Czech Republic: FAQs related to cookie bars and consent
Cookies have become an integral part of web browsing. However, the use of cookies has raised several privacy and security concerns. Under Czech law, website operators are required to obtain visitors' consent before storing non-technical cookies on their devices. In this Insight article, Tomáš Matějovský, Daniel Szpyrc, and Jakub Kabát, from CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., delve into practical strategies for implementing cookie consent mechanisms. They also provide an overview of frequently asked questions (FAQs) regarding cookie banners and consents, only available in Czech, and recently published by the Czech Office for Personal Data Protection (UOOU).
The UOOU has issued a set of FAQs to ensure that websites comply with the relevant regulations. The FAQs cover a range of topics related to the use of cookies, such as the need for a cookie bar, obtaining user consent, informing users of the cookies, allowing users to withdraw consent, processing personal data through cookies, using different buttons for 'accept all' and 'reject all', and pre-selected options in settings. In addition, the FAQs also address issues regarding cookie walls and the duration of consent retention. By understanding these different aspects of cookie usage, website operators can ensure that they are compliant and protect users' privacy.
Summary of the key FAQs
The FAQs first explain in general terms whether a cookie bar is necessary for websites and outline the regulations for its usage. According to the UOOU, if the website uses cookies, it must clearly specify the purpose of each cookie and establish the legal basis for processing personal data. Additionally, the website must fulfill the obligation of informing data subjects about the processing of their personal data and their corresponding rights. Consent is necessary for non-technical cookies, and the website must offer an opt-out button. The cookie bar must be easy to read and access, without impeding interaction with the website (e.g. cookie walls). Therefore, it must incorporate a feature that allows users to easily close the bar without making a specific choice. On the other hand, if the website only uses technical cookies, it does not need to have a cookie bar, but the obligation to provide information remains.
In addition, the FAQs explain the different consent requirements according to the different regulations. The Czech Electronic Communications Act requires verifiable consent for the use of non-technical cookies on websites. On the other hand, the GDPR stipulates that any processing of personal data, including via cookies, must be founded on one of six legal bases, one of which is consent. Therefore, the UOOU confirms that personal data can be processed through cookies based on legitimate interest. However, if the controller decides to rely on consent as the legal basis, it must be free, specific, informed, and unambiguous. It is possible to obtain both types of consent simultaneously, provided that all requirements are met.
Finally, certain questions relate to the form of user consent and the circumstances under which the provider can assume that consent has been granted. It is emphasized that the design and color of consent buttons should not influence the user's decision. Additionally, the 'reject all' button must be placed on the same level as the consent button, ensuring that opting out is as effortless as opting in. Pre-checked boxes for analytics and marketing cookies do not constitute consent. The UOOU recommends informing users of all individual cookies, their purpose, and their retention period. This information can be provided in the second layer of information. Closing the cookie bar or browsing the site without giving explicit consent cannot be considered valid consent.
Consent to use cookies is typically valid for 12 months. If the user refuses consent, it is not necessary to require consent again for a minimum period of six months from the last time the cookie bar was displayed. However, this period may be shortened if one or more of the processing circumstances change significantly or if the operator is unable to track the previous consent or refusal (e.g. if the user has deleted cookies stored on their device).
Practical strategies for implementing cookie consent mechanisms
We have identified the following practical strategies for implementing cookie consent mechanisms and best practices for organizations:
- Clearly define the purpose of each cookie: if your website uses cookies, it is important to define the purpose of each cookie to determine the legal basis for processing personal data. This ensures compliance with the relevant legislation and enables proper consent from users.
- Obtain valid consent: verifiable consent is required for the use of non-technical cookies. If the website operator intends to process personal data through cookies based on consent, the consent should also be free, specific, informed, and unambiguous.
- Avoid pre-checked boxes for non-technical cookies: pre-checked boxes for non-technical cookies are not considered valid consent.
- Enable withdrawal of consent: allowing users to withdraw their consent is essential, and they must be informed about this option.
- Provide a 'reject all' button in the cookie bar: websites using non-technical cookies must provide a 'reject all' button in the cookie bar. The cookie bar must be readable and accessible, and should not prevent interaction with the site. It should also include a mechanism to easily close the bar without selecting a specific response.
- Avoid influencing the user's decision: the design and color of consent buttons should not influence the user's decision. The 'reject all' button must be placed on the same layer as the consent button, making it equally convenient to reject or to give consent.
- Allow users to access the site without accepting cookies: preventing users from accessing the site before accepting cookies is not allowed, and closing the cookie bar or browsing the site without providing explicit consent cannot be considered valid consent.
- Renew consent after 12 months: consent to use non-technical cookies should be valid for 12 months. The website operator should then renew the consent. If a user refuses consent, the website operator can request consent again after a six-month period.
- Fulfill information obligations towards data subjects: the website must comply with the obligation to provide information to data subjects about the processing of their personal data and their rights.
- Regularly review and update your cookie policy: it is important to regularly review and update your cookie policy to ensure compliance with relevant legislation.
By implementing the above practices, organizations can ensure compliance and protect users' privacy.
Tomáš Matějovský Partner
Daniel Szpyrc Associate
Jakub Kabát Associate
CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., Prague