When visiting almost any Czech website, small files called cookies are stored in our browsers to identify visitors to the website. Cookies are then used to process the visitor’s personal data. With effect from 1 January 2022, an amendment to the Act on Electronic Communications came into force, which makes it mandatory for website operators to store cookies only with active consent from the visitors.

The main types of cookies are functional, marketing, analytical and preference cookies. Basic cookies, i.e. functional cookies, are responsible for the basic functions of the website (e.g. storing items in the e-shop basket, remembering the last article read, etc.). They are necessary for proper functioning of the website. Marketing cookies are used to target ads better (for example remarketing, i.e. reaching a user, who has already visited your website, on a different channel through a paid ad) and to personalize them). Analytical cookies allow tracking visits to websites and applications, as well as tracking how many users have clicked on a link on a website or used one of its features. Typically, these are visitor-rate statistics like Google Analytics. Preference cookies allow your website to remember the given user’s preferences and to adapt to him/her. This ensures comfortable use of the site that remembers language, currency and other user preferences.

The processing of personal data of website visitors is regulated within the European Union by the Directive on privacy and electronic communications, which requires website operators to obtain consent from website visitors to use cookies (the so-called opt-in principle). The only exceptions are functional cookies that are necessary for the proper functioning of the website.

In the Czech law, however, the requirement for consent was not formulated precisely and was often interpreted by website operators and professionals as an opt-out principle, i.e. “what I do not explicitly refuse, I get”. With the approval of the amendment to the Electronic Communications Act, any ambiguity is removed with effect from 1 January 2022 – website administrators can only collect personal data of visitors to these websites on the basis of their demonstrable consent (opt-in principle). 

Thus, as of 1 January 2022, the user’s explicit and informed consent is required for cookies to be collected. Upon arriving at the website, the users should be asked what exactly can be collected about them. Subsequently, they must be able to actively choose what information they provide about their activity on the website via cookies. If they choose nothing, only functional cookies, i.e. cookies necessary to ensure the technical functions of the website, can be collected. 

The European Data Protection Board allows the possibility to obtain consent through browser settings, provided that the consent meets the requirements of the General Regulation. According to the board, consent must be free, specific, informed and unambiguous. The user must be able to simply refuse or withdraw consent without any detriment to the user, e.g. that the content of the website is not displayed without consent. At the same time, the user must be provided with accurate and complete information in a clear and comprehensible manner on all relevant issues, such as the nature of the data processed, the purposes of the processing, the recipients, to whom the data may be transferred, or the rights of the data subject. 

Consent should also be structured and granted for each of the intended purposes. The board accentuates here that inaction by the data subject does not constitute unambiguous consent. Therefore, a statement to the effect of “by remaining on the website you consent to the storage of cookies” cannot be considered consent in accordance with the General Regulation.

If you are interested in this topic or you are currently working on cookies for your website, do not hesitate to contact us, we will be happy to help.

Author: Veronika Odrobinová