On 15 September 2021, the Chamber of Deputies outvoted the Senate and adopted an amendment to Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts (the Electronic Communications Act), as amended (hereinafter the “Electronic Communications Act”).
What are cookies?
Cookies are short text files that are stored when you visit a website and can be reloaded the next time you visit the site, so that the next visit to the same website can be easier and more useful for the user. The purpose of storing cookies is, for example, to create targeted advertising, track user behaviour, track the number of visitors to a page, remember ad settings, etc.
Cookies are used as a general term, but on websites we can also distinguish pixel tags, which allow to track the user’s device and personalise the website, as well as web beacons, fingerprinting and plug-ins.
Cookies are divided into technical or essential cookies, without which the website would not function, and other cookies, such as marketing or analytical cookies.
The user’s consent is not required for the use of technical cookies even under the opt-in principle, but the user’s consent will be required for the use of other cookies.
The above technologies are not only used on websites but are also found in mobile applications. It is therefore necessary to legally regulate the use of not only cookies but also other tracking tools, both on websites and in apps.
Current legislation on cookies
Legal regulation of cookies after the amendment to the Electronic Communications Act
The basis for giving consent to the processing of cookies should be the cookie banner (cookie window or bar), which informs the user about the existence of cookies and the need to give consent to use the website. The cookie banner should have several levels in which it is possible to select the purposes for which the user agrees to the processing of cookies and to whom the information can be passed on.
At the same time, it should be pointed out that the cookie banner must be really effectively set to respect the settings of the user’s choice and functionally create records (logs or other data) to prove the user’s information and especially to prove his active consent. Such solutions must not be designed in a fake way or, by their dimensions, features or visualisation, force the user to give the broadest possible consent or even make the use of the site conditional on consent.
Relationship to GDPR and consent rules
- free, in particular, it must be as easy to withdraw as to grant consent, it must be easy not to grant consent, and there must be no risk of fraud, coercion or other negative consequences if consent is not granted;
- specific, i.e. it must have a clearly defined scope, purpose and consequences;
- knowing and informed, whereby the information must be obtained in a clear and comprehensible manner; and
- explicit or unambiguous.
The amendment to the Electronic Communications Act provides that consent to the processing of cookies must be demonstrable. In practice, consent could be demonstrated during potential inspections by a technical solution for granting consent on websites. Keeping a record of consents is not necessary and not desirable for data protection reasons.
The information component of the consent is very important and care must be taken when informing the website user about the processing of their personal data via cookies.
How to apply the new cookies legislation
First, it is necessary to map the websites and applications that the person operates, as well as any cookies and other tracking tools that are used in their operation.
It is also necessary to decide which of the cookies used are key and desirable to use in the future and to categorise the reasons for their use.
Finally, it is necessary to identify any entities to which the data obtained from the cookies are transferred and to determine whether there is a transfer of personal data outside the European Union.
The initial assessment of the situation as described above should be followed by the treatment of the relationship with the persons to whom the cookie data is transferred, which may be, for example, controllers and processors. In particular, the transfer of data outside the European Union needs to be addressed.
Furthermore, it is desirable to select an appropriate technical solution for obtaining consent to cookies, which will depend on the complexity of the website and then adapt this technical solution to the specific needs of the operator and the website. An interesting solution is, for example, the Cookiebot service (https://www.cookiebot.com/en/).
It is then necessary to prepare the texts for obtaining consent and to create an information document on the processing of cookies, which will be referred to when giving consent.
What to avoid when creating a cookie banner – dark patterns
Dark patterns include the following situations:
- it is not possible to reject cookies in the first query layer,
- a link to another page is placed instead of the option to reject cookies,
- a claim that cookies are processed for legitimate interest,
- inaccurate classification of cookies (for example, cookies are falsely marked as essential),
- difficult withdrawal of consent.
The amendment to the Electronic Communications Act will bring long-awaited changes in the area of cookies and bring the Czech legal system into line with European legislation.
As the amendment will come into force in the area of cookies from 1 January 2022, we recommend not to underestimate the preparation for the new legislation and to regulate the relationships regarding cookies with third parties in time, to solve the transfer of data abroad, to choose a suitable technical solution for the collection of cookie consent and to prepare the consent texts for websites.
If you have any questions regarding this issue or current legislation, please do not hesitate to contact us.
Mgr. Jakub Málek, partner – firstname.lastname@example.org
Kateřina Roučková, legal assistant – email@example.com
29. 10. 2021