Article 5(3) of Directive 2002/58/EC (“ePrivacy Directive”), as amended in 2009, has been implemented into Czech law through Section 89 of the Czech Electronic Communications Act. Section 89 of the Electronic Communications Act establishes the “opt-in” principle. The end-user must grant its prior consent before information can be stored on their terminal equipment or before information already stored on the terminal equipment may be accessed. The consent must comply with the GDPR.
The “opt-in” principle has been incorporated into Czech law as of 1 January 2022. Until then the ePrivacy Directive had been implemented incorrectly, and the Electronic Communications Act enabled the opt-out principle. Therefore, cookies could have been placed without the prior end-user’s consent. The end-users must have only been provided with an opt-out option. Following the change of the Czech Electronic Communications Act and the publication of the Czech Data Protection Authority (DPA) that it would focus on cookie practices in its supervisory activities in the year 2022, most of the website operators have updated their cookie procedures during the year 2022 and now comply with applicable cookies rules.
Only technical cookies or cookies which are strictly necessary for enabling or facilitating communication by electronic means or for the provision of an online communication service can be placed automatically. The prior end-user’s consent is not necessary only in the case of technical cookies which enable storage of information or access to information that: (i) has the sole purpose of enabling or facilitating communication by electronic means; or (ii) is strictly necessary for the provision of an online communication service expressly requested by the end-user.
No.
No. The Czech DPA stresses that the consent with cookies must comply with GDPR requirements and refers to the EDPB guidance. According to EDPB Guidelines 05/2020 on consent under Regulation 2016/679, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of the end-user’s consent. The Czech DPA has also confirmed that the inactivity of the data subject, such as remaining on the website, cannot be considered consent under the GDPR.
No. The consent must fulfil the GDPR requirements. According to Articles 4(11), 7, and 13 of the GDPR, the consent must be provided in an informed manner. The end-users have to be provided with relevant information before the consent is granted.
The Czech law does not stipulate the manner as to how the cookie consent has to be obtained. However, some kind of cookie banner/ management tool is necessary as the end-users must have control over the cookies placed on their terminal equipment and manage their preferences. However, the Czech DPA stated that the cookie management tool is not necessary provided that only technical cookies are used.
No. In relation to the question of cookie walls, the Czech DPA refers to the EDPB Guidelines 05/2020 and confirms that the use of cookie walls is prohibited. According to EDPB Guidelines 05/2020 on consent under Regulation 2016/679, if the end-users are forced to grant their consent with cookies to access to services in question by cookie walls, such consent would not be considered to be given freely. Therefore, the consent would not comply with GDPR requirements.
Yes. Following the amended Czech Electronic Communications Act as of 1 January 2022, the Czech DPA focused on cookie practices in its supervisory activities in the year 2022. Subsequently, the Czech DPA published a press release in August 2023 and stated that it has proceeded to impose fines on website operators, because they have had sufficient time to bring their use of cookies into compliance with applicable cookies rules. Therefore, even though the Czech DPA has not listed cookie practices as the focus of its supervisory activities in the year 2024, cookie practices are likely to be still on the Czech DPA’s radar over the coming year.
No, we are not aware of any.
None that we are aware of.
