Valikko

Deputy Data Protection Ombudsman orders company to change the way it requests consent for the use of cookies

15.5.2020 13.49 | Published in English on 19.5.2020 at 14.27
Press release

The Deputy Data Protection Ombudsman has ordered a company to change the way in which it asks for the user’s consent for the use of cookies. The person who filed the complaint with the Office of the Data Protection Ombudsman felt that they did not have a reasonable opportunity to refuse the cookies. The company used cookies on its website for purposes such as targeted advertising.

The company against which the complaint was made stated that it uses cookies to collect data for itself and for third parties, for example on the use of its services and the IP addresses of users. According to the company, the cookies were used for purposes such as personalising services and targeting advertisements.

Cookies are small text files that are saved on users’ devices when they visit a website. Cookies can be used to ensure the site’s technical functionality and targeted marketing, among other things. 

The company communicated the use of cookies with a pop-up window appearing on its website, i.e. a cookie banner. The notification stated that the user accepts the cookies by continuing to use the website. Choosing the Additional Information button instead of the OK button opened the controller’s privacy statement. In the statement, users were told that they could block the cookies by changing their browser settings. Furthermore, the privacy statement indicated that users could block the cookies of the controller’s partners individually on the websites of these partners.

In her ruling, the Deputy Data Protection Ombudsman found that the controller’s method for obtaining the consent required for the use of cookies was not compliant with the General Data Protection Regulation (GDPR). Giving consent through the banner was not considered to meet the requirements of freely given consent, nor had refusing or withdrawing the consent been made as easy as giving it. Telling users about the opportunity to disable the saving and use of cookies in their browser settings was not considered consistent with the active and specific indication of agreement required by valid consent. The Deputy Data Protection Ombudsman took the view that users cannot give the consent provided for in the GDPR by not changing their browser settings.

For consent to meet the requirements set in the GDPR, users must have the opportunity to choose whether to accept or reject the terms offered. Consent can be given in a variety of ways, as long as it clearly indicates that the data subject accepts the proposal for the processing of their personal data. Valid consent cannot be given through silence, pre-ticked boxes or inactivity. Refusing and withdrawing consent must be as easy as giving it.

The Deputy Data Protection Ombudsman ordered the controller to bring its practices for obtaining consent into compliance with the GDPR. The Deputy Data Protection Ombudsman’s decision can be appealed in the administrative courts and is not final.

Consent must meet the requirements of the GDPR

In its judgment in case Planet49 in October 2019, the Court of Justice of the European Union stated that the prerequisites concerning consent in the Directive on Privacy and Electronic Communication and the GDPR must be read in conjunction.  The Directive on Privacy and Electronic Communication stipulates that saving data on the terminal devices of users is only permitted if the users have given their consent for saving the data. This does not prevent the technical saving of data or the use of cookies if it is necessary for providing the service. However, cookies used for purposes such as targeted marketing still require consent.

The requirements for consent set in the Directive on Privacy and Electronic Communication have been implemented in Finland in the Information Society Code enforced by the Finnish Transport and Communications Agency Traficom. The GDPR’s provisions on consent do not include a national margin of manoeuvre, meaning that they are applied by the Member States as they are. In Finland, compliance with the GDPR is enforced by the Data Protection Ombudsman.

Dozens of similar cases are currently being processed by the Office of the Data Protection Ombudsman and will be resolved in line with the ruling now given.

The European Data Protection Board published updated guidelines on consent as the basis of processing personal data

The European Data Protection Board adopted an updated version of the guidelines on consent on 4 May. No major changes were made to the guidelines, but questions on cookies and ways of asking for the data subject’s consent are illustrated with new examples. The guidelines are in line with the Deputy Data Protection Ombudsman’s ruling.

The European Data Protection Board is responsible for the uniform application of the EU General Data Protection Regulation in the European Union. The Data Protection Ombudsman represents Finland on the European Data Protection Board.

Deputy Data Protection Ombudsman’s decision on giving consent for cookies in Finlex (in Finnish)

Guidelines of the European Data Protection Board: Guidelines 5/2020 on consent under Regulation 2016/679

More information:
Deputy Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi