The Office for Personal Data Protection (hereinafter referred to as the “Office or the Office”) has published a control plan for 2022 (Czech only). The most talked about are controls of cookies on websites and the dissemination of unsolicited advertising. What exactly do businesses need to implement to avoid becoming the target of inspections and fines?

New legal regulation of cookies from 1.1.2022

The reason for cookie controls is the amendment to the Electronic Communications Act (Act No. 127/2005 Coll.), which requires obtaining consent from website visitors to use cookies. The only exceptions are technical cookies that are necessary for the correct functioning of the website. In addition, the Office for Personal Data Protection has published a methodology on how cookie banners (cookie setting dialogs) should look and function. Until the amendment, the requirement for consent was not precisely formulated, which is probably why the use of cookies was not intensively monitored.

We recommend that website operators using cookies for analytical and marketing purposes revise or newly implement solutions to obtain consent (cookie banners). Many practical examples show that businesses have great difficulty complying with the new requirements. The Authority will start inspections as early as Q2 2022.

Large EU markets have stricter requirements

Companies operating abroad should implement a solution that is in line with the practice of local authorities. Otherwise, they may face heavy fines. For example, the French data protection authority CNIL fined Google €150 million for an offence that is very common with Czech cookie banners – users of Google’s services could not refuse consent as easily as they could provide it. This is a very popular trick, where websites do offer the option to refuse cookies, but only after a complicated click through the cookie banner. The CNIL requires that users have an equally effective alternative to the “I agree” button, i.e. that they can refuse cookies with a single button. Facebook was fined €60 million for the same offence.

In the Federal Republic of Germany, on the other hand, great care is taken to ensure that the “Impressum” with the details of the website operator and the “Privacy Statement” are not blocked by the displayed cookie banner. In the event of non-compliance with these requirements, the website operator may receive a warning notice (“Abmahnung”) with the counterparty being entitled to assume the legal costs.

Control of commercial communications

In addition to the use of cookies, the Office will check whether direct marketing by electronic means complies with Act No. 480/2004 Coll. This means that in practice, the Office will focus in particular on the sending of email commercial communications. For this purpose, according to the Office’s statement, the customer databases of companies will be checked, as well as the legal title for sending commercial communications, the verifiability of consent, and possible links to other companies or associations with which they cooperate in this area.

Again, it should not be forgotten that stricter obligations are often enforced abroad. For example, according to German case law, a “double opt-in” is required for sending newsletters: after registering for the newsletter, the subscriber receives an e-mail with a verification link that he or she must click on to activate the newsletter. Without the “double opt-in” just described, the sender exposes himself to the aforementioned risk of a reminder (“Abmahnung”), as he is unable to prove that consent was given by the user of the e-mail address in question. In addition, the recipient of the junk mail is entitled to compensation of up to EUR 300 (judgment of AG Pfaffenhofen of 9.9.2021).