30.12.2021 10:21
The amendment to Act No. 127/2005 Coll., on electronic communications, will come into force on 1 January 2022. By that date, you are obliged to adjust your website as summarized below.
- What are cookies?
Simply put, they are small data files that, among other things, enable the functionality of the website. When you visit a website, cookies are placed on the device you use to log in to the website. Cookies are used to identify visitors of the website and some are used to collect information about the visitors’ movements around the website.
In essence, there are three types of cookies:
- Technical – technical cookies are necessary for the functionality of the website. Without them, the website would not perform well. For example, technical cookies ensure that the website remembers you when you make a purchase in an online shop. They allow you to add individual items to your shopping cart. If the website did not use cookies, each change (e.g. selecting another item and adding it to the basket) would be treated as a new visitor to the site and the previous items added to the basket would be forgotten. Technical cookies are stored for a short period of time and no personal data are processed in connection with their use;
- Analytical – analytical cookies are used to recognize visitors to the website when analyzing its traffic. The aim is, simply put, to recognize visitors who return to the website and not to count them in again. Analytical cookies are not necessary for the functionality of the website and are stored for a medium to long period of time. Personal data may be processed in connection with their use;
- Marketing – marketing cookies are designed to identify the users of a website and their behavior across the site. Marketing cookies are used for targeted advertising and are not necessary for the functioning of the site. To give you a better idea, marketing cookies are the reason why, after looking for a tour on a particular tour operator’s website, you will be haunted by that tour operator’s advertisements as you browse the internet, whether or not you have purchased anything from that tour operator. Marketing cookies tend to be stored for a long period of time and personal data may be processed in connection with their use.
For more information on cookies, see, for example, https://www.aboutcookies.org/.
- What does the change in legislation entail?
The legislation contained in the Electronic Communications Act, including the conditions for the use of cookies, is a transposition of EU directives (see EU Directive 2009/136/EC).
European legislation is based on the so-called OPT-IN principle for the use of cookies. In short, with the exception of technical cookies, about which it is sufficient to inform, the consent of the website visitor is necessary for the use of analytical and marketing cookies.
However, the EU Directive was incorrectly transposed into the Czech legal system and the legal provisions for the use of cookies contained in the Electronic Communications Act are based on the opposite principle, i.e. the OPT-OUT principle. This has led to a situation where analytical and marketing cookies are/were used without prior consent simply by advising the user/visitor of their use and allowing the possibility to opt out from the use of cookies later (cookies can be disabled).
Given the above, websites in this country are only exceptionally built on the OPT-IN principle. In the vast majority of cases, the OPT-OUT principle prevails. The website usually just pops up a bar informing that cookies are used and the visitor acknowledges this fact by confirming it by ticking a box.
The incorrect transposition of European law cannot result in harm to the website operator, i.e. the website operator cannot be penalized under the Electronic Communications Act for using the OPT-OUT principle.
However, this does not change the fact that if the use of (in particular) marketing cookies results in the processing of visitors’ personal data for marketing purposes, in particular if profiling and automated decision-making are part of the processing of personal data, there is no legitimate interest of the controller as a basis for such processing of personal data (Article 6(1)(f) GDPR). Such processing of personal data must only and exclusively be based on the data subject’s consent and the consent must have all the parameters under data protection legislation. Among other things, it must be an unambiguous, free, informed, conscious and active expression of will, whereby the data subject consents to the processing of certain personal data by a particular controller for a specified period of time and for a specific purpose. Clicking on the “I acknowledge” button hardly meets such parameters.
In other words and in short, without explicit consent to the processing of personal data for marketing purposes via cookies, such processing of personal data is contrary to the law. The fact that the mere installation of cookies does not have to be illegal does not change this.
The foregoing clearly indicates what kind of changes to the Electronic Communications Act are to be expected as of 1 January 2022.
By amending the Act, the Czech law will be brought into line with European legislation. The rules for the use (installation) of cookies will change such that, apart from technical cookies, where mere information about the type of cookies, their description and storage period, will suffice, the use of all other cookies will be subject to the user’s consent; the principle will change from OPT-OUT to OPT-IN. The consent will have to be in accordance with the rules of data protection legislation.
- Good and bad practice and other problems and issues
In light of the practical experience to date regarding the design of information bars and other parts of the site relating to cookies and in the context of the legislation outlined above, the following examples of good and bad practice can be highlighted and the following recommendations made:
- consent to the use of cookies – the consent must meet the requirements of data protection legislation, which means:
  - the form of words of the consent, which will be subsequently confirmed by the user, must be simple;
  - it is advisable to use multiple layers, where the initial layer describes the basic parameters and subsequent layers, working on the click-through principle, specify the parameters and give more details;
  - if the site uses more than one type of cookies, a general consent to all types of cookies can be offered as a default on the information bar with a consent tool (button), which will be summarized in the basic initial text (together with a possible consent to the processing of personal data), and an option of custom settings must follow (if the user is interested, he or she should be able to allow only some cookies or only processing for certain purposes);
  - the expression of will must be active, i.e. the box indicating consent cannot be pre-ticked, dropping the consent bar cannot be considered as consent, and the text “by using the site you agree to the installation of cookies” etc. cannot be used;
  - consent is given for a specific period of time. The period of time must be precisely stated, bearing in mind that for some cookies the retention period is reset at the time of the visit to the site;
  - the possibility to withdraw one’s consent in a simple way must be offered;
  - access to the content of the site cannot be conditional upon consent to the use of cookies and the processing of personal data;
  - when asking for consent, it is not permissible to mix it with, or make it conditional upon, unrelated services;
  - cookies may only be installed after consent has been granted;
- information about cookies, processing of personal data and the rights of the data subject – it is advisable to set up a special tab on the website to provide information on cookies, including the types of cookies used, their purpose and retention period, as well as to provide information on the processing of personal data and on the rights of the data subject, and to offer communication channels for the data subjects to exercise their rights, to withdraw their consent to cookies, etc.;
- when using cookies for marketing purposes, it is important to take into account that devices used by multiple persons who cannot be distinguished from one another may result in distorted information, and if that information contains personal data, a responsible judgment needs to be made;
- it is not permissible to extract consent to cookies by means of a cookie wall, i.e. a bar whose size covers most of the screen and makes it effectively impossible to use the site;
- the user’s web browser settings cannot be referred to as an indication of consent.
Finally, if third-party cookies are used on a website (usually through a space dedicated to advertising purposes), the website operator and the person processing personal data through such cookies are considered joint data controllers in terms of data protection legislation. Both are thus responsible for the handling of the data. Similarly, the website operator may also be held liable to the user for informing the user about such cookies and for obtaining consent.
In this context, we recommend that you pay full attention to the contractual arrangements with the third parties advertising on your website.
Given that the issues surrounding the use of cookies are very abstract, we stand ready to assist you in setting up cookies and drafting the underlying documentation should the need arise.
This update was drafted by: doc. JUDr. Jakub Morávek, Ph.D.
Felix a spol. advokátní kancelář s.r.o.