
The latest cookie guideline in five minutes

By Venla Kiminki

In September 2021, the Finnish Transport and Communications Agency Traficom published an updated version of its cookie guideline. So what should you know about cookies in the first place, and what has changed with the recent update? This article presents the key points in plain terms.


It is quite safe to assume that every one of us comes across cookies daily when browsing online services. However, while it used to be customary to just inform visitors of cookies with a banner popping up at the top of the page, all except essential cookies now require the visitor’s consent. This is one consequence of Traficom’s new cookie guideline discussed in this article.

Cookies are text files less than 4 kB in size


To make sure everybody is on board, let’s summarize first what cookies are.

Technically, cookies are small files at most 4 kilobytes in size that contain strings, i.e., sequences of characters. When you visit an online service, these files are saved on your device to enable the strictly necessary functions of the website, such as logging in, staying logged in, and remembering the items in your shopping cart in online stores. In a way, these necessary cookies can be thought of as a waiter. The waiter will write down your order, possible allergies, and table number.

Cookies are stored on your device for the duration of the session or longer if necessary. When revisiting the same website, your device will send the long-term cookie data to the website so that it can associate you with your previous visits, for example.

Traficom’s guideline also covers technologies similar to cookies and technologies that produce cookies. One example is the HTML web storage mechanism, which, like cookies, saves visitor data from the website to the visitor’s device but can hold data in non-string forms, as JavaScript primitives or objects, and in larger amounts (up to 5 MB). Technologies considered similar to cookies include tracking pixels, web beacons, tags, and fingerprinting technology.

For the sake of clarity, this article refers to all of these comparable technologies as cookies.

The use of non-essential cookies always requires consent

Broadly, there are two kinds of cookies: cookies that are necessary for the website’s functioning and cookies that store information about the visitor for marketing and other purposes. Necessary cookies can be used without the visitor’s consent, whereas consent is mandatory for all other cookies.

The difference between necessary and non-essential cookies is not as straightforward as one might imagine. Permanent login cookies, for example, can be considered necessary only if the visitor can clearly understand that their login will be maintained for a longer period (the “stay logged in” option) and this has a clear function for the usability of the site. For example, a permanent login cookie can improve the user experience of services like Facebook because you do not have to log in every time after closing the browser. Traficom’s cookie guideline for service providers contains many good rules of thumb on the differences between necessary and non-essential cookies, which you can read more about in Section 3.3 of the cookie guideline.

“In principle, the storing of cookies and comparable data on user devices and the use of this data requires the cancellable consent of the user, as well as understandable and comprehensive information concerning the purpose of the storage and use of data.”

Traficom

Consent must be an active and voluntary decision

While it used to be customary to just inform the visitor of the use of non-essential cookies passively, now their use always requires consent. A notification such as “By using our website, you consent to our cookie policy” is no longer sufficient. Instead, the visitor must always be able to actively decide on a voluntary basis if they allow the collection of their data – in practice, they have to tick a box (which must be empty by default). The website must also make it clear to the visitor what giving one’s consent will mean in practice.

This kind of banner is no longer valid to use. The visitor must be asked for their consent for using non-essential cookies.

Most often, websites request consent with a banner. The new guideline also comments on the properties of the banner, stating most importantly that the cookie banner or other mechanism used to request consent must not prevent the visitor from accessing the website. In other words, the banner must not hide the website’s content, and the visitor has to be able to browse the site without giving consent for cookies.

The visitor can’t access the site without answering the cookie banner first. On top of that, the banner strongly guides the visitor to accept all cookies both on this website and on the service provider’s other websites.

The visitor must be able to choose which data is collected during their visit and whether non-essential data is collected at all. In addition, refusing to give consent must be as easy as granting it, meaning that granting and refusing consent must have equal value as alternatives. In other words, the refusal option must not be hidden or made otherwise less visible. Manipulating the visitor with choices of color, for example, is also forbidden.

Granting and refusing consent are not equal options with this cookie banner, as the user is persuaded to give their consent with a differently-colored button.

The consent for cookies must also be documented outside the visitor’s device. The documented information must include the date and time of the consent, what information was provided to request it, and the identifying data strictly necessary for associating the consent with the device in question.

The visitor must also be able to cancel their consent for non-essential cookies at any time and as easily as it was to grant it. It is also forbidden to penalize the visitor by artificially lowering the quality of the service, for example, if they refuse consent for cookies when using the online service for the first time or cancel their consent later on.

Cookies must be categorized and explained

Nowadays, cookies must be categorized, and the visitor must also be able to choose which cookie categories they want to allow or reject. A common way to offer this choice is to list the categories in the cookie banner’s cookie settings.

The online service must provide brief descriptions of the cookies and categorize them while also providing more information about them in the privacy policy, for example.

This website provides a good example of how asking for consent is done according to the cookie guideline. Both options – granting and refusing consent – are equal to each other, and the website can be used without answering the cookie banner.

By opening the cookie settings, the cookies are here categorized precisely and specified with detail. It is easy to see what kind of cookies the website uses, why, and how long the personal data is stored.
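As an added illustration (not code from Traficom, the article’s author, or any cookie management product), the consent rules above expressed as a small JavaScript consent model: non-essential categories start unchecked, the server-side record carries the timestamp, the policy version shown, and a consent id, withdrawal is a single call, and a cookie is only set when its category is allowed. The category names, policy version and consent id are constructed values.

```javascript
// Cookie categories the site declares. Only "necessary" may be used
// without consent; every other category is off until the visitor opts in.
const CATEGORIES = {
  necessary: { essential: true, description: "Login session and shopping cart" },
  analytics: { essential: false, description: "Usage statistics" },
  marketing: { essential: false, description: "Retargeting and ad measurement" },
};

// The banner's starting state: every non-essential box is empty.
function defaultChoices() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) choices[name] = meta.essential;
  return choices;
}

// Build the record stored outside the visitor's device: when consent was
// given, which policy text was shown, the per-category choices, and an id
// that links this device to the record (generate it with crypto.randomUUID()
// in production). Essential categories are always on; unknown ones are ignored.
function recordConsent(choices, policyVersion, consentId, now = new Date()) {
  const stored = defaultChoices();
  for (const name of Object.keys(stored)) {
    if (!CATEGORIES[name].essential && choices[name] === true) stored[name] = true;
  }
  return { consentId, timestamp: now.toISOString(), policyVersion, choices: stored };
}

// Withdrawal is one call with no extra questions: it resets every
// non-essential category and keeps the audit trail under the same id.
function withdrawConsent(record, now = new Date()) {
  return recordConsent({}, record.policyVersion, record.consentId, now);
}

// Gate: may the site store a cookie of this category for this visitor?
// No record means no consent, so only essential cookies pass.
function mayStore(record, category) {
  const meta = CATEGORIES[category];
  if (!meta) return false;
  if (meta.essential) return true;
  return Boolean(record && record.choices[category]);
}

// Produce a Set-Cookie header value only when the category is allowed.
function setCookieHeader(record, name, value, category, maxAgeSeconds) {
  if (!mayStore(record, category)) return null;
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```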

Every online service has to arrange its own cookie management

Digital communication applications and websites can collect identifiable data on their visitors, such as IP addresses. They may also track their visitors within the online service and from one online service to another – and even collect data on the online services the visitor has accessed before first visiting the online service in question. By combining visitor data from various sources, it is possible to create rather detailed visitor profiles that can be used for purposes such as targeted marketing. Therefore, the use of cookies is also subject to the Data Protection Act, the Act on Electronic Communications Services, and the GDPR, as applicable.

Traficom’s guideline only explains what should be taken into account in cookie management – it does not comment on how cookie management of online services should be implemented. Every holder of an online service is responsible for ensuring that it collects visitor data according to data protection regulations and the cookie guideline.

There are several cookie management systems on the market. When selecting the preferred system, it is advisable to take into account factors such as the country in which the cookie register is stored. This determines, among other things, the legislation that must be adhered to in storing and using the data in the cookie register. It is also advisable to take a careful look at the accessibility and customizability of the cookie banner and any other features of the cookie management system. An ideal cookie banner follows the guidelines, is easy to use and accessible, and fits well with the website’s visuals.

Are there any options beyond cookies?

As cookies now always require the visitor’s consent, it is only natural that more and more visitors are refusing the use of cookies. In addition, cookie banners do not actually improve a website’s general appearance, which also generates interest in cookieless options.

Cookies are crucial for purposes such as retargeting advertising, where advertising is targeted to a website’s former visitors, identifying a returning visitor, or tracking a visitor for the duration of several sessions. The latter features make it possible to sort visitors into new and returning ones, attribute goals and purchases to a campaign even if the visitor is converted only during their second visit, and track a group of visitors who accessed the site during a specific period of time. As was already mentioned, cookies enable storing the IP address of visitors who have given their consent, enabling functions such as more accurate location reporting.

However, website analytics can also be conducted anonymously without cookies. Of course, the accuracy of analytics will suffer compared to a situation where all the website visitors accept the use of cookies. However, as this can no longer be assumed, the accuracy of analytics will suffer in any case because a portion of the visitors will always stay under the radar. The upside is that conducting analytics anonymously without cookies can yield basic data more extensively than when requesting consent for cookies.

One application that is gaining popularity and is excellent for cookieless analytics is Matomo Analytics. In Matomo’s cookieless analytics, only the latest website visit feeds data for tracking goals; multi-attribution and cohort reports are not available; and the accuracy of location reporting varies. In addition, Matomo’s cookieless analytics cannot obtain totally accurate data on unique, new, and returning visitors, days since the last visit, numbers of user-specific visits, and days to conversion. However, Matomo’s anonymous cookieless tracking can provide data on how the visitors use the website, among other things, and this data can be used to produce valuable information without the need to identify visitors.

When all the service’s traffic is processed anonymously and without cookies, all the visitor data collected from the site has equal value. This makes the analysis itself easier – even while it is also true that previously, more data could be collected without requesting consent and it was possible to profile both single visitors and visitor groups of an online service more accurately.

Summarizing the cookie policy

In Finland, the confidentiality of electronic communications is regulated by Traficom. Parties managing online services should follow its cookie guideline to better ensure that their cookie practices comply with the legal requirements. While the guideline provides instructions on the legitimate use of cookies, it “is not legally binding as such. However, it defines the view of the supervisory authority on lawful and acceptable cookie policies. By deviating from them, service providers assume the risk of potentially unlawful action.”

Traficom’s updated cookie guideline, which is valid from 13 September 2021, is based on sources such as the resolutions of the Helsinki Administrative Court on 8 April 2021 (link’s content in Finnish), which state that consent for the use of cookies must be interpreted in the same way as the consent referred to in the GDPR.

By always following the most up-to-date instructions, you can ensure that the collection and processing of personal data in your online services comply with the latest legislation and judicial views. By doing this, you can avoid the possible sanctions of breaking the law and guarantee the ethical processing of personal data.

When creating the cookie banner, it is also advisable to keep its accessibility and ease of use in mind. You should not think of the cookie banner as a necessary evil either: while requesting consent for using cookies is mandatory and the guideline dictates certain criteria for the appearance and content of the banner, it can still be presented with distinctive copy and an aesthetic that is in line with the company’s brand.

The key points to remember from the updated cookie guideline:

  1. Non-essential cookies always require consent.
  2. Giving consent for the use of cookies must be as easy as refusing it – manipulating the choice even with buttons of different colors, for example, is forbidden.
  3. The consent must be a voluntary and active decision.
  4. The cookie banner must not prevent the visitor from browsing the website.
  5. The visitor must also be able to cancel their consent at any time, and this must be as easy as it was to give it.
  6. Cookies must be categorized and explained.
  7. The personal data stored in the cookie register must have legitimate storage periods which are pre-determined and also documented.

Sweet tooth aching for more cookies?

If you’re unsure about the state of your website’s cookie policy or you would like to hear more about going cookieless, don’t hesitate to contact us!
