In 2020, after EDPB’s updated guidelines on cookie consent, the national regulators in Spain, Italy, France, and Germany published updated rules on the use of cookies and similar tracking technologies.

The new guidelines published by the various DPAs clarify the EDPB guidelines and provide examples. They are part of a growing trend among the EU member states towards stricter enforcement of the GDPR, especially due to the increasing regulatory discrepancies by businesses. Regulators have recently imposed huge GDPR fines on major tech companies like Google, Amazon, and Twitter for cookie violations.

This is where guidelines issued by the national regulators come to play an important role in helping businesses comply with not just the broader GDPR rules, but also the state-level data protection laws.

You can read detailed summaries of the cookie guidelines released by respective Data Protection Authorities (DPA) here:

Spanish AEPD Cookie Consent Guidelines

Italian DPA’s Cookie Consent Guidelines

French CNIL Cookie Consent Guidelines

German DSK’s Cookie Consent Guidelines

This blog will look into the guidelines of Ireland, Greece, and Finland.  

Irish DPA Cookie Guidelines

In 2020, the Irish Data Protection Commission (DPC) published its findings and revised cookie guidelines after examining popular websites in Ireland and their use of cookies and similar technologies.

Key takeaways from the DPC’s new cookie consent guidelines include:

  • Non-necessary cookies and similar technologies (local storage objects or “flash” cookies, SDKs, pixel trackers, social buttons, device fingerprinting technologies, etc.) should not be set on the landing page of the website or app.
  • Analytics cookies require consent. Websites should provide clear information about such cookies in their privacy policy and include a user-friendly mechanism to opt out of the use of analytic cookies.
  • However, unlike first-party analytics cookies, third-party cookies are considered a greater privacy risk for users and therefore are likely to be a priority for any formal enforcement.
  • Consent cannot be “bundled” for multiple purposes, i.e. the cookie banner or pop-up should outline the specific purposes for which the cookies are used.
  • The use of pre-checked boxes, sliders, or other tools set to ‘ON’ by default to signal a user’s consent is not allowed.
  • The user must be able to withdraw consent as easily as they gave it and you must not ‘bundle’ consent for cookies with consent for other purposes, or with terms and conditions for a contract for other services you provide.
  • Implied consent is unacceptable, i.e. users’ continued use of your website, whether through clicking or scrolling, does not qualify as consent to set cookies.
  • Users should be able to change their cookie preferences at any time, via a cookie button (or a “radio button”) available on each web page.
  • If a cookie is used to store a record that a user has given consent to the use of cookies, this cookie should have a lifespan of six months. Like the French CNIL, the DPC suggests that user consent should be renewed in six months. 

Greek DPA Cookie Guidelines

The Hellenic Data Protection Authority (HDPA) published cookie guidelines. The guidelines seek to help businesses adapt to the requirements of the GDPR and the ePrivacy Directive.

The cookie consent guidelines state that:

  • Continued browsing or scrolling through a website and pre-ticked boxes cannot be considered as affirmative consent given by users.
  • Prior user consent is necessary before placing cookies or trackers, including advertising and web analytics cookies.
  • The user must be able to accept or decline the use of cookies with the same number of actions (clicks) and from the same level i.e. all buttons should be of the same size, tone, and color.
  • Cookie walls are not valid consent as users should not be subject to accepting cookies to access the service or functionalities of the website.
  • Only strictly necessary cookies that are essential for the functioning of a website or the delivery of a service as requested by the user are exempt from prior consent.

The cookie consent guidelines refer to the following actions as unlawful:

  • Using cookie walls that deny users access to the website without active consent using ‘Accept All’, ‘I Agree’ buttons.
  • The option to deny the use of cookies is given at a second level i.e. the user has to take more actions like clicking on ‘more information’ or ‘settings’ hyperlink.
  • Treating a user’s inaction regarding the cookie banner, i.e. scrolling or closing the cookie pop-up, as an indication of consent.
  • Emphasizing the size or color of the ‘Accept’ button over the ‘Reject’ button. For instance, large or bold ‘Accept’ buttons that nudge the user to choose it.
  • Denying users the option to change cookie preferences easily, or allowing cookie settings to be changed only through web browser settings.
  • Displaying the cookie notices again in short intervals after the user rejects the use of cookies whereas the same is not applied when the user consents.

Finnish DPA Cookie Guidelines

In 2020, the Finnish Data Protection Authority ruled that asking users to manage cookies via browser privacy settings does not constitute sufficiently active and explicit consent under the GDPR.

  • Consent cannot be given by silence i.e. through pre-ticked boxes or inactivity regarding the consent banner/pop-up.
  • Cookie notices have to be clear and concise and should not be disruptive to the use of the service or the website.
  • Data subjects have to be offered a genuine choice concerning accepting or declining cookies.
  • Asking users to disable the use of cookies in their browser settings is not valid consent.
  • The option to reject cookies must be as easy for the user as it is to give consent to cookies.

Interestingly, the DPA’s decision differs from that of the Finnish Transport and Communications Agency (Traficom), which is the governing body for consent as provided in the ePrivacy Directive under Finnish law. (The DPA is a supervisory body that checks compliance with the data protection law in general.)

According to Traficom, consent to the use of cookies can be obtained through the data subject’s browser settings. Meanwhile, the DPA’s decision followed the EDPB guidelines, which state that consent is freely given per the GDPR only if the data subject is provided a genuine choice.

How to Comply with Cookie Consent Guidelines?

As the data protection agencies in Europe move in one direction to define and clarify the rules set by the GDPR and EDPB, businesses should move in the right direction — compliance.

  • Deploy cookie consent banners with clear information, including a cookie audit table that states the category of cookies and their purpose.
  • Give users a granular option to enable/disable the use of specific categories of cookies.
  • Ensure that the ‘Accept’ and ‘Reject’ buttons match in color and layout and are displayed at the same level.
  • Link your privacy/cookie policy on the cookie banner.
  • Display a dynamic cookie banner to users in different geolocations so that users can access cookie banners in the language they understand.
  • Record user consent for proof of consent and to demonstrate compliance, in case it’s necessary.
  • Place a ‘revisit’ consent widget on the website so users can withdraw/modify their cookie preferences at any time, as noted by the Irish DPC.
  • Remember the cookie settings and preferences of a user, so that banners are not displayed on each visit.
  • Display a detailed cookie policy with a description of what cookies are, how they are used on your website, and how users can disable them.
  • Display a privacy policy with how data is collected from users and how and why it is used, including a link to your cookie policy.

You can do all this and much more with CookieYes — a cookie consent solution that will help you achieve GDPR compliance. If your website has visitors from the US, you can also enable CCPA compliance.

You can add highly customizable cookie banners, audit the cookies used on your website with automated scanning, automatically block third-party cookies, manage cookie settings, and record user consent all in a single dashboard.

CookieYes supports auto-translation of cookie banners in multiple languages including English, French, Spanish, Irish, Portuguese, Swedish, German, Finnish, Danish, Turkish, etc.

With CookieYes, you don’t have to look further for GDPR compliance.

You can also generate a cookie policy as well as a privacy policy in just a few steps.
