controls on individual websites, cookie settings can be configured in the privacy settings of modern web browsers and in the application settings of mobile applications.

Session-specific cookies are automatically deleted when the browser is closed. The simplest way to manage long-term cookies stored on the device is usually through the browser settings. All long-term cookies can usually be deleted with a single action, or they can be configured to be deleted every time the browser is closed. In some browsers, it is possible to remove long-term cookies of individual websites.

• Browsers may be set to reject all third-party cookies by default.
• Some browsers allow site-specific settings for accepting or rejecting cookies.
• Most browsers also allow the use of cookies to be prevented entirely. However, it should be noted that if all cookies are rejected, site contents and functions that you might want to use may stop working. This is because the implementation of some site functions may be based on the essential cookies mentioned above.
• The use of a private (incognito) browsing mode. This browsing mode prevents the search history, other site information and permanent cookies from being stored on your device. In some browsers, the private browsing mode also prevents the use of third-party cookies entirely. Cookies and site data are stored in the cache of the browser for the duration of the session, and the data is deleted when exiting incognito mode. It should be noted that incognito mode does not prevent all data from being exposed to the service provider. The service provider may still be able to see, for example, the IP address from which the connection is made.

If you encounter a website or an application that has a suspicious cookie policy or is clearly infringing the law, you should first contact the service provider in question and inform them about the matter. Service providers are generally pleased to receive feedback from their customers and often change their services based on their feedback. When contacting the provider of a website or application, you may refer to the guidelines published for service providers by Traficom: 

If the service provider does not respond to your feedback or does not take action, or if the service provider’s answer is inappropriate, you can file a complaint to the Finnish Transport and Communications Agency (Traficom). The complaint can be drafted in free form, for example, by using Traficom’s service forms. The complaint should include at least the following information:

• The website or application in question. The entire address of the website and name of the service provider are always necessary information. Please note that Traficom acts as the competent authority for Finland, meaning that it supervises service providers that are established and operating in Finland.
• When the issue was found (at least the date).
• A brief description of how you think the service provider operates improperly.
• Your contact information for further processing of the issue by Traficom and for potential requests for more information. Giving your contact information is voluntary, but by not giving your contact information may make the processing and the resolution of your complaint more difficult or limit the options available.

Traficom may also request additional information concerning your device or request a copy of your communications with the service provider to perform a technical or other inspection of the matter.

Traficom may examine the complaint in a written procedure in accordance with the Administrative Procedure Act (434/2003). This means that after receiving your complaint, Traficom will request a statement concerning the matter from the service provider and issue a decision after hearing the parties concerned.

Administrative matters typically take several months to process by Traficom. It is possible to lodge an appeal against Traficom’s decisions. Appeals are made to the Administrative Court.

If Traficom finds that the service provider has acted unlawfully, it may notify the service provider of the matter and require them to remedy the defect or neglect within a reasonable period of time. Conditional fines, threat of termination of the service provider's operations or threat of correcting the matter at the service provider's expense may also be used to support the obligation. However, Traficom does not have the powers to give administrative sanctions such as the imposition of fines for unlawful procedure on the service provider for their cookie policy.

It should also be noted that the competent authority in matters related to the processing of personal data is the Office of the Data Protection Ombudsman, not Traficom.