On 6 March 2023, the Czech Office for Personal Data Protection (UOOU) published an updated version of its recommendations on the use of cookies on its website. These updated guidelines provide website operators and visitors with practical information on the basic rules for using cookies and setting cookie banners.
Necessary or “technical” cookies are those that are necessary for the actual operation of the website. The UOOU’s new guidance states that if a website uses only technical and not non-technical cookies, there is no need to implement a cookie banner on the website. However, if the processing of cookies also involves the processing of personal data, it is still necessary to comply with the information obligation towards data subjects. This can typically be fulfilled by placing a link with a document containing the prescribed information in a prominent place on the website (e.g. in the footer).
The UOOU stresses that this information obligation must be fulfilled in an accessible and intelligible manner using plain language. The requirement of an accessible and intelligible manner will not be considered to be met, for example, if the visitor has to click through a number of pages to access the information or if the website intended for Czech-speaking visitors lacks information on the processing of personal data through cookies in the Czech language. In this context, website operators can be strongly advised to avoid other so-called “dark patterns” as well.
Visitors must be able to withdraw their consent to the processing of personal data by means of non-technical cookies at any time, and withdrawing consent must be as easy as giving it. Therefore, if consent is given via a cookie banner, the UOOU does not accept that consent can only be withdrawn, for example, by telephone. In this respect, the UOOU recommends that website operators implement an easily accessible button or link by which the visitor can withdraw consent (or change their choice).
The period of time for which consent to the processing of personal data by means of cookies is to be given, as well as the period for the re-display of the cookie banner in the event of a refusal to give consent, must be determined both with regard to the purpose for which the personal data are processed and with regard to the expectations of the visitors.
In this respect, according to the UOOU, 12 months may be considered a reasonable period for which consent to the use of cookies has been granted. Conversely, where consent has been refused, the UOOU advises the website operator that consent should be required again no earlier than 6 months after the last time the cookie banner was viewed by the visitor in question.
However, this period may be reduced if:
- one or more of the circumstances of the processing have changed significantly (e.g. the purposes of the processing have changed significantly), or
- the website operator is unable to track prior consent/non-consent (e.g. the visitor has deleted cookies stored on their device).
However, if there is a significant change to the processing that also affects those visitors who have previously consented, the website operator must again request consent for this new processing from these visitors.
There is no doubt that a number of the new recommendations of the UOOU reflect the shortcomings identified by the UOOU during its supervisory activities in 2022, when it focused specifically on the processing of personal data through cookies. However, it can be expected that supervising the compliance of personal data processing through cookies with the relevant legislation will remain in the focus of the UOOU in the future. Due to the rapidly increasing complexity of these legal questions, we recommend that website operators use the services of experts, such as our law firm Deloitte Legal, who have long been involved in this area of law and who can provide you with the necessary legal assistance.
Seminars, webcasts, business breakfasts and other events organized by Deloitte.
