Two Regulators, One Cookie Banner
Finland takes an unusual approach to cookie regulation. Rather than placing all responsibility under a single data protection authority, Finnish law divides oversight between two bodies: the Finnish Transport and Communications Agency (Traficom) and the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
Traficom supervises the technical rules around cookies and similar tracking technologies under the Act on Electronic Communications Services (917/2014). The Data Protection Ombudsman handles the broader GDPR consent requirements that apply to any personal data processing triggered by those cookies.
If your website serves Finnish visitors, you must comply with both sets of rules simultaneously.
Section 205: Finland's ePrivacy Transposition
Section 205 of the Act on Electronic Communications Services (Laki sähköisestä viestinnästä) is Finland's transposition of Article 5(3) of the ePrivacy Directive. It governs the storage of cookies and similar technologies on a user's device.
The rule is straightforward: storing or accessing information on a user's terminal equipment requires prior consent, unless the cookie is strictly necessary to provide a service the user has explicitly requested. Legitimate interest is not a valid legal basis under Section 205 - this is a point Traficom has made repeatedly in its guidance and enforcement decisions.
Strictly necessary cookies - such as session identifiers like PHPSESSID, authentication tokens, and load-balancing cookies - are exempt from the consent requirement. Traficom still recommends informing users about these cookies, even though consent is not legally required for them.
Traficom's Cookie Guidance in Practice
Traficom's National Cyber Security Centre (NCSC-FI) published updated cookie guidance clarifying what service providers must do. The guidance is not legally binding in itself, but Traficom has warned that deviating from it means assuming the risk of unlawful action.
The key requirements are:
- Your cookie banner must specify each cookie's name, type, purpose, and validity period
- You must disclose whether cookie data is shared with third parties
- Consent must be opt-in - referring users to browser settings for managing cookies is not valid consent
- Refusing non-essential cookies must be as easy as accepting them - no dark patterns
- Consent records should be stored for five years to demonstrate compliance
That five-year retention period is notably longer than what most other EU member states recommend.
Cookie Categories Under Finnish Rules
Finnish regulators apply the standard EU approach to cookie categories, but enforcement decisions have shown they scrutinise categorisation closely. In the 2023-2024 enforcement cases, Traficom found that companies had incorrectly classified marketing and analytics cookies as "necessary" to avoid collecting consent.
| Category | Consent Required? | Examples |
|---|---|---|
| Strictly necessary | No | PHPSESSID, login tokens, CSRF tokens |
| Functional | Yes | pll_language, accessibility preferences |
| Analytics | Yes | _ga, _pk_id, _pk_ses |
| Marketing/Advertising | Yes | _fbp, _gcl_au, ad network pixels |
The Data Protection Ombudsman's Role
While Traficom covers the ePrivacy side, the Data Protection Ombudsman enforces the GDPR. When cookies process personal data - and most analytics and marketing cookies do - both regulatory frameworks apply at once.
The Deputy Data Protection Ombudsman issued a landmark decision in May 2020, ruling that instructing users to manage cookie preferences through browser settings does not constitute valid consent under the GDPR. This decision aligned Finnish practice with the Court of Justice of the EU's Planet49 ruling and made clear that cookie consent in Finland must meet the GDPR standard: freely given, specific, informed, and unambiguous.
The Ombudsman's Sanctions Board has imposed a total of 21 GDPR fines amounting to approximately 3.5 million euros since the regulation took effect. While not all of these relate to cookies specifically, the board has demonstrated willingness to act on consent violations.
Court Rulings That Shaped Finnish Cookie Law
Two Helsinki Administrative Court decisions from 2024 (cases 5845/2024 and 5846/2024) solidified the enforcement framework. Both cases involved appeals against Traficom decisions finding Section 205 violations.
In the first case, a Finnish media company was found to have placed non-essential cookies without proper consent on multiple websites. Traficom identified that the company's consent mechanism made it easier to accept all cookies than to reject them, and that several cookies had been misclassified as necessary.
The second case involved a Finnish telecommunications company that set chat-service cookies (_ltrp, _ltrs, _ltrsn) without user consent. The court upheld Traficom's position in both cases, ordering the companies to make non-essential cookies consent-based, allow refusal at the first interaction level, and provide clearer cookie information.
These rulings confirmed that Section 205 consent must be interpreted in line with GDPR standards.
How Finland Compares to Other Nordic Countries
Finland's dual-regulator model sets it apart from its Nordic neighbours. Sweden places all cookie oversight under the Swedish Authority for Privacy Protection (IMY). Denmark's Datatilsynet handles both ePrivacy and GDPR cookie matters. Estonia consolidates regulation under its Data Protection Inspectorate (AKI).
| Country | ePrivacy Authority | GDPR Authority | Key Cookie Law |
|---|---|---|---|
| Finland | Traficom | Data Protection Ombudsman | Act on Electronic Communications Services, s.205 |
| Sweden | IMY | IMY | Electronic Communications Act (LEK) |
| Denmark | Datatilsynet | Datatilsynet | Cookie Order (Cookiebekendtgørelsen) |
| Estonia | AKI | AKI | Electronic Communications Act |
The practical outcome for website owners is the same across all four countries: prior opt-in consent is required for non-essential cookies, and the consent standard aligns with the GDPR.
Compliance Checklist for Finnish Cookie Requirements
Use this checklist to verify your website meets Finnish cookie rules:
- Audit your cookies - Run a full cookie scan to identify every cookie and tracker on your site, including those set by third-party scripts
- Classify correctly - Only session-critical cookies qualify as strictly necessary; analytics and marketing cookies always need consent
- Implement opt-in consent - Display a cookie banner that collects affirmative consent before any non-essential cookies fire
- Equal accept and reject options - Rejecting cookies must be equally prominent and require the same number of clicks as accepting
- Provide granular choices - Allow users to consent to individual cookie categories rather than forcing an all-or-nothing choice
- Disclose cookie details - List each cookie's name, purpose, duration, and whether data is shared with third parties
- Store consent records - Retain proof of consent for five years, as Traficom recommends
- Enable easy withdrawal - Users must be able to revoke consent at any time, as simply as they gave it
- Integrate Google Consent Mode - If you use Google services, configure Consent Mode v2 to respect user choices
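The audit and classification steps of the checklist can be checked mechanically. The JavaScript below is an added example, not code from the original article or from any regulator: it parses `Set-Cookie` headers captured on a first page load, before any banner interaction, and reports every cookie that is not strictly necessary and has no consent for its category. The category patterns come from the table above; the sample headers, the `promo_seen` cookie and all function names are constructed for illustration.

```javascript
// Inventory built from the article's category table (assumption: a real site
// maintains its own list). Patterns allow suffixed names such as _pk_id.1.ab12.
const INVENTORY = [
  { match: /^PHPSESSID$/, category: "strictly_necessary" },
  { match: /^pll_language$/, category: "functional" },
  { match: /^_ga(_|$)|^_pk_(id|ses)(\.|$)/, category: "analytics" },
  { match: /^(_fbp|_gcl_au)$/, category: "marketing" },
];

// Parse one Set-Cookie header into its name and validity period in days
// (null = session cookie). Max-Age takes precedence over Expires.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let validityDays = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age") { validityDays = Math.ceil(Number(val) / 86400); break; }
    if (key === "expires") validityDays = Math.ceil((Date.parse(val) - now) / 86400000);
  }
  return { name, validityDays };
}

// Anything not in the inventory is "unclassified", never assumed necessary.
function classify(name) {
  const hit = INVENTORY.find((entry) => entry.match.test(name));
  return hit ? hit.category : "unclassified";
}

// Report cookies set without consent for their category.
function auditPreConsent(headers, consented = [], now = Date.now()) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .map((c) => ({ ...c, category: classify(c.name) }))
    .filter((c) => c.category !== "strictly_necessary" && !consented.includes(c.category))
    .map((c) => ({ ...c, finding: c.category === "unclassified" ? "not in inventory" : "set without consent" }));
}

// Constructed sample: headers seen on first load, before any banner click.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.1.111.222; Max-Age=63072000; Path=/",
  "_pk_id.1.1fff=aaa.bbb; Max-Age=33955200; Path=/",
  "pll_language=fi; Max-Age=31536000; Path=/",
  "promo_seen=1; Max-Age=86400; Path=/",
];
console.table(auditPreConsent(SAMPLE_HEADERS));
```

A clean pre-consent load returns an empty array; the `validityDays` value is the validity period the banner has to disclose for each cookie.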
Frequently Asked Questions
Does Finland require cookie consent for analytics cookies?
Yes. Under Section 205 of the Act on Electronic Communications Services, analytics cookies such as _ga or _pk_id require prior opt-in consent because they are not strictly necessary to deliver a service the user requested.
Who enforces cookie rules in Finland?
Traficom enforces the ePrivacy-related cookie rules under Section 205, while the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) enforces the GDPR. Both authorities may be involved if cookies process personal data.
Can I rely on browser settings for cookie consent in Finland?
No. The Deputy Data Protection Ombudsman ruled in 2020 that directing users to browser settings does not constitute valid consent. You must collect consent through an active opt-in mechanism on your website.
How long must I store cookie consent records in Finland?
Traficom recommends retaining consent records for five years to demonstrate that valid consent was obtained.
Is rejecting cookies allowed to require more clicks than accepting?
No. Both Traficom and the Helsinki Administrative Court have confirmed that refusing non-essential cookies must be as easy as accepting them. A reject option must appear at the same level as the accept button.
Do Finnish cookie rules apply to websites outside Finland?
If your website targets Finnish users or processes data of people in Finland, Finnish regulations and the GDPR apply regardless of where your servers or business are located.