On January 1, 2022, the Czech Republic aligned its cookie consent practices with the General Data Protection Regulation (GDPR) and the EU Cookies Directive by amending its Electronic Communications Act (ECA).
This development effectively changed the status quo for cookie processing in the Czech Republic. More specifically, it prompted a shift from an opt-out to an opt-in cookie consent system, placing the burden of consent on businesses rather than users.
In this article, we'll discuss cookie processing in the Czech Republic, the responsibilities of applicable businesses, and practical steps for ensuring compliance in light of stricter requirements.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tables and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copy-paste the installation code in the
</head>section of your website. Instructions how to add in the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
- 1. Czech's Cookie Law Amendment: A Little Context
- 2. Data Protection Landscape in the Czech Republic
- 3. Cookie Consent Rules in the Czech Republic
- 3.1. Quality of Consent
- 4. Frequently Asked Questions about Cookie Processing in the Czech Republic
- 4.1. Can users give consent through a browser?
- 4.2. Can I consider users closing my cookie banner to be consent?
- 4.3. Is it necessary for the "Reject All" button to be visible at first glance?
- 4.4. How long can cookie storage consent be kept, and when can it be requested again if it was previously declined?
- 5. Cookie Processing Requirements in the Czech Republic
- 6. How to Comply with the Czech Republic Cookie Processing Requirements
- 6.1. Provide a Comprehensive Cookies Policy
- 6.2. Set Up a Czech Cookie Law-Compliant Cookie Banner
- 7. Summary
Czech's Cookie Law Amendment: A Little Context
As a member state of the EU, the Czech Republic has been covered by EU data privacy laws since the GDPR's inception. However, not all aspects of Czech's legal system conformed to the stricter EU standards. This was especially true for Czech's cookie processing requirements.
Up until January 1, 2022, the Czech Republic Electronic Communications Act (aka Czech's cookie law) contradicted the provisions of the GDPR and EU Cookies Directive.
Needless to say, this legal inconsistency confused businesses and made compliance all the more difficult.
Now, thanks to the ECA's amendment, cookie processing rules in the Czech Republic are in accord with those of the GDPR and EU Cookies Directive.
While these rules are notably more stringent, the good news is that cookie processing is now far less ambiguous and more straightforward for businesses to implement.
Data Protection Landscape in the Czech Republic
Following the ECA's amendment, the Czech Republic's national legislation and data protection rules are now completely aligned with European data privacy standards.
Presently, the following data protection laws apply in the Czech Republic:
- The EU General Data Protection Regulation (GDPR) which is directly applicable in all the EU member-states
- The Czech Act No.110/2019 on Personal Data Processing which aligns the Czech data protection law with the GDPR, and
- The Electronic Communications Act (ECA), which is now aligned with the EU Cookies Directive
These three laws work together to regulate data privacy and ensure compliant cookie practices in the Czech Republic.
As a business owner, you don't have to be physically present in the Czech Republic to be covered by its privacy laws. Thanks to the GDPR's oversight, if you offer products and services to Czech residents, monitor their online behavior, or collect their personal data, you must comply with the regulation.
The GDPR defines personal data as "any information relating to an identified or identifiable natural person." Typical examples include but aren't limited to:
- Home addresses
- Email addresses
- Identification numbers
- Financial information
- "Technical data" such as IP addresses, browsing histories, cookie IDs, etc.
So, if your business collects the personal data of Czech residents through cookies and similar technologies, you may have to comply with all three laws above.
Fortunately, the provisions of these laws are now in harmony, and compliance with one of the laws will likely make you compliant with at least some of the demands of the others.
That said, let's take a closer look at the Czech Republic's cookie consent rules in light of the ECA's amendment.
Cookie Consent Rules in the Czech Republic
Now that the ECA is aligned with the GDPR and EU Cookie Directive, applicable businesses must review their cookie processing practices and make adjustments where necessary.
The most impactful change for businesses is the switch from an opt-out to an opt-in cookie consent system.
As a website or app owner, this means the old method of automatically loading cookies and then allowing users to decline them is no longer compliant. Instead, you must first get explicit consent from users before setting cookies on their devices.
- Purely technical purposes
- Providing services explicitly requested by users
- Transmitting data over an electronic communications network
In other words, consent isn't needed to implement "technical cookies" (also known as "strictly necessary" cookies).
To better understand the obligation of consent under Czech's cookie law, let's take a closer look at what is required.
Quality of Consent
The GDPR defines consent as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
To help businesses be mindful of and avoid common pitfalls, the Czech Republic Office for Personal Data Protection (UOOU) published a short guide containing the most common issues relating to cookie consent.
With this in mind, here are some of the most important tips to remember when obtaining consent for cookies in the Czech Republic:
- Cookie consent banners that prevent users from accessing the website until they opt in are non-compliant.
- Users must take affirmative action, such as ticking an empty checkbox next to a statement that makes it clear it's an "I Agree" checkbox, or clicking an "I Accept" or "I Agree" button before you can legally set cookies on their devices.
- Evidence of consent must include relevant details such as the time of approval, method of consent request, data collection, etc.
- Separate consent is necessary for each purpose of processing.
- Consent must be just as easy to withdraw as it was for users to give it.
Now, let's see some of the most common questions about the Czech Republic's cookie processing standards to get even more clarification.
Frequently Asked Questions about Cookie Processing in the Czech Republic
The Czech Republic Office for Personal Data Protection (UOOU) maintains that businesses must comply with the following laws:
- The ECA (for processing cookies and similar technologies), and
- The GDPR (in cases where the processing of cookies or similar technologies may constitute the processing of personal data)
To help businesses navigate this complex framework, the UOOU has published specific FAQs relating to cookie processing in the Czech Republic. Let's take a look at some of them.
Can users give consent through a browser?
The UOOU does not rule this option out. However, the data administrator must be able to show that users have given their explicit consent to the processing of cookies (for individual purposes).
Can I consider users closing my cookie banner to be consent?
No, you must obtain active consent from users before placing cookies on their devices. If users can close your cookie banner without accepting or rejecting cookies, their continued use of your website cannot be interpreted as consent.
Is it necessary for the "Reject All" button to be visible at first glance?
The reject button for cookie consent should be on the same level as the accept button. This is because for users to have a free choice under the GDPR, refusing consent must be as easy as giving it.
For example, here's how HP presents these buttons as equally sized in its cookie consent banner, with the reject button in no way less prominent than the accept button:
How long can cookie storage consent be kept, and when can it be requested again if it was previously declined?
If a user declines to grant consent, they shouldn't be prompted to do so again for at least 6 months after the cookie banner was last displayed.
That said, you may shorten this period if any of the following occurs:
- One or more processing circumstances significantly changes, or
- You cannot track previous consent/disapproval (e.g., users have deleted the cookies stored on their device)
Now that we've established the cookie processing rules in the Czech Republic, let's look at the specific requirements and practical steps for compliance.
Cookie Processing Requirements in the Czech Republic
Since the GDPR is directly applicable in all EU member states, the updates to the Czech Republic's ECA add nothing significantly new to compliance requirements.
Before the ECA's amendment, most businesses had to comply with the GDPR and the EU Cookies Directive and will therefore already be in compliance with Czech's cookie law as well.
That being said, if your business isn't GDPR-compliant, you'll need to take the following steps to satisfy Czech's cookie processing requirements:
- Conduct a comprehensive cookies audit to determine the categories of cookies you use on your website or app.
- Provide detailed and accurate information about cookies on your website or app in a clear and straightforward language.
- Obtain active, opt-in consent from users before loading non-technical cookies on their devices.
- Keep a record of user consent.
- Make it as simple to withdraw consent as it is to give it.
Next, let's take a look at the practical steps you can take to comply with these requirements.
How to Comply with the Czech Republic Cookie Processing Requirements
Provide a Comprehensive Cookies Policy
In any case, your Cookies Policy should provide (at least) the following information:
- What cookies are and how they work
- What categories of cookies and similar tracking technologies you use
- Third-party cookies on your website and their purposes
- How to manage or adjust cookie preferences
- Updates to your Cookies Policy
- Your contact information
Coca-Cola, for example, has a comprehensive Cookies Policy that explains the necessary information in clear and simple language. Here's just an excerpt, but the full policy is linked in the previous sentence:
Set Up a Czech Cookie Law-Compliant Cookie Banner
In light of the Czech Republic's opt-in consent requirement, you'll need to set up a cookie consent banner on your website or app that satisfies the quality of consent guidelines outlined earlier in this article.
To recap, you must not set cookies on users' devices automatically, but only after they opt in by ticking an empty checkbox or clicking an "I Accept" button.
Furthermore, you must include a prominent "reject" button or a similar means for users to decline non-technical cookies in the first layer of your cookie consent banner. This is necessary to satisfy the requirement for easy consent withdrawal.
Here's how Capgemini's cookie consent banner complies with these requirements:
Similarly, Deloitte has a compliant cookie consent banner, as shown below:
Thanks to the ECA's amendment, the Czech Republic's data protection laws are fully aligned with EU privacy standards.
When it comes to cookie compliance requirements in the Czech Republic, businesses must now implement the opt-in consent system and observe specific consent standards, much like under the GDPR and EU Cookies Directive.
To comply with the Czech cookie processing requirements, you must take the following practical steps:
- Provide a comprehensive Cookies Policy that accurately summarizes your cookie-processing practices.
- Set up a Czech cookie law-compliant cookie banner following the various guidelines provided above.