IT-IP LAW NEWS

Regulation of Cookie banners in the Czech Republic



Indirizzo copiato

In March 2023 the Czech Data Protection Office issued a guidance on “best practice” with regard to using cookie banners on one’s website page

Pubblicato il 19 set 2023

Lenka Čížková

LL.M. Attorney



linee guida cookie garante privacy

As of 1 January 2022, an amendment to the Electronic Communications Act (Act No. 127/2005 Coll.) became effective, which significantly changed the rules which Czech website operators have to follow in relation to cookies. Subsequently the Czech Data Protection Office issued at its webpage a guidance (which includes also answers to FAQs).

What are the changes about?

Until 31 December 2021, the legal regulation of cookies in the Czech Republic was based on the so-called opt-out principle, i.e. storing cookies on the device and accessing information from the device was possible on the condition that the user was informed thereabout and at the same time was given the opportunity to refuse such processing. Until 31 December 2021, the website operator was thus only obliged to inform the user to what extent and for what purposes cookies were collected, which was regularly done through cookie banners, information in the footer of the page or information on a separate page on the website.

    With the new amendment to the Electronic Communications Act, however, the collection of cookies is based on the so-called opt-in principle, i.e. on the opposite principle to the one that applied until the end of 2021. This change makes it mandatory for website operators to obtain prior consent from users to collect cookies, and without such consent, cookies cannot be collected from the users.

    Guidance by the Czech Data Protection Office

    To that end in March 2023 the Czech Data Protection Office issued a guidance on “best practice” with regard to using cookie banners on one’s website page. From the guidance and published FAQs the following pointers can be summarized:

    • As the use of cookies, through which the website operator monitors or directs the user’s behaviour on the website, generally constitutes the processing of personal data, primarily it is necessary to clearly define the purpose of the cookies in order to correctly determine the legal basis for their processing.
    • Based on the purpose the relevant types of cookies can be distinguished, i.e.
      • technical cookies” which are necessary for the actual operation of the website and which do not require the user’s consent, or
      • non-technical cookies” which are designed to track traffic, analyse the preferences of visitors, e.g. for marketing purposes, etc. and which require the user’s consent,
    • Despite the type of cookies (technical or non-technical), still the information obligation towards the users have to be complied with by the website operator. This includes a clear identification of the data controller, the purpose and legal basis for the use of cookies, any legitimate interests, the recipient of the personal data, the intention to transfer the personal data to a third country or an international organisation and the contact details of the Data Protection Officer (if applicable). Furthermore, the data subjects (users)have to be informed about the period of storage of personal data, the rights of access, rectification, erasure, portability and objection to processing, the possibility to withdraw consent at any time and to lodge a complaint with the supervisory authority. It should also indicate whether the provision of personal data is a legal or contractual requirement or a requirement to be included in a contract, and whether automated decision-making, including profiling, takes place. This information obligation must be fulfilled in an accessible and comprehensible manner using plain language. Therefore, the requirement of an accessible and comprehensible manner cannot be considered to be met if e.g.:
      • the user has to access the information in a complicated way by ‘clicking’ through a number of pages or
      • if the information on the website in the Czech language (i.e. intended for Czech-speaking visitors) about the processing of personal data through cookies is not also published in the Czech language. In other words the information targeted at Czech users shall be (always) in the Czech language.
    • If a website uses only technical cookies and not non-technical cookies, there is no need to introduce a “cookie banner” (i.e. an application that contains information about the cookies used and which allows the user to give or refuse consent), but it is still necessary to comply with the information obligation towards data subjects (as described above) by placing a link with a document containing the prescribed information in a visible place on the website.
    • In case of non-technical cookies a consent via the cookie banner is required, in which case the button for granting the consent must be placed within the cookie banner to opt-out of non-technical cookies so that any consent is given without coercion and the user is not influenced in his/her choice (i.e. it should be as easy to opt-out as to opt-in). A cookie banner setup that meets this requirement shall place the consent and non-consent buttons on the same layer of the cookie banner and, as an example of good practice, the non-consent button shall be placed on the first layer of the cookie banner (on a par with consent and with a comparable visual design). In this context a pre-set consent in the browser cannot be considered as legitimate consent and active user action (e.g. clicking on the consent button) is required.
    • The cookie banner shall further bear an appropriate design in terms of readability and accessibility of the content of the website (in particular, documents relating to information to be disclosed to data subjects and the exercise of their rights). The cookie banner may not prevent interaction with the website even if the visitor has not yet chosen any of the options regarding consent to cookies. Therefore, if the banner is located in the middle of the browser window, it should contain an element to easily close the bar without selecting a specific response.
    • Non-technical cookies can only be activated after consent has been given. If the data subject has not actively consented to the cookies (i.e. if he or she has either selected the “opt-out” option, or if he/ she has closed the bar by clicking on the button provided for this purpose, or if he/she has “done nothing”), it is necessary to leave the non-technical cookies deactivated.
    • With regard to the consent/non-consent button, the design and colour of the buttons should be chosen in such a way that the data subject is free to decide whether or not to give consent. For example, the ‘I agree’ button should not be significantly larger or more colourful than the ‘I refuse’ button. If the opt-out button is less visible or identifiable, it could be overlooked by the data subject and the consent given would not be considered free. At the same time, the colours of the buttons should be chosen to respect the generally accepted meaning of these colours.
    • The period for which consent is granted, as well as the period for the re-display of the cookie banner in the event of refusal to give consent, must be determined by the controller in the light of the purpose for which the personal data are processed and, at the same time, the expectations of the data subjects. In general, 12 months shall be considered as a reasonable period for which consent to the use of cookies has been given. If the user has refused to give consent, consent should not be required again for at least 6 months from the last time the cookie banner was viewed. This period may be shorter if:
    • one or more of the processing circumstances have changed significantly, i.e. there is a completely new setting of the cookie banner and/or the purposes of the processing, or a change where it can be assumed that a user who refused to give consent would be able to give it again (e.g. a significant reduction in the number of controllers and processors etc.),
      • the web operator is unable to keep track of the previous consent/non-consent (e.g. the user has deleted cookies stored on his/her device).
    • As consent to the processing of personal data through cookies is granted for a specific purpose and to specific subjects (controllers), a change to individual cookies cannot be considered a significant change to the processing. In this context, it should be noted that if there is a significant change to the processing which would also affect users who have previously consented to the processing of personal data, it will be necessary to reapply for consent towards these user in relation to this new processing.

    The Czech Data Protection Office regularly amends the already published FAQs in order to further address most frequent queries/issues raised by the website operators.

    Controls executed by the Czech Data Protection Office

    After first 6 months of this new legislation the Czech Data Protection Office summarized in its press release (i.e. in June 2022) the main shortcomings identified during inspections being:

    • Use of non-technical cookies without consent
    • Disproportionately long validity of cookies in relation to their purpose
    • Absence of an option for expressing non-consent with the use of non-technical cookies in the first layer of the cookie banner
    • Poor or incorrect categorisation of cookies
    • Absence of information on the specific cookies used
    • Difference in the visibility of the buttons for agreeing and disagreeing to the use of non-technical cookies
    • Information about cookies in a foreign language
    • Cookie banner makes it difficult or impossible to read the website

    The Chairman of the Czech Authority declared that in the first half of the year (i.e. until 30 June 2022), it gave operators time to adapt to the new legislation. But after that date, on the Authority’s own initiative, they are monitoring compliance and approaching data controllers who are in breach of the legislation in this area to take remedial action. If this is not done, sanctions of primarily financial nature will follow.

    From the recently released Annual Report of the Data Protection Office for the year 2022, the Office stated that “as to date 39 in-depth analyses of cookies have been carried out by 24 data controllers, 13 infringement proceedings have been initiated for a total of CZK 1 384 000 (i.e. 60,000€) and one proceedings has been finally terminated with a fine of CZK 26 000 (i.e.1,130€). The in-depth analyses examine the consent settings and the fulfilment of the information obligation, as well as the behaviour of cookies used on individual websites, or whether they behave in the way declared by the controller.”  

    Based on the above therefore rather „symbolic fines“ have obviously been imposed so far, but since the legislation becomes more and more established, stricter approach from the Authority can be expected. Thus from the legal perspective it is the highest time to adapt to the new legislation, if not already done.

    EU Stories - La coesione innova l'Italia

    Tutti
    Iniziative
    Analisi
    Iniziative
    Parte la campagna di comunicazione COINS
    Analisi
    La politica di coesione europea: motore della transizione digitale in Italia
    Politiche UE
    Il dibattito sul futuro della Politica di Coesione
    Mobilità Sostenibile
    L’impatto dei fondi di coesione sul territorio: un’esperienza di monitoraggio civico
    Iniziative
    Digital transformation, l’Emilia-Romagna rilancia sulle comunità tematiche
    Politche ue
    Fondi Coesione 2021-27: la “capacitazione amministrativa” aiuta a spenderli bene
    Finanziamenti
    Da BEI e Banca Sella 200 milioni di euro per sostenere l’innovazione di PMI e Mid-cap italiane
    Analisi
    Politiche di coesione Ue, il bilancio: cosa ci dice la relazione 2024
    Politiche UE
    Innovazione locale con i fondi di coesione: progetti di successo in Italia
    Iniziative
    Parte la campagna di comunicazione COINS
    Analisi
    La politica di coesione europea: motore della transizione digitale in Italia
    Politiche UE
    Il dibattito sul futuro della Politica di Coesione
    Mobilità Sostenibile
    L’impatto dei fondi di coesione sul territorio: un’esperienza di monitoraggio civico
    Iniziative
    Digital transformation, l’Emilia-Romagna rilancia sulle comunità tematiche
    Politche ue
    Fondi Coesione 2021-27: la “capacitazione amministrativa” aiuta a spenderli bene
    Finanziamenti
    Da BEI e Banca Sella 200 milioni di euro per sostenere l’innovazione di PMI e Mid-cap italiane
    Analisi
    Politiche di coesione Ue, il bilancio: cosa ci dice la relazione 2024
    Politiche UE
    Innovazione locale con i fondi di coesione: progetti di successo in Italia

    Articoli correlati

    Articolo 1 di 4