Regulation of the Storage of So-Called Cookies

2014/04/11
The storage of so-called cookies in users’ computers is primarily regulated at Union level, whereby this regulation is implemented by means of a European Union directive (that is, not by means of a regulation). This means that Union law itself does not directly impose obligations on subjects of law in individual Member States, but rather envisages the transposition (implementation) of this regulation into individual national legal orders (see below).

In 2009, Directive 2009/136/EC of the European Parliament and of the Council (hereinafter referred to as the “amending directive”) was adopted, which amended Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter referred to as the “Directive on privacy and electronic communications”). The amending directive brought, inter alia, an amendment to the provision of Article 5(3) of the Directive on privacy and electronic communications, which is devoted to the issue of storage of cookies.

The provision of Article 5(3) of the Directive on privacy and electronic communications has thus read as follows since the entry into force of the amending directive: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

It thus follows from the above that in the area of storage of so-called cookies, website operators should apply the opt-in principle, except in those cases where the storage of so-called cookies is “strictly necessary in order for the provider of an information society service to provide the service explicitly requested by the subscriber or user.” In our view, therefore, where certain functionality of a website (web service) depends on storing cookies, the user’s prior consent to the storage of the file in the user’s computer should not be necessary (however, the information obligation towards the user should be fulfilled).

As mentioned above, the general framework of this legislation should be implemented in all EU Member States. However, the amended provision of Article 5(3) of the Directive on privacy and electronic communications has not yet been implemented into the Czech legal order. Specifically, this concerns the provision of Section 89(3) of the Electronic Communications Act (Act No. 127/2005 Coll., as amended), which provides that “Any person who intends to use or uses electronic communications networks for storing data or for gaining access to data stored in the terminal equipment of subscribers or users is obliged to inform such subscribers or users in advance in a demonstrable manner of the scope and purpose of their processing and is obliged to offer them the possibility to refuse such processing. This obligation shall not apply to technical storage or access solely for the purposes of carrying out or facilitating the transmission of a message over an electronic communications network or where this is strictly necessary for the purposes of providing an information society service explicitly requested by the subscriber or user.” Czech legislation in the area of storage of cookies thus still proceeds from the opt-out principle.

This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the civic association Association for Electronic Commerce (APEK) as legal circular No. 5/2012 intended for members of this association.

This text was translated from Czech to English using an AI translator.
