Sun, Sep
66 New Articles

Stricter Rules for Cookies in the Czech Republic from 2022

Stricter Rules for Cookies in the Czech Republic from 2022

Czech Republic
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Czech Chamber of Deputies approved an amendment to Act No. 127/2005 Coll., on Electronic Communications (hereinafter referred to as the “ECA”), after the Czech Senate returned it earlier. The purpose of this amendment is primarily to harmonise Czech legislation with the European Electronic Communications Code. However, the amendment will also affect other areas that are not directly related to the Code. One of the most significant changes will affect anyone who operates a website or mobile application and uses statistical, analytical or advertising tools. The change is to move from the current opt-out principle for the use of cookies and similar tracking technologies to an active user consent regime, the so-called opt-in regime.

Briefly on cookies

Cookies are small text file that are stored on the user's device and are used, for example, to ensure the technical functioning of website. Without them, it would be much more difficult to know that a user browsing the web is still the same user. Otherwise, the website would “forget” this information with each reload, which would make it difficult, for example, to add items to the shopping cart, which would be emptied each time the user moved to another page.

In addition, cookies can also be used for statistical and analytical purposes, specifically, for example, to measure traffic, track how users click through the pages of a website, and even how they move their mouse cursor around the page.

However, cookies are also widely used for marketing purposes, as they can be used to associate information about what a user is browsing and what they are likely to be interested in. He or she is then shown advertisements on various websites that correspond to the pages they visited in the past. So, if you were choosing a destination for your summer vacation, it is likely that you will be seeing offers from travel agencies or travel insurance on other sites.

Current legal framework

The legal regulation of cookies is contained in Section 89(3) of the ECA and is based on the European ePrivacy Directive. However, it does not apply only to the use of cookies but applies generally to any technology that can store data on or read information from user's device. The most typical example is cookies stored on the user's device. Other technologies such as web beacons, tracking pixels or web trackers use, for example, a 'device fingerprint', which does not store any data on the user's device, but identifies the user by reading data such as the operating system, screen resolution, browser label or language setting from the user's device. As the legal framework does not differ for these technologies, we will include them under the term cookies in the following section of this article for simplicity.

According to the current wording of the ECA, the owner of a website or mobile application is obliged to "inform subscribers or users in advance of the scope and purpose of their processing in a demonstrable manner". As a result of this legislation, websites in the Czech Republic display so-called cookie bars that warn about the use of cookies, sometimes those information are provided in the footer of the website or are available on a separate subpage as a cookie policy.

However, the website owner is also obliged to offer users "the possibility to refuse such processing". We refer to this as an opt-out regime and it consists in the fact that the use of cookies. Therefore, the measurement of traffic and tracking of the user's movements on the website is possible until the user expresses his or her disagreement. According to the draft recommendation of the Czech Office for Personal Data Protection, it is possible to express consent with the use of cookies, and in our opinion also to express possible opt-out, through the settings of the web browser. In simple terms, if you do not want cookies to be used on the website you are viewing, change settings of your browser.

It should be added that this regime is not in line with the amended wording of the ePrivacy Directive, which has abandoned the opt-out regime since 2009 and introduced the obligation to obtain user’s active consent to the use of cookies. Now, the Czech legislator reacts belatedly to this amendment of the directive by amending the ECA.

Changes from 2022

The forthcoming amendment to the ECA introduces the obligation to obtain the user's prior provable active consent to the scope and purpose of processing for the use of cookies from 1 January 2022. We are talking here about the opt-in regime, where the use of cookies can only be activated on the basis of an active act (consent) of the user. Cookies cannot be used before consent is given.

There are several exceptions to the need for consent to use cookies, but these are defined quite narrowly. These include situations where the use of cookies is necessary for technical storage or for the provision of a service that is provided at the user's request, i.e. it is not an ancillary service that is not requested by the user. The fact that cookies are necessary for the provision of a service means, among other things, that the use of cookies is limited in time to the provision of the service in question. The line between when cookies are necessary for the provision of a service and when they are no longer necessary may be unclear in some cases and will depend on the nature of the service provided. However, statistical and analytical tools do not generally fall within the exceptions.

As it follows from the above-described changes introduced by the amendment to the ECA, the passivity of the user will not be desirable in most cases from 2022, or certainly not sufficient, but on the contrary, it will be necessary to obtain the active consent to the use of cookies. Until this consent is granted, it will not be possible to store cookies or activate other technologies, unless one of the exceptions applies.

In addition, consent to the use of cookies should be of the quality required by the GDPR. In particular, there is a requirement for voluntary consent, which should not be enforced by blocking access to the website or otherwise making it difficult to use the website in order to force the user to give consent. Consent should be informed, i.e. it should be clear what its content is and what the data collected will be used for. Today's often very general formulations of 'I agree to the use of cookies' in the Czech Republic will no longer be sufficient. Similarly, consent should be expressed by an unambiguous expression of will, and this should put an end to the current practice whereby consent is given, for example, by continuing to browse a website - this does not constitute an unambiguous act by the user to consent to the use of cookies. It is also the case that giving consent should be as simple as withdrawing it.

Impacts and practical recommendations

The amendment, once signed by the President, is expected to take effect on 1 January 2022, so it is advisable to start preparing for the change right now. It affects anyone in the Czech Republic who operates a website or mobile app and uses tools to track traffic or target ads, and its implementation could represent a fairly significant disruption to existing websites and impact online marketing.

The first step to do is to identify all the tools used on websites that use cookies or other similar technologies and to find out what they are used for. Based on this, it is then necessary to decide whether it is necessary to obtain user consent. If so, existing cookie bars will need to be modified from opt-out to opt-in mode. At the same time, the correct storage period for each cookie needs to be set. Various solutions are available on the market that promise to meet the requirements of the new legislation. However, attention should be paid to its specific settings. Even the best tool may not ensure compliance with the new legislation if, for example, it is set up in such a way as to enforce consent.

In order to comply with the GDPR's requirement to provide informed consent, website and mobile app owners will also need to create cookie policy containing a clear description of what each cookie is used for and make this policy easily accessible to users.

In the context of screening individual tools used on the web, we also recommend addressing the issue of personal data transfers to countries outside the European Union or the European Economic Area, which are often closely linked to usage abovementioned web tools. Following the decision Schrems II ruled by the CJEU, this area is increasingly in the crosshairs of the Czech Data Protection Authority and foreign supervisory authorities. Non-profit organisations are also trying to initiate authorities’ activity, of which probably the most active, the Max Schrems’s nyob, has sent dozens of complaints against controllers and processors to supervisory authorities across the European Union.

The amendment to the ECA thus catches up with the European standard in approaching cookies, but this means a significant tightening of the previously benevolent rules. In this context, it is worth mentioning that in the future, both the ePrivacy Directive and the relevant provisions of the ECA should be replaced by the ePrivacy Regulation[9], which in its current proposal contains similar provisions but allows, for example, the use of certain cookies for statistical purposes without consent. However, the approval of this Regulation has already been postponed several times, and in the meantime the amended ECA must be followed in the Czech Republic.

By Michal Nulicek, Partner, Jan Tomisek, Managing Associate, and Filip Benes, Junior Lawyer, Rowan Legal