


Cookie Compliance still under the radar of the Czech DPA


published on 24 March 2023 | reading time approx. 3 minutes


Despite considerable information campaigns and an initially more cautious approach on the part of the controlling authorities, non-compliance with the statutory requirements on the use of non-technical cookies in respect of the digital rights of users is still quite widespread in the Czech digital environment.


As is well known, the use of cookies is an area of overlap between the General Data Protection Regulation ("GDPR") and the ePrivacy Directive (2002/58/EC).


As a result, website operators face the challenge of arranging the cookie settings on their websites not only to comply with the principles of data protection, but also to meet the requirements of the national implementation of the ePrivacy Directive.


In the Czech Republic, the legal requirements for the use of cookies were updated at the beginning of 2022 in order to fully comply with the consent requirement of both the GDPR and the ePrivacy Directive.


The results of the first inspection activity of the Czech data protection authority (“DPA”) have revealed a considerable number of deficiencies.


These findings led the Czech DPA to publish guidelines on cookie compliance. Recently the guidelines were updated once again to reflect further discrepancies that emerged during the control activities of the DPA.


Recent developments by the EDP on consent and on non-compliant settings of cookie banners were specifically taken into account in the update of the guidelines.


Based on the updated guidelines, valid consent must have a number of characteristics in order to be compliant with the statutory requirements.


First of all, the DPA clarifies that active user activity is required and that pre-set consent and implicit consent by scrolling are not sufficient.


Moreover, the consent, once given, can be revoked by the data subjects at any time. Accordingly, data controllers need to technically enable users to change their mind about their initial consent (for example through a button on the cookie banner).


The DPA also identified certain manipulative settings, to be avoided in order to allow the data subjects to freely decide whether to give consent or not. 


For example, the colours of the buttons “accept all” and “reject all” should be designed in such a way that the user is not influenced in his or her choice.


Moreover, the size of the consent button should not be significantly larger, and the process for refusing consent should not be comparatively harder than the one for agreeing to the use of cookies.


Another important aspect is the identification of a reasonable time for the storage of the consent to the processing of personal data via cookies and of the moment in time when the consent needs to be requested again in case of refusal. 


According to the Czech DPA, 12 months can be considered a reasonable period of time for a consent to be regarded as validly granted, whereas the user should not be required to give consent again for at least 6 months after the refusal.


A shorter period of time for a new request for consent can be considered if the circumstances of the processing have changed significantly (such as the successive exclusion of extra-EU data transfers).


In general, the period during which consent to the processing of personal data via cookies is validly granted, as well as the period for re-displaying the cookie bar in case of refusal, should be determined by the controller, taking into account the purpose for which personal data is processed and the expectations of the data subjects.


The re-display of the cookie bar should not interfere with the user's use of the website, meaning that the user should not be "stalked" into giving consent. 


Authors:
Lenka Hanková - Senior Associate
Alice Meier - Associate
