Authors: Robert Nešpůrek, Vojtěch Bartoš
With the New Year, new rules for the use of cookies and other tracking technologies on websites came into force. In this short article we offer you a simple overview of the most important information that you should definitely not miss.
The Electronic Communications Act has been amended with effect from 1 January 2022 in a way that means several significant changes for the practical use of these tools on your website. These changes relate in particular to the consent that must be obtained from the user before cookies can be used.
The most important thing is the reversal of the current concept of obtaining consent to the use of cookies. The user must actively give his/her consent to the use of cookies, and it is no longer sufficient for the user to be able to reject the use of cookies. The default setting for cookies on your website must therefore be “disabled until allowed by the user”, and not “allowed until disabled by the user”.
The consent to the use of cookies must itself meet specific qualitative criteria to be considered validly given. It must be a voluntary, informed and unambiguous expression of will, obtained in a demonstrable manner specifically for the individual purposes.
In practice, this means that the user must in particular be given relevant information in advance in a comprehensible and proportionate manner about what he/she is to agree to (i.e., what cookies are to be used, for what purposes, for how long they will be active, etc.).
For this purpose, a cookie banner must be set up appropriately so that it contains all the essential information and allows the user to accept or reject cookies in a simple way.
A specific topic is the so-called “dark patterns”, i.e., various practices that consist of setting the cookie banner in such a way as to guide the user towards the operator’s preferred option (e.g., to accept cookies as widely as possible). These practices are inherently contrary to the voluntary nature of consent and are strongly recommended to be avoided.
The user must clearly indicate his/her will to allow cookies or not. Thus, the most appropriate way is probably to actively click on the respective consent box.
On the other hand, a pre-ticked box, simply scrolling through the website or simply staying on the website cannot be considered an active expression of consent to cookies. This also implies that simply visiting the website cannot be considered an active expression of consent, and if the visitor does not select any option in the banner, this is identical to not giving consent at that moment.
It also appears from the supervisory authorities’ recent statements that it will not be considered sufficient in terms of the above consent requirements if the user is only referred to his/her browser settings. Ensuring the cookie banner and its correct settings will thus become a necessity.
Contrary to previous practice, consent given to the use of cookies by a particular user cannot be considered as consent given forever. There has not yet been a common view among European supervisory authorities on the specific period for which consent to the use of cookies can be given.
However, a statement from the Office for Personal Data Protection suggests that a period of approximately one year should be considered acceptable. Nevertheless, once one year has elapsed since a particular user has given his/her consent to the use of cookies, the user must again be offered the opportunity to give opt-in consent as described above. Thus, even this “repeated” consent cannot be in opt-out mode.
Withdrawing consent must be as simple as giving it. Thus, there must be a clear link on the website or another way how to retrieve the banner again where the user can change the settings.
However, it is quite common on the Czech Internet for the cookie banner to be displayed repeatedly, i.e., each time the user reloads the website, especially if he/she does not give his/her consent to the maximum extent possible. Such practices could be assessed a de facto coercion of consent and in any case as user nuisance.
If the user rejects the use of cookies (or the extent to which he/she rejects them), the website operator should ensure that such a user is not shown a cookie banner on each reload of the website. Currently, the prevailing view among the professional community is that a reasonable period for which the user who has rejected the use of cookies should not be repeatedly shown with a cookie banner asking for consent is approximately 3 to 6 months, depending on the type of a web service.
All these aspects of digital analytics and marketing tools, as well as their development, are closely monitored by our team of experts. They are ready at any time to advise you on setting up your website exactly according to your needs, so that you can take full advantage of the information that correctly collected data about your website visitors can provide you.