During 2021, we devoted several legal circulars to the issue of storing cookies, in connection with the adaptation of Czech legislation to EU law requirements. It should be recalled that by way of amendment to Act No. 127/2005 Coll., on Electronic Communications, as amended (hereinafter referred to as the “Act on Electronic Communications”), the regime for granting consent to the use of cookies changed from opt-out to opt-in as of 01/01/2022. In other words, the user must expressly consent to the storage of cookies other than technical cookies. This legislative change motivated the Office for Personal Data Protection to publish an FAQ before the end of the year, in which it analyses the most common situations associated with the implementation of the so-called cookie banner. Below we summarise some of our observations on this document.
Firstly, it is possible to mention that the Office for Personal Data Protection unfortunately designates (in our opinion incorrectly) every storage of cookies as processing of personal data. The Office has also taken a stricter interpretation in the sense that it requires that consent to the storage of cookies must also meet the same requirements that are required for granting consent under the GDPR. From the published information, it can therefore be inferred that practically every website, during the operation of which cookies are stored, requires some form of pop-up banner (the information obligation under the GDPR must also be fulfilled in the case of processing of personal data on the basis of legitimate interest). However, we are not entirely certain whether the Office for Personal Data Protection truly had such an intention.
From the more practical recommendations that appear in the answers, we select the following. Pre-ticked boxes in the cookie banner (pre-filled consent) cannot be considered consent granted in accordance with the GDPR. Similarly, the option to close the banner without the user expressly granting or refusing consent. Mere closure of the banner cannot be considered consent. The Office recalls that it already follows from the recitals of the GDPR that failure to grant consent cannot be a reason for refusing the user access to the content of a website. From this, however, in our opinion it factually follows that the trader should also operate such a version of the website that does not use any analytical or tracking cookies.
In the opinion of the Office for Personal Data Protection, the user must also have the possibility to withdraw his granted consent at any time. Withdrawal of consent must then be as easy as its granting. On websites, there should therefore be an easily accessible link by means of which granted consent can be withdrawn. In the ideal case, the button by which the user refuses to grant consent should be as easily accessible as the button for granting consent.
On a similar level, the Office then points out that there should be no difference between the graphic design of buttons by means of which the user grants or refuses consent. For example, the buttons should not have different graphic design. If the button leading to the refusal to grant consent is less colourfully distinctive (less visible), the granting of consent may not, in the opinion of the Office, be considered by the user to be free and therefore in accordance with the GDPR.
Jiří Moravec
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the association Association for Electronic Commerce (APEK) as legal circular No. 12/2021 intended for members of this association.
This text was translated from Czech to English using an AI translator.