No-go Zones in the Use of Cookies

No-go Zones in the Use of Cookies

Czech Republic
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Office for Personal Data Protection has released an inspection plan for the year 2020, which announces that this year they aim at intensively focusing on cookie use and plan to start 8 inspections at once that are intended to check cookie use. Yet, cookies are also the subject of interest for some other inspection offices that have made numerous statements about the use of cookies. While in the rest of the EU, users’ consent is required before storing cookies (the opt-in principle), according to the current Czech legislation embedded in Act N. 127/2005 Coll., on Electronic Communications, cookies can be used until the user says something (opt-out principle).

Still, even in the Czech Republic the statements of inspection offices from other EU countries cannot be completely ignored, because cookies and other tracking technologies in most cases lead to personal data processing, and the data obtained concerns persons that, in combination with other collected data (e.g. IP addresses), can be identified. In this case, the Electronic Communications Act is used alongside the GDPR.

Even though the statements of inspection bodies do not completely agree with each other in some cases, we can deduce from them what approaches to the use of cookies and related processing of personal are not permitted. No-go zones, which one often comes across and that will be discussed further below, also apply in the Czech Republic. In this article, we will go through the three most common ones: cookie walls, obtaining consent from the user’s behavior, and classifying cookies as essential even when they are not.

Cookie walls

Some websites exact the user’s consent to the use of cookies and subsequent personal data processing through so-called cookie walls. A typical cookie wall looks like a banner that pops up over the whole webpage and prevents the user from browsing the content of the website.

In the Czech Republic, this is problematic particularly where consent is needed for the related processing of personal data, for instance if the data collected by cookies and tracking are used for personalized advertising.

According to the European Data Protection Board’s updated statement No. 5/2020 on Consent, consent like this is not given freely, for the user is not given an actual option to not consent. Personal data processing that is based on this consent thus contravenes the GDPR. Therefore, cookie walls are not advisable even in the Czech Republic.

Deriving consent from the user’s behavior

Many webpages contain a notice that by browsing a webpage the user agrees to the use of cookies. However, if the use of cookies is related to personal data processing, which should be based on the user’s consent (e.g. for personalized advertising), such consent is not given by a clear expression of will.

Thus, consent cannot be obtained indirectly based merely on the fact that users browse a page, spend a particular amount of time on the page, or that they have scrolled down half of the page. Such user interaction with a page does not directly imply users’ intention to give consent, as users might have some other motives (e.g. they might be trying to find contact details, which are usually located at the bottom of a webpage).

Classifying cookies as essential even if they are not

There are certain types of cookies that do not need the user’s consent for their use, and even Czech legislation does not set out an obligation to provide an option to refuse them. These are so-called essential cookies that serve the purpose of technical storage, or exclusively for the transmission of communications, or they are essential for information companies to provide the online service which the user has explicitly requested.

This no-go zone is relevant for the Czech Republic when the operator of a website incorrectly classifies cookies in such a way that an opt-out option is denied, does not provide information about personal data processing, or does not obtain consent to personal data processing (if it is needed).

But neither opt-in nor opt-out apply to essential cookies. Therefore, website operators could be tempted to include in this category as many cookies as possible.  As the Irish inspection office has found, in practice non-essential cookies are sometimes also included in this category. This is mainly because the classification of cookies is subject purely to the website operator’s discretion.

Cookies that are used for improving users’ experience, for instance those that remember search histories, are among those that are often mistakenly categorized as essential. We also cannot classify as essential cookies that are used for chatbots – such cookies become essential only after the user starts using a chatbot actively, which according to law, means that the user explicitly requests the service. On the contrary, cookies that are needed in particular for adding goods to a cart and for placing an order are genuinely essential.

Conclusion

As businesses have shifted online, inspection offices have begun to pay more attention to this area, and as we have seen recently, the use of cookies and tracking technologies on websites is a thorny topic. Nevertheless, these small and seemingly innocuous files and technologies often appear on the websites of companies without the legal and compliance officers’ knowledge. Yet, we advise against such approach in light of the stricter attention from inspection offices and planned regulations.

By Michal Nulicek, Partner, Bohuslav Lichnovsky, Senior Associate, and  Filip Benes, Junior Lawyer, Rowan Legal