Czech Republic Consent: Requirements & Guidelines

The Office for Personal Data Protection ('UOOU') in the Czech Republic updated its list of frequently answered questions ('FAQs') on cookie bars and consent in March 2023. These FAQs provide significant clarity on the Czech Republic‘s legal requirements concerning the use of cookies and similar technologies.

It is important to note that the consent of users only allows website operators to store non-technical cookies on the users’ devices. In order to be able to process personal data through cookies, the data controllers must comply with the requirements of the GDPR, including having a lawful processing ground. It is possible to obtain consent for the use of cookies and processing of personal data obtained via such cookies at the same time.

Following is an overview of the cookie consent requirements highlighted by the UOOU.

Technical Cookies v. Non-Technical Cookies

• Websites can use technical cookies, which are essential for a website’s operations, without the consent of the users.
• Valid consent of users should be obtained prior to the activation of non-technical cookies, which are used to monitor the behavior of website users for marketing purposes, etc.

Notification Requirements

• Users should be provided with appropriate information in simple language regarding the following matters:
  • the purposes and legal reasons for the use of cookies, including technical and non-technical cookies and the applicable consent requirements;
  • the controller of personal data obtained through cookies,
  • any legitimate interests of the controller,
  • the recipients of personal data,
  • the intention to transfer personal data to a third country or an international organization,
  • the contact details of the data protection officer,
  • the storage period of cookies and personal data - the controller should set such periods keeping in consideration the principle of storage limitation,
  • the rights to access, correction, erasure, portability, objection to processing, restriction of processing, withdrawal of consent, and to lodge a complaint with the supervisory authority,
  • whether the users’ provision of personal data is a legal or contractual requirement or a requirement to enter into a contract, and
  • whether automated decision-making takes place, including profiling.
• A website should provide the foregoing information in both English and the Czech language (for Czech-speaking visitors).
• Any information provided should be clear, structured for clarity, accessible, and comprehensible for the average user.

Consent Requirements

• Demonstrable consent should be obtained from website users prior to the use of non-technical cookies and similar technologies.
• Consent should be free, specific, informed and unequivocal.
• Pre-set consent-friendly browser settings do not constitute valid consent.
• Consent cannot be implied. A user continuing to browse a website without interacting with the consent banner, or closing the banner without expressing whether or not they give consent, cannot be considered valid consent.
• Users should be able to revoke their consent at any time. Withdrawal of consent should be as easy as giving consent, such as through an easily accessible button or a link on the website.

Design of Consent Banner

• The consent banner should facilitate users in terms of readability and accessibility of website content.
• Pre-ticked options should not be used on the consent banner.
• While users can accept or reject to give consent for each individual non-technical cookie, the processing purpose, or administrator, users should also be able to accept or reject all non-technical cookies at once.
• The ‘Accept All’ and ‘Reject All’ buttons should be placed on the same layer of the consent banner (preferably the first layer) and in a comparable visual design.
• The accept and reject buttons should not be designed in a manner that is misleading to the users. The buttons’ appearance, font, and color should be such that the user is freely able to decide whether to give consent or not.
• The colors of the buttons should be chosen in a way as to respect the generally accepted meaning of the colors.
• The link to detailed information regarding the use of cookies may be provided in the first layer of the consent banner.

Re-presenting the Consent Banner

• The website operator should determine the period for which cookie consent is valid and the period after which a consent banner may be re-displayed following the refusal of consent, taking into account the processing purpose and the expectations of the data subjects.
• Generally, 12 months may be considered a reasonable time for the validity of consent. Moreover, in case of refusal of consent, a consent banner should not be re-presented for at least 6 months after the last display, provided this time period may be lessened if:
  • one or more processing circumstances have changed significantly - for example, there is a significant change in the settings of the consent banner and/or the processing purposes, or there is such a change that could prompt the user who earlier refused consent to now give consent; however, the change of individual cookies cannot be considered a significant change, or
  • the operator is not able to monitor the previous consent choice - for example if the user has deleted the cookies stored on their device.
• If there is a significant change in processing that would also affect users who previously gave their consent to the processing of personal data, it is necessary for the data controller to re-apply for the users’ consent.

Use of Cookie Walls

• A cookie consent banner should not be placed or designed in such a manner that it prevents interaction with the website and only collapses when a user has selected an option on the banner regarding their consent for the use of cookies.

How Securiti Can Help

Securiti’s Cookie Consent Management Solution enables you to achieve compliance with the Czech Republic’s cookie consent requirements with the help of the following features:

• Scanning and auto-classification of cookies and similar technologies,
• Implementation of an opt-in cookie consent banner with equally prominent accept and reject options of comparable sizes, fonts, and colors,
• Unchecked consent for non-technical cookies by default,
• Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations,
• Legally compliant consent banner verbiage,
• Compliance with leading industry frameworks such as the GPC and IAB EU TCF,
• Provision of simple, accessible and detailed information for users on the use of cookies through consent banners and preference centers, and
• Maintenance of updated and comprehensive consent records to help you demonstrate compliance.

Ask for a DEMO today to understand how Securiti can help you comply with global privacy laws.