Edible cookies aside, Christmas came early for Czech’s rising pool of privacy-conscious consumers.

 

On 1st January 2022, the Czech Republic moved to align data privacy regulations with European (per the GDPR) norms to fortify its policy, presenting an added layer of protection to privacy rights.

 

Until the amended Electronic Communications Act (ECA) came into force, consent collection was not required for Czech website owners. Now, the alignment of the ECA with the EU’s General Data Protection Regulation (GDPR) and ePrivacy directive has paved the way for a far less intrusive ‘opt-in’ culture that places the burden of obtaining consent on businesses rather than on the users. 

 

This article gives you the lowdown on essential elements of the new Czech Cookie Act and how to stay compliant.


Summary

 

 

 

Cookie consent and Czech's Cookie Laws

 

Cookie consent simply refers to a user’s decision to allow or refuse the collection of their personal data by cookies. ECA mandates businesses to inform users about their cookies.

 

Most Czech companies use cookie banners either on the headers or footers of their web pages to display information regarding the purpose of the data to be collected or a standalone page educating users about their cookie policy.

 

To date, the laws regulating data protection in the Czech Republic include the Electronic Act (now aligned with the ePrivacy Directive), the General Data Protection Regulation (GDPR), which applies to all member states within the EU, and The Czech Act No.110/2019 on Personal Data Processing; the piece of legislation responsible for aligning extant data protection laws with the GDPR).

 

A quick glance at the 1st January 2022 Czech Cookie Act

 

Didomi - Czech republic

 

Enacted by way of an amendment to the ECA (the Electronic Communications Act) in compliance with the ePrivacy Directive, the amended law addresses salient aspects of cookie consent. Chief among these changes is a legal obligation on websites to obtain consent before collecting data by way of an opt-in to store or access cookies unless they are: 

 

  • Of a purely technical nature; 
  • Used to transmit information over an electronic communications network; 
  • Instrumental in providing a service on the request of web users. (“Technical” cookies, also known as “essential”  cookies)

The Office for Personal Data Protection maintains that businesses must — without reservation — comply with the Electronic Communications Act as it relates to the storing and accessing of cookies and the GDPR (once it’s established that the processing of cookies or related information by businesses may amount to processing of personal data)

 

It’s worth going over the required elements in cookie consent that render it legally valid. We’ve highlighted some below:

 

Scope of the law

Per the amended ECA, websites or mobile app owners that deploy non-essential trackers must obtain consent. It’s not a requirement for essential trackers, given that such trackers are integral to providing the web service. But this exception applies only to the extent necessary to provide the said service. 

 

Users must be well-informed in a way that is void of ambiguity

Website owners are not permitted to set cookies before the web user grants consent.  The consent notice should be in the standard format (“accept all/refuse all” or “only accept” essential cookies), in a more user-friendly format, and worded in plain, simple language.

 

Positive action is also required for users to validly consent. Following this logic, equivocal wordings like, “By browsing this website, you hereby agree to the use of cookies” are now considered insufficient to legally obtain consent.

 

"Opt-in" replaces "Opt out"

Mirroring the GDPR, the “opt-in” option is now the legally recognized mechanism to obtain consent by law, which presents a shift from the previous “opt-out” approach.

 

Quality of Consent 

The decision to consent must not be unduly influenced. Thus, the common practice of giving users access to the website or any other parts thereof that should be freely accessible is illegal. Similarly, cookie walls that limit user access once they do not “opt-in” are outlawed. 

 

Plus, if a user scrolls to other parts of the website, it will not constitute an expression of consent and shouldn’t be treated as such. Consent must be granted expressly granted, not impliedly. 

 

What’s more, Proof of issuance of consent given must include the specific date and time when the user’s consent was requested and obtained, how the consent was requested, all information that was provided to request consent, and the credentials that stipulate by whom and or from which device the consent was given.

 

Flexible choice architecture

Web users should be able to withdraw their consent just as easily as they grant it. Thus, if a single click on the “accept” button/URL is required to issue consent, then a single click on the “withdraw consent” button/URL must be sufficient to withdraw the same.

 

This means interacting with users over email or phone to fill in requests is outlawed. 

 

Specificity

Separate consents must be obtained for each purpose of processing. Thus, if the personal data obtained is for analytic purposes, the business must obtain specific consent for this purpose. The same is true of data obtained to collate user preferences and data marketing purposes. 

 

How have the 2022 regulations affected cookie consent: what has changed?

 

The old ECA addressed a broad range of technologies that track or store user information: device fingerprints, web beacons, tracking pixels, and cookies. But, there was no obligation for website owners to obtain consent to deploy these technologies to collect data on users. 

 

Mobile app and website owners were obligated to provide users with in-depth information about cookies. Most Czech companies complied by displaying banners with information about how cookies were collected and providing an ‘opt-out’ option for users who didn’t want to have their information tracked. But they didn’t — according to the legal fine print of GDPR laws — actually seek the consent of web users. 

 

Until January 1st, 2022, businesses could rely on the “opt-out” mechanism, i.e., they could collect data from users until they opted out. Following the amendment of the ECA, all laws regarding tracking technologies in Czech compel compliance with the “opt-in” principle, which means collecting data from only consenting users.

 

The transition into an opt-in mechanism puts web users back in control of their privacy and re-allocates responsibility of privacy protection to the rightful custodians — businesses.  

 

Scope of Application: What are the implications for businesses?

 

The ECA now stacking up to the European standard means firmer, stricter rules for user data protection. The approved amendments to the Acts 127/2005 Coll. on Electronic Commissions have a wide scope of application as it co-exists with the Czech Act No.110/2019 on Personal Data Processing and the GDPR (applicable to all member states of the EU whether or not their national laws align with it). 

 

The regional applicability of EU law to member states means the updates in the Czech Republic do not imply any dramatic break from the status quo. Most businesses had to comply with GDPR cookie requirements before now, anyway, and consent was already part and parcel of the data collection process. 

 

Moreover, as all businesses operating within the Czech Republic or handling Czech customers have to comply with all the data laws simultaneously and without reservations, adhering to these guidelines is not as tedious as it seems. 

 

All three laws have very similar provisions. So, complying with one helps you stay compliant with the others. Non-GDPR-compliant companies, however, have their work cut out, lest they get caught on the wrong side of the law. 

 

How can you maintain compliance with Czech Cookie Consent Laws?

 

Following recent developments, Czech business owners should focus on compliance to avoid potential backlashes or penalties. 

 

Since the Czech cookie law amendment compels website owners to obtain cookie consent, a sure route to compliance — as has been embraced by many business owners — will be to display a Czech cookie law-compliant banner on website homepages. Whichever purpose user data will serve, consent is not only a legal obligation to be discharged but a commercial win since obtaining consent would mean only interested users opt-in. 

 

Didomi’s Consent Management Platform (CMP) puts ease into your consent collection, management, and compliance with a user-friendly interface that lets users manage their consent and preference choices. That way, legal risks are reduced while you secure optimal user consent rates to boost your digital marketing efforts. 

 

Got more inquiries about the Czech cookie consent rules? Worried that your website hasn’t met the latest compliance standards? Reach out to our team to discuss how Diodmi can help with your data privacy challenges:  

 

Talk to an expert

 

Frequently Asked Questions (FAQ)

 

What do the 1st January 2022 amendment to the Electronic Communications Act (ECA) mean for data privacy in Czech Republic?

The amendment aligns the Czech Republic's data privacy regulations with the European standards, as per the GDPR and ePrivacy directive.

 

They introduce an 'opt-in' culture, requiring businesses to obtain user consent before collecting data through cookies, which is a shift from the previous 'opt-out' approach. This move provides an added layer of privacy protection for consumers.

 

How can businesses comply with the new Czech Cookie Act?

Businesses must inform users about the use of cookies and obtain their consent before collecting data, except for essential or technical cookies necessary for the website functionality.

 

Consent should be obtained through a clear, unambiguous, and user-friendly mechanism, typically displayed via a cookie banner on the website. 

 

What constitutes valid cookie consent under the new Czech laws?

Legally valid consent should be informed, specific, and unambiguous. It requires positive action from the user, meaning consent cannot be implied from user inaction like merely browsing the website.

 

The information regarding cookies should be provided in plain and simple language, and users should have the flexibility to withdraw their consent as easily as they granted it.