Briefly on cookies
Cookies are small text file that are stored on the user's device and are used, for example, to ensure the technical functioning of website. Without them, it would be much more difficult to know that a user browsing the web is still the same user. Otherwise, the website would “forget” this information with each reload, which would make it difficult, for example, to add items to the shopping cart, which would be emptied each time the user moved to another page.
In addition, cookies can also be used for statistical and analytical purposes, specifically, for example, to measure traffic, track how users click through the pages of a website, and even how they move their mouse cursor around the page.
However, cookies are also widely used for marketing purposes, as they can be used to associate information about what a user is browsing and what they are likely to be interested in. He or she is then shown advertisements on various websites that correspond to the pages they visited in the past. So, if you were choosing a destination for your summer vacation, it is likely that you will be seeing offers from travel agencies or travel insurance on other sites.
Current legal framework
Changes from 2022
Impacts and practical recommendations
The amendment, once signed by the President, is expected to take effect on 1 January 2022, so it is advisable to start preparing for the change right now. It affects anyone in the Czech Republic who operates a website or mobile app and uses tools to track traffic or target ads, and its implementation could represent a fairly significant disruption to existing websites and impact online marketing.
In the context of screening individual tools used on the web, we also recommend addressing the issue of personal data transfers to countries outside the European Union or the European Economic Area, which are often closely linked to usage abovementioned web tools. Following the decision Schrems II ruled by the CJEU, this area is increasingly in the crosshairs of the Czech Data Protection Authority and foreign supervisory authorities. Non-profit organisations are also trying to initiate authorities’ activity, of which probably the most active, the Max Schrems’s nyob, has sent dozens of complaints against controllers and processors to supervisory authorities across the European Union.
The amendment to the ECA thus catches up with the European standard in approaching cookies, but this means a significant tightening of the previously benevolent rules. In this context, it is worth mentioning that in the future, both the ePrivacy Directive and the relevant provisions of the ECA should be replaced by the ePrivacy Regulation, which in its current proposal contains similar provisions but allows, for example, the use of certain cookies for statistical purposes without consent. However, the approval of this Regulation has already been postponed several times, and in the meantime the amended ECA must be followed in the Czech Republic.
By Michal Nulicek, Partner, Jan Tomisek, Managing Associate, and Filip Benes, Junior Lawyer, Rowan Legal