On January 1, 2022, the Czech Republic aligned its cookie consent practices with the General Data Protection Regulation (GDPR) and the EU Cookies Directive by amending its Electronic Communications Act (ECA).

This development effectively changed the status quo for cookie processing in the Czech Republic. More specifically, it prompted a shift from an opt-out to an opt-in cookie consent system, placing the burden of consent on businesses rather than users.

In this article, we'll discuss cookie processing in the Czech Republic, the responsibilities of applicable businesses, and practical steps for ensuring compliance in light of stricter requirements.



As a member state of the EU, the Czech Republic has been covered by EU data privacy laws since the GDPR's inception. However, not all aspects of the Czech legal system conformed to the stricter EU standards. This was especially true for the Czech cookie processing requirements.

Up until January 1, 2022, the Czech Republic Electronic Communications Act (aka the Czech cookie law) contradicted the provisions of the GDPR and EU Cookies Directive.

Needless to say, this legal inconsistency confused businesses and made compliance all the more difficult.

Now, thanks to the ECA's amendment, cookie processing rules in the Czech Republic are in accord with those of the GDPR and EU Cookies Directive.

While these rules are notably more stringent, the good news is that cookie processing is now far less ambiguous and more straightforward for businesses to implement.

Data Protection Landscape in the Czech Republic

Following the ECA's amendment, the Czech Republic's national legislation and data protection rules are now completely aligned with European data privacy standards.

Presently, the following data protection laws apply in the Czech Republic:

  • The EU General Data Protection Regulation (GDPR), which is directly applicable in all EU member states
  • The Czech Act No. 110/2019 on Personal Data Processing, which aligns Czech data protection law with the GDPR, and
  • The Electronic Communications Act (ECA), which is now aligned with the EU Cookies Directive

These three laws work together to regulate data privacy and ensure compliant cookie practices in the Czech Republic.

As a business owner, you don't have to be physically present in the Czech Republic to be covered by its privacy laws. Thanks to the GDPR's oversight, if you offer products and services to Czech residents, monitor their online behavior, or collect their personal data, you must comply with the regulation.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person." Typical examples include but aren't limited to:

  • Names/usernames
  • Home addresses
  • Email addresses
  • Identification numbers
  • Financial information
  • "Technical data" such as IP addresses, browsing histories, cookie IDs, etc.

So, if your business collects the personal data of Czech residents through cookies and similar technologies, you may have to comply with all three laws above.

Fortunately, the provisions of these laws are now in harmony, and compliance with one of the laws will likely make you compliant with at least some of the demands of the others.

That said, let's take a closer look at the Czech Republic's cookie consent rules in light of the ECA's amendment.

Cookie Consent Rules in the Czech Republic

Now that the ECA is aligned with the GDPR and EU Cookies Directive, applicable businesses must review their cookie processing practices and make adjustments where necessary.

The most impactful change for businesses is the switch from an opt-out to an opt-in cookie consent system.

As a website or app owner, this means the old method of automatically loading cookies and then allowing users to decline them is no longer compliant. Instead, you must first get explicit consent from users before setting cookies on their devices.

There is, however, an exception to this provision. Consent isn't required if you use cookies for any of the following:

  • Purely technical purposes
  • Providing services explicitly requested by users
  • Transmitting data over an electronic communications network

In other words, consent isn't needed to implement "technical cookies" (also known as "strictly necessary" cookies).

To better understand the obligation of consent under the Czech cookie law, let's take a closer look at what is required.

The GDPR defines consent as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

To help businesses be mindful of and avoid common pitfalls, the Czech Republic Office for Personal Data Protection (UOOU) published a short guide containing the most common issues relating to cookie consent.

With this in mind, here are some of the most important tips to remember when obtaining consent for cookies in the Czech Republic:

  • Cookie consent banners that prevent users from accessing the website until they opt in are non-compliant.
  • Passive or implied consent is insufficient. Statements like, "By browsing this website, you hereby agree to the use of cookies," are now considered inadequate to legally obtain consent.
  • Users must take affirmative action, such as ticking an empty checkbox next to a statement that makes it clear it's an "I Agree" checkbox, or clicking an "I Accept" or "I Agree" button before you can legally set cookies on their devices.
  • Evidence of consent must include relevant details such as the time of approval, method of consent request, data collection, etc.
  • Separate consent is necessary for each purpose of processing.
  • Consent must be just as easy to withdraw as it was for users to give it.

Now, let's see some of the most common questions about the Czech Republic's cookie processing standards to get even more clarification.

FAQ: Cookie Processing in the Czech Republic

The Czech Republic Office for Personal Data Protection (UOOU) maintains that businesses must comply with the following laws:

  • The ECA (for processing cookies and similar technologies), and
  • The GDPR (in cases where the processing of cookies or similar technologies may constitute the processing of personal data)

To help businesses navigate this complex framework, the UOOU has published specific FAQs relating to cookie processing in the Czech Republic. Let's take a look at some of them.

The UOOU does not rule this option out. However, the data administrator must be able to show that users have given their explicit consent to the processing of cookies (for individual purposes).

No, you must obtain active consent from users before placing cookies on their devices. If users can close your cookie banner without accepting or rejecting cookies, their continued use of your website cannot be interpreted as consent.

Is it necessary for the "Reject All" button to be visible at first glance?

The reject button for cookie consent should be on the same level as the accept button. This is because for users to have a free choice under the GDPR, refusing consent must be as easy as giving it.

For example, here's how HP presents these buttons as equally sized in its cookie consent banner, with the reject button in no way less prominent than the accept button:

HP Cookie Consent Banner with Reject All and I Accept buttons highlighted

Generally speaking, 12 months is a reasonable period to store consent for the use of cookies before requiring users to provide consent again.

If a user declines to grant consent, they shouldn't be prompted to do so again for at least 6 months after the cookie banner was last displayed.

That said, you may shorten this period if any of the following occurs:

  • One or more processing circumstances change significantly, or
  • You cannot track previous consent/disapproval (e.g., users have deleted the cookies stored on their device)

Now that we've established the cookie processing rules in the Czech Republic, let's look at the specific requirements and practical steps for compliance.

Cookie Processing Requirements in the Czech Republic

Since the GDPR is directly applicable in all EU member states, the updates to the Czech Republic's ECA add nothing significantly new to compliance requirements.

Before the ECA's amendment, most businesses had to comply with the GDPR and the EU Cookies Directive and will therefore already be in compliance with the Czech cookie law as well.

That being said, if your business isn't GDPR-compliant, you'll need to take the following steps to satisfy the Czech cookie processing requirements:

  • Conduct a comprehensive cookies audit to determine the categories of cookies you use on your website or app.
  • Provide detailed and accurate information about cookies on your website or app in clear and straightforward language.
  • Obtain active, opt-in consent from users before loading non-technical cookies on their devices.
  • Keep a record of user consent.
  • Provide links to your Cookies Policy or cookie information page in conspicuous locations around your website or app (e.g., in your cookie consent banner, website footer section, and Privacy Policy).
  • Make it as simple to withdraw consent as it is to give it.

Next, let's take a look at the practical steps you can take to comply with these requirements.

How to Comply with the Czech Republic Cookie Processing Requirements

If your website or app uses cookies and operates under the Czech Republic's jurisdiction, here are the key steps you must take to comply with the requirements.

Provide a Comprehensive Cookies Policy

Much like the GDPR, the Czech Republic's cookie law requires applicable businesses to provide sufficient information about their use of cookies and similar technologies on their website or app.

As a business owner, you can either include this information as a section within your website's Privacy Policy or on a separate webpage in your Cookies Policy or cookie information page.

In any case, your Cookies Policy should provide (at least) the following information:

  • What cookies are and how they work
  • What categories of cookies and similar tracking technologies you use
  • How and why you use cookies and similar tracking technologies
  • Third-party cookies on your website and their purposes
  • How to manage or adjust cookie preferences
  • Updates to your Cookies Policy
  • Your contact information

Coca-Cola, for example, has a comprehensive Cookies Policy that explains the necessary information in clear and simple language. Here's an excerpt from the policy:

Coca-Cola Cookie Policy: What kind of cookies do we use, updates to this policy and contacting us clauses

In light of the Czech Republic's opt-in consent requirement, you'll need to set up a cookie consent banner on your website or app that satisfies the quality of consent guidelines outlined earlier in this article.

To recap, you must not set cookies on users' devices automatically, but only after they opt in by ticking an empty checkbox or clicking an "I Accept" button.

What's more, your cookie consent banner must inform users about your cookie processing practices and include a link to the cookie information section of your Privacy Policy or your Cookies Policy for a more detailed account of your practices.

Furthermore, you must include a prominent "reject" button or a similar means for users to decline non-technical cookies in the first layer of your cookie consent banner. This is necessary to satisfy the requirement for easy consent withdrawal.

Here's how Capgemini's cookie consent banner complies with these requirements:

Capgemini Cookie Consent Banner with Cookie Policy link and buttons highlighted

Similarly, Deloitte has a compliant cookie consent banner, as shown below:

Deloitte Cookie Consent Banner with cookie information page link and buttons highlighted

Summary

Thanks to the ECA's amendment, the Czech Republic's data protection laws are fully aligned with EU privacy standards.

When it comes to cookie compliance requirements in the Czech Republic, businesses must now implement the opt-in consent system and observe specific consent standards, much like under the GDPR and EU Cookies Directive.

To comply with the Czech cookie processing requirements, you must take the following practical steps:

  • Provide a comprehensive Cookies Policy that accurately summarizes your cookie-processing practices.
  • Set up a Czech cookie law-compliant cookie banner following the various guidelines provided above.
