On 9 November 2022, the Office for the Protection of Personal Data for the Slovak Republic (ÚOOÚ) published updated guidance on the use of cookies. Prior consent is required for the use of cookies except for those cookies that are considered absolutely necessary or essential to provide the website service expressly requested by the user.
The ÚOOÚ reminds organizations that the consent for the use of non-essential cookies must be freely given, specific, informed, unambiguous, and as per the requirements of the GDPR.
This article provides an overview of the Slovakian Guidance that will help companies ensure compliance with Slovakian consent requirements for the use of cookies.
Freely Given Consent
Freely given consent implies real choice and control with the data subject. Consent is not valid where the user is forced to give consent or suffers negative consequences for not providing consent.
For consent to be considered freely given, access to services and functions of the website should not be made conditional to the data subject’s acceptance of the use of cookies. This means that the website user must be able to continue the use of a website even if he/she chooses to not accept non-essential cookies. Any cookie banner that covers an entire website and requires users to give consent in order to be able to use the website is construed as forcing consent.
Moreover, website users must have the option to close the cookie consent banner without accepting cookies, for example, by clicking on the X button on the top right corner of the banner. If the user clicks on the X button with the intention of closing the banner, the website operator is not authorized to activate any non-essential cookies.
Purpose Specific Consent
As per the GDPR, the data may be processed only for specified, explicitly stated and legitimate purposes. For any processing of data for purposes other than those that have been communicated to the data subject, the data controller must obtain fresh consent from the data subject so that they retain control over their personal data. This means a website operator cannot use cookies for marketing purposes if users are informed that cookies will only be dropped for statistics and traffic analysis.
Also, users must be able to consent to specific categories of cookies based on their purposes. The ÚOOÚ notes that consent is not considered freely given if the user is unable to grant separate consent for separate cookie purposes.
Informed Consent
To ensure user transparency, the data controller must provide the following information to data subjects while obtaining their consent:
- The identity of the data controller,
- The purpose of all processing operations for which consent is required,
- The category of data to be obtained and used,
- The existence of the data subject’s right to withdraw consent,
- Information on the use of data for automated decision-making where applicable,
- Any possible risks associated with cross-border data transfer due to the absence of an adequacy decision and appropriate safeguards, and
- The list of all organizations with whom user’s personal data is shared via cookies. The list needs to be regularly updated so as to allow the data subject to grant consent for specific organizations.
For providing all the relevant information to data subjects, a cookie consent banner and a cookie policy may be used. Where a cookie consent banner provides the necessary and most important information in a clearly formulated manner, a cookie policy, located on the website, consists of detailed information on cookies that can help users make an informed choice.
A cookie banner should contain detailed information on the classification of essential and non-essential cookies and should describe the purpose of each cookie category. The cookie consent banner may provide the link to the cookie policy if a user seeks detailed information.
Unequivocal Consent
The data subject’s consent must be clear and deliberate so that there remain no doubts about his/her intention. Moreover, all non-essential cookie categories, such as marketing and analytics, should be turned off by default.
Withdrawal of Consent
The data subject must have the right to withdraw consent at any time without any adverse consequences, and such an option should be easily accessible. The withdrawal of consent must be as easy for the user as giving consent, and consent withdrawal must not affect the lawfulness of prior data processing based on consent.
Use of Language and Colors on Banners
Data controllers must use appropriate and clearly understandable language on consent banners for the consent to be considered freely given and informed, and to not force users to consent.
The wording used on consent banners for obtaining consent must clearly denote users’ agreement. For this purpose, the ÚOOÚ emphasizes that the term “I Understand” is not recommended if the website drops non-essential cookies, and instead, unambiguous terms such as “I Agree” or “Accept” should be used so that the user would know that he/she has a choice and may express their consent unequivocally. However, the term “I understand” can be used if the website drops only essential cookies as it draws attention to this fact in order to increase transparency.
It is possible to not provide any “accept” field on the first information layer of the banner provided that the consent banner provides “Reject All” and an “Edit Settings” field that includes the option for the user to select all options.
Moreover, the colors of all fields on the consent banner must be the same so that the user is not instinctively prompted to click any of the options. For example, having an “Accept All” button in green and other options in red is not allowed because such a consent design would prompt the user to click on the “Accept All” option.
How Can You Demonstrate Compliance with Securiti?
The ÚOOÚ has emphasized that the burden to prove that the users have consented freely to the use of cookies falls upon the website operator. The website operator, as a data controller, must be able to demonstrate that they have obtained users’ consent for the processing of data, as per the requirements applicable in Slovakia.
Securiti’s Cookie Consent Solution helps organizations comply with cookie consent requirements with the help of the following features:
- The implementation of an opt-in cookie consent banner;
- The ability to design equally prominent accept and reject fields on the cookie consent banner;
- Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations; and
- Updated and comprehensive consent records to help demonstrate compliance.
Ask for a DEMO today to understand how Securiti can help you comply with global data privacy laws.
