The Personal Data Protection Office (PDPO) has issued rules for the use of cookie bars and for giving consent to the use of cookies, which is usually associated with the processing of personal data. Although the obligation to obtain consent with the use of certain types of cookies has been in place for more than a year, not all websites meet the required parameters.

Website administrators use two types of cookies, technical and non-technical. Technical cookies are necessary for the actual functioning of the website and do not require the consent of the website user. The obligation to inform about their use is maintained, however.

The situation is more complicated with non-technical cookies, which are used, among other things, to track traffic or analyse the preferences of their visitors for other, e.g. marketing purposes. Here, active consent of the website user with their use is already required. Website operators use a cookie bar for this purpose, where consent can be given simply by pressing the appropriate button. It is therefore only by granting it that non-technical cookies can be activated. This means that if you close the bar without further action, you have not given your consent. For the same reason, it is not possible to give general consent to the activation of cookies once for all websites in the browser; consent must be given separately for each website.

Many recommendations revolve around the form of the cookie bar. As an example of good practice, the PDPO cites the placement of buttons for granting and withholding consent in the same visual design in the first layer of the cookie bar. The colour of the buttons is not essential, but the visuals should be such that consent and refusal are equally easy to give.

The consent itself must be renewed from time to time, normally after 12 months in the case of prior consent and 6 months in the case of non-consent. This scope should be determined by the controller himself, taking into account the purpose, for which the personal data are processed, and the expectations of the users.

When it comes to informing users about the cookies used, everything is governed by the requirement of clarity and transparency. The information may be simplified for a better understanding of the issue. However, some cookie bars, for example, already have consent boxes for analytics and marketing cookies ticked when clicked, which clearly contravenes this requirement.

In addition to giving consent, the user should also be able to withdraw the consent given as easily, as he/she had given it. If consent is given via the cookie bar, it cannot be accepted that withdrawal of consent is only possible, for example, by telephone. Ideally, there should be an easily accessible button or link on the website to withdraw consent.

The cookie bar must also not prevent the visitor from interacting with the website and the sharing of its content must in no way be conditional on consent to non-technical cookies.

If you have any doubts regarding about the cookie bar settings on the websites you manage or the obligations associated with the storage of visitors’ personal data, we will be happy to review everything and recommend any adjustments.

Author: Veronika Odrobinová, Olga Králíčková