Czech Republic: FAQs related to cookie bars and consent
Summary of the key FAQs
In addition, the FAQs explain the different consent requirements according to the different regulations. The Czech Electronic Communications Act requires verifiable consent for the use of non-technical cookies on websites. On the other hand, the GDPR stipulates that any processing of personal data, including via cookies, must be founded on one of six legal bases, one of which is consent. Therefore, the UOOU confirms that personal data can be processed through cookies based on legitimate interest. However, if the controller decides to rely on consent as the legal basis, it must be free, specific, informed, and unambiguous. It is possible to obtain both types of consent simultaneously, provided that all requirements are met.
Finally, certain questions relate to the form of user consent and the circumstances under which the provider can assume that consent has been granted. It is emphasized that the design and color of consent buttons should not influence the user's decision. Additionally, the 'reject all' button must be placed on the same level as the consent button, ensuring that opting out is as effortless as opting in. Pre-checked boxes for analytics and marketing cookies do not constitute consent. The UOOU recommends informing users of all individual cookies, their purpose, and their retention period. This information can be provided in the second layer of information. Closing the cookie bar or browsing the site without giving explicit consent cannot be considered valid consent.
Practical strategies for implementing cookie consent mechanisms
We have identified the following practical strategies for implementing cookie consent mechanisms and best practices for organizations:
- Obtain valid consent: verifiable consent is required for the use of non-technical cookies. If the website operator intends to process personal data through cookies based on consent, the consent should also be free, specific, informed, and unambiguous.
- Avoid pre-checked boxes for non-technical cookies: pre-checked boxes for non-technical cookies are not considered valid consent.
- Enable withdrawal of consent: allowing users to withdraw their consent is essential, and they must be informed about this option.
- Provide a 'reject all' button in the cookie bar: websites using non-technical cookies must provide a 'reject all' button in the cookie bar. The cookie bar must be readable and accessible, and should not prevent interaction with the site. It should also include a mechanism to easily close the bar without selecting a specific response.
- Avoid influencing the user's decision: the design and color of consent buttons should not influence the user's decision. The 'reject all' button must be placed on the same layer as the consent button, making it equally convenient to reject or to give consent.
- Allow users to access the site without accepting cookies: preventing users from accessing the site before accepting cookies is not allowed, and closing the cookie bar or browsing the site without providing explicit consent cannot be considered valid consent.
- Renew consent after 12 months: consent to use non-technical cookies should be valid for 12 months. The website operator should then renew the consent. If a user refuses consent, the website operator can request consent again after a six-month period.
- Fulfill information obligations towards data subjects: the website must comply with the obligation to provide information to data subjects about the processing of their personal data and their rights.
By implementing the above practices, organizations can ensure compliance and protect users' privacy.