


Cookie bar compliance in the Czech Republic: call for alignment!


published on 21 November 2022 | reading time approx. 4 minutes


In the aftermath of the rather worrying results of a first monitoring activity carried out by the Czech DPA (during Q2 of 2022), website operators must now take affirmative steps to align with the regulation on the use of non-technical cookies.

The Czech regulation regarding cookies (§ 89(3) of Act No. 127/2005 Sb. on Electronic Communications) has recently been updated to ensure full alignment with the consent requirement of the ePrivacy Directive (Directive 2002/58/EC), to be read in conjunction with the GDPR.

Prior to the change, the consent requirement was not precisely formulated, leading to interpretations on the part of website operators still steeped in a mere opt-out perspective and hence resulting in violations of the law in practice. 

As of the 1st of January 2022, with the entry into force of the amendment to the Electronic Communications Act (Amendment Act No. 374/2021 Sb.), the ambiguities have been (finally) resolved and now the law expressly mandates that operators may store data or gain access to data stored in visitors’ devices based on their previous, verifiable and positive consent regarding the scope and the purpose of their processing.

The only cookies excluded from the so-called opt-in requirement are technical cookies which are necessary for the transmission via electronic communications networks or operation of the websites, applications or other information society services.

The consent also needs to meet all requirements of the GDPR and the local personal data processing law (Act No. 110/2019 Sb.). In particular, it should be free, specific, informed and unambiguous and, of course, demonstrable.

In view of this change in legislation, the Czech DPA (Úřad pro ochranu osobních údajů – ÚOOÚ) announced in its control plan its intention to focus its supervisory activity in 2022, among other things, on compliance with the new cookie regulation.

The findings of a first preliminary monitoring activity by the DPA (ÚOOÚ) showed a considerable number of shortcomings that, as a result, violate the protection of personal data, such as:
  • the use of non-technical cookies without consent;
  • disproportionate validity;
  • missing or insufficient information on the purposes and scope of the storing or the access; 
  • misclassification of cookies;
  • absence of a real choice for expressing disagreement with the use of non-technical cookies in the first layer of the cookie bar. 

Regardless, at least in this initial implementation phase, the DPA gave operators space to adapt to the changes, contacting administrators and seeking redress. In line with this approach, a set of FAQs was published to guide operators in implementing the changes correctly, also in line with the relevant EDPB guidelines on consent under GDPR (05/2020).

It is highly doubtful that the DPA will maintain this leniency any further, and hence consequences in terms of (financial) sanctions are to be expected in the course of the control activities in the coming year. Website operators are therefore called upon to ensure compliance.

In practice, cookie banners (a "pop-up" bar and the associated technical system) are usually used as the basic tool for obtaining consent. To guarantee compliance, the banner needs to give users a simple and clear option to choose whether or not to consent to the relevant category of cookies, without any limitation of the availability of the content of the website. User activity is required (e.g. clicking on the consent button), whereas simple scrolling or pre-set consent in the browser (pre-clicked boxes) does not meet the requirement.

Moreover, the data subject must be provided with sufficient and comprehensible information about the purpose of the processing for which the personal data are intended, who will process them, for how long and whether the data will be transferred to other subjects or to third countries.

Finally, the technical system should record such consent or withdrawal of consent (creating a log or other data record) in order to be able to demonstrate compliance with the above-mentioned requirements subsequently. The logging of data on the use of cookies is necessary to ensure that the legal obligations are fulfilled.

Authors:
Alice Meier - Associate
