On 1 February 2022, the Act No. 452/2021 Coll. on Electronic Communications entered into force and replaced the Act No. 351/2011 Coll. on Electronic Communications. We discuss the new Electronic Communications Act and the new instruments and institutions in a separate article titled "The New Electronic Communications Act". If you are interested in reading about the changes that the new legislation introduces for the activities of telecommunication companies, you can find the article here.

In this article we examine the details of the regulation of so-called "cookies" introduced by the new Act. The term "cookies" itself does not appear in the Act; it refers to "the information saved in a user's terminal device." This information may be of a diverse character or, in other words, may be saved for various purposes. Thus, different types of cookies can be distinguished, e.g. necessary, analytical or marketing cookies.

Consent to cookies according to the new regulation

Similar to the previous regulation, the new regulation requires the user's consent for saving or accessing cookies. However, when compared with the previous regulation, the new Act introduces numerous changes. So, what must consent be like according to the new regulation?

Freely given

The consent must be granted voluntarily and must not be enforced in any way. The options to grant and to refuse the consent should be displayed equally on the so-called cookies bar. It is advisable to avoid a situation in which refusing the consent is too complicated and therefore more difficult than granting it. Furthermore, the user must not be urged or persuaded in any way to grant the consent. The user's ability to make the decision freely should include their ability to choose which cookies they consent to and which they do not.

Active

Only consent granted by the user's own activity (an unambiguous confirmatory action) is acceptable. Simply continuing to browse the page with "pre-clicked" boxes, without any active clicking, is not considered actively granted consent.

Web browser settings are not considered actively expressed consent; this option was explicitly excluded under the new regulation. The new Act has removed the following sentence from the previous regulation: "The use of the relevant settings of a web browser or other computer programme shall also be considered as consent for this purpose." This means that from 1 February 2022 web browser settings, as well as settings of other PC programmes, cannot be considered as the proper granting of consent. In practice, the change means that when processing cookies, entrepreneurs are obliged to request actively expressed consent upon a potential customer's first visit to the website. Entrepreneurs that used to save cookies based on web browser settings have to change their practice and harmonize it with the new regulation.

Informed and prior

Prior to granting the consent, the user must be informed and must have had a chance to familiarize themselves with all relevant information, e.g. which particular cookies are used, what their purpose is, how long they are stored, who is going to use them, and whether they will be made available to third parties.

Specific

The consent must be specific, which means that it must be granted specifically and individually for each particular purpose of the processing (e.g. statistical or marketing purposes).

Demonstrable

The new Act explicitly requires that the consent to storing this information and making it available be demonstrable. On the other hand, the Act does not further specify when the consent is considered demonstrable, nor does it specify the requirements for demonstrability.

When consent is not required

The exceptions that already existed under the previous Act remain: the consent is not required when it comes to so-called necessary cookies. These are cookies "whose only purpose is the transmission or easing the transmission of messages via a network, or if it is absolutely necessary for the provider of the information-society service for providing the information-society services explicitly requested by the user."

Primarily, each entrepreneur should know which cookies they store on their website and for which purpose; the purpose is decisive for assessing whether consent is required for their storage.

Necessary cookies (also labelled as "functional") are those cookies that are strictly necessary for the proper functioning of the website visited by the user. Websites also often store so-called analytical cookies which gather various statistical data for website operators to assess, e.g. how the users use the website, how many visitors have visited the website etc. In general, these cookies cannot be considered as necessary for the functioning of the website and, therefore, their storage is subject to the consent granted by the user.

Similarly, marketing cookies, often used for targeted advertising purposes, are subject to the user's consent too. In case the website provides marketing data to other persons (third parties), this must be transparent, and the user should be informed thereof as well.

Consequences

In practice, we recommend that entrepreneurs operating websites carry out an internal "audit" and examine which cookies they store and for what purposes and, based on that, adjust the consent to cookies in accordance with the new legislation.

An important change in comparison to the previous regulation is that the new one introduces sanctions that can be imposed for breach of obligations relating to the use of cookies. The storing and processing of cookies in violation of the law carries a fine ranging from EUR 200 up to 10% of turnover calculated from the previous financial year. If it is not possible to determine the amount of such turnover, the Office for the Regulation of Electronic Communications and Postal Services imposes a fine of up to EUR 300,000.

GDPR violations in the use and processing of cookies containing personal data of individuals carry a fine that can be imposed by the Office for Personal Data Protection and that can amount to up to EUR 20 million or 4% of the company's total global turnover.