COOKIES. CONSENT. COMPLIANCE
secure privacy badge logo
March 7, 2022

Czech Cookie Law: What Do Businesses Need to Know

The last amendment to the Czech Republic’s national data protection legislation guarantees full alignment with the European data privacy laws, including the GDPR and the ePrivacy Directive. Read about these latest updates here.

Starting from 1 January 2022, the Czech Republic’s national data protection legislation is aligned with the GDPR and the ePrivacy Directive, thanks to the amendments to the Act 127/2005 Coll. on Electronic Communications. It was the last amendment of the Czech national legislation needed for a full alignment with the European data privacy laws and the national laws of their European counterparts.

Previously, the misalignments of the privacy laws resulted in confusion for the Czech online businesses, but now the rules have been simplified and easy to follow.

Data Protection regulatory landscape in the Czech Republic

Because the Czech Republic is a member state of the European Union, which means that aside from their national laws, the EU regulations are also directly applicable to Czech citizens and businesses.

In terms of data protection, the following laws apply:

  • The Czech Act No.110/2019 on Personal Data Processing, which aligned the existing data protection law with the GDPR,
  • The Electronic Communications Act, which has not been fully aligned with the ePrivacy Directive until the  most recent amendments have been made, and
  • The General Data Protection Regulation of the European Union, which is directly applicable in all the EU member-states, even if their national laws are not fully aligned with the regulation.

All three laws co-exist and are enforced at the same time. Every business operating from the Czech Republic or handling personal data of Czech customers has to comply with all of them simultaneously.

Fortunately, the rules arising from each of them are similar now and compliance with one of the laws will likely make you compliant with at least some of the requirements of the other laws.

What’s new with the amendments to Act 127/2005 Coll. on the Electronic Communications?

Until 1 January 2022, Czech website owners could only rely on the opt-out principle in the use of cookies. That meant that the national law allowed Czech businesses to use cookies if users had not clearly protested the collection and the processing of their personal data.

If you‘re familiar with the GDPR and the ePrivacy Directive requirements, you know that the requirements of the Czech national law were not aligned with them. 

That’s not the case anymore. Now all laws applicable to Czech businesses clearly state the need to obtain the users’ explicit consent for the use of cookies and other tracking technologies.

In sum, the amendments to the law confirm that the consent needs to be:

  • Freely given, which means that the business must not condition the consent with access to the website, parts of the website, or anything else that should be available without tracking. This also means that cookie walls, where websites do not allow users to access the website without accepting cookies, are against the law.
  • Informed, which means that the user should be informed about the privacy practices of the business at the moment of collection of personal data. In practice, this means that the website should provide the user with a link to their privacy policy at the moment of requesting consent. The user can then read the privacy policy and make an informed decision whether to give consent or not.
  • Specific, which means that the business should obtain separate consent for each specific purpose of processing. If the business processes personal data for analytics and marketing purposes, which are two different purposes, then the business is required to obtain consent for each specific processing purpose.
  • Unambiguous, which means that the user needs to take affirmative action to consent to the use of cookies. Therefore, statements such as “By browsing this website you agree to the use of cookies” are against the law.
  • Easily withdrawn, which means that the user should be allowed to withdraw the previously given consent as easily as it has been given. If it has been given with a single click on an ACCEPT button, then it should be withdrawn with a single click on a WITHDRAW CONSENT button. You cannot require them to contact you over the phone or email or ask them to fill in requests as that would be a violation of the law.

Aside from the updates on the use of cookies, the amendments introduced important changes regarding contacting users for direct marketing purposes.

Until 1 January 2022, businesses could rely on the opt-out mechanism, i.e. they could contact customers using their personal data until the customer opted out. Now, they have to comply with the opt-in principle, which means contacting only the customers who have given consent to be contacted.

What do the updates mean for businesses?

Given the GDPR requirements and their direct applicability in every single EU member-state, the amendments to the Czech law do not bring anything substantially new. Businesses had to comply with the GDPR cookie requirements already. They also had to ask for consent before using personal data for direct marketing.

Therefore, businesses that complied with the GDPR will have no issues complying with the Czech cookie law as well. On the other hand, Those that have not been compliant with the GDPR  still have a lot of work to do.

How can you comply with the Czech Cookie Law?

Similar to the GDPR, the Czech cookie law amendments require you to obtain consent for the use of cookies. You can do so by serving your website visitors with a Czech Cookie Law-compliant cookie banner that will collect and record their consent. Remember, the consent must be: freely given, specific, informed, unambiguous, and easily withdrawn.  Take a look at cookie banner best practices.

In addition, you are required to keep records of all the obtained consents.

Secure Privacy can provide you with a ready-made SaaS for compliant consent collection according to the Czech Cookie Law and the GDPR.

Image

Third-Party Risk Management in Consent Compliance: A 2025 Perspective

Is your organization effectively managing the risks associated with third-party consent practices? With the growing complexity of vendor relationships and stricter regulatory requirements, a comprehensive approach to TPRM has never been more crucial for maintaining both compliance and consumer trust.

  • Legal & News
Image

FCC's One-to-One Consent Rule Eliminated: What This Means for Your Marketing Strategy

The marketing landscape has shifted significantly with the elimination of the Federal Communications Commission's One-to-One Consent Rule. Originally set to take effect on January 27, 2025, the rule was struck down by the U.S. Court of Appeals for the 11th Circuit just days before implementation. This last-minute reversal has substantial implications for how businesses collect, share, and utilize consumer contact information. What does this mean for your marketing operations? How should your business respond to maintain both regulatory compliance and consumer trust? This article explores the implications of this ruling and provides actionable guidance for navigating the evolving regulatory landscape.

  • Legal & News
  • Cookie Consent
Image

Why Ethical Data Practices are a Competitive Advantage in 2025

Is your organization leveraging ethical data practices as a strategic asset? The evidence shows that companies treating data ethics as a core business function rather than a compliance burden are gaining significant competitive advantages in today's privacy-conscious marketplace.

  • Legal & News
  • Cookie Consent