
Changes in the area of cookies under the amendment to the Electronic Communications Act

On 15 September 2021, the Chamber of Deputies outvoted the Senate and adopted an amendment to Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts (the Electronic Communications Act), as amended (hereinafter the “Electronic Communications Act”).

The amendment to the Electronic Communications Act brings significant changes, and in this article we would like to focus on the legal regulation of the use of cookies and the processing of personal data.

What are cookies?

Cookies are short text files that are stored when you visit a website and can be reloaded the next time you visit the site, so that the next visit to the same website can be easier and more useful for the user. The purpose of storing cookies is, for example, to create targeted advertising, track user behaviour, track the number of visitors to a page, remember ad settings, etc.

"Cookies" is used as a general term, but on websites we can also distinguish pixel tags, which make it possible to track the user’s device and personalise the website, as well as web beacons, fingerprinting and plug-ins.

Cookies are divided into technical or essential cookies, without which the website would not function, and other cookies, such as marketing or analytical cookies.

The user’s consent is not required for the use of technical cookies even under the opt-in principle, but the user’s consent will be required for the use of other cookies.

The above technologies are not only used on websites but are also found in mobile applications. It is therefore necessary to legally regulate the use of not only cookies but also other tracking tools, both on websites and in apps.

Current legislation on cookies

The Electronic Communications Act was previously based on the so-called opt-out principle and this legislation will apply until 31 December 2021. According to this legislation, storing files on a device or accessing information from a device is possible if the user is informed about it and is given the opportunity to refuse such processing. This means that the user’s passivity is sufficient to use cookies and cookies are used until the user refuses cookies or turns them off.

The Electronic Communications Act is based on Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (hereinafter the “ePrivacy Directive”) as amended until 2009, which was also based on the opt-out principle until then. Currently, the ePrivacy Directive requires user consent (opt-in) for the use of cookies unless one of two exceptions applies: (i) the sole purpose of the cookie is to transmit data, or (ii) the cookie is strictly necessary to provide the service.

Legal regulation of cookies after the amendment to the Electronic Communications Act

From 1 January 2022, the use of cookies will be based on the so-called opt-in principle. The opt-in principle means that storing files on a device or accessing information from a device is only possible if the user gives prior verifiable consent to the scope and purpose of such processing. In contrast to opt‑out, the user’s activity is therefore required and cookies (other than essential cookies, without which the website would not function) can only be used if the user agrees to their use.

The basis for giving consent to the processing of cookies should be the cookie banner (cookie window or bar), which informs the user about the existence of cookies and the need to give consent to use the website. The cookie banner should have several levels in which it is possible to select the purposes for which the user agrees to the processing of cookies and to whom the information can be passed on.

At the same time, it should be pointed out that the cookie banner must actually be configured to respect the user’s chosen settings and must functionally create records (logs or other data) to prove that the user was informed and, especially, that the user gave active consent. Such solutions must not be designed as a mere pretence or, by their dimensions, features or visualisation, force the user to give the broadest possible consent or even make the use of the site conditional on consent.

Relationship to GDPR and consent rules

The amendment to the Electronic Communications Act deals with consent to the use of cookies and aims to protect users from interference in their private sphere, regardless of whether this interference relates to personal or other data.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”) regulates the subsequent consent to further processing of personal data obtained through cookies as identifiers of a natural person. It is technically possible to set up the website in such a way that obtaining consent to the use of cookies and obtaining consent to the subsequent processing of personal data are combined in a single step.

Consent to the use of cookies must comply with the requirements of the GDPR and must therefore be:

  • freely given; in particular, it must be as easy to withdraw as to grant consent, it must be easy not to grant consent, and there must be no risk of fraud, coercion or other negative consequences if consent is not granted;
  • specific, i.e. it must have a clearly defined scope, purpose and consequences;
  • knowing and informed, whereby the information must be obtained in a clear and comprehensible manner; and
  • explicit or unambiguous.

The amendment to the Electronic Communications Act provides that consent to the processing of cookies must be demonstrable. In practice, consent could be demonstrated during potential inspections by a technical solution for granting consent on websites. Keeping a record of consents is not necessary and not desirable for data protection reasons.

The information component of the consent is very important and care must be taken when informing the website user about the processing of their personal data via cookies.

How to apply the new cookies legislation

First, it is necessary to map the websites and applications that the person operates, as well as any cookies and other tracking tools that are used in their operation.

It is also necessary to decide which of the cookies used are key and desirable to use in the future and to categorise the reasons for their use.

Finally, it is necessary to identify any entities to which the data obtained from the cookies are transferred and to determine whether there is a transfer of personal data outside the European Union.

The initial assessment of the situation as described above should be followed by settling the relationships with the persons to whom the cookie data is transferred, which may be, for example, controllers and processors. In particular, the transfer of data outside the European Union needs to be addressed.

Furthermore, it is desirable to select an appropriate technical solution for obtaining consent to cookies, which will depend on the complexity of the website, and then to adapt this technical solution to the specific needs of the operator and the website. An interesting solution is, for example, the Cookiebot service (https://www.cookiebot.com/en/).

It is then necessary to prepare the texts for obtaining consent and to create an information document on the processing of cookies, which will be referred to when giving consent.

For the sake of clarity, we recommend creating one comprehensive information document that contains both the cookie policy and information about the processing of personal data on the website.

What to avoid when creating a cookie banner – dark patterns

Dark patterns are settings that are intended to make it easier for the website operator to obtain consent for the use of cookies and are in most cases illegal.

Dark patterns include the following situations:

  • it is not possible to reject cookies in the first query layer,
  • a link to another page is placed instead of the option to reject cookies,
  • the consent to use cookies is pre-ticked,
  • a claim that cookies are processed for legitimate interest,
  • inaccurate classification of cookies (for example, cookies are falsely marked as essential),
  • difficult withdrawal of consent.

Conclusion

The amendment to the Electronic Communications Act will bring long-awaited changes in the area of cookies and bring the Czech legal system into line with European legislation.

As the amendment will come into force in the area of cookies from 1 January 2022, we recommend not underestimating the preparation for the new legislation: regulate the relationships regarding cookies with third parties in time, resolve the transfer of data abroad, choose a suitable technical solution for the collection of cookie consent, and prepare the consent texts for websites.

 

If you have any questions regarding this issue or current legislation, please do not hesitate to contact us.

 

 

Mgr. Jakub Málek, partner – malek@plegal.cz

Kateřina Roučková, legal assistant – rouckova@plegal.cz

 

www.peytonlegal.en

 

29. 10. 2021