COMPUTER COOKIES – A CHANGE OF REGULATION YOU SHOULD NOT MISS

If you operate a website you probably guessed that we wrote this article especially for you. From 1st January 2022 the regulation on computer cookies changes, therefore in this article we explain main principles of this change and advise how to simply implement this change of rules.

As we provide legal services for many online shops and other entities that will be affected by this change of regulation, we decided to give you an early Christmas gift – a detailed step-list how to handle the new cookies legislation.

What are computer cookies?

Computer cookies are text files containing a small amount of information that are downloaded to your phone, computer or other device during web browsing. If you visit the website again, these cookies files are sent back to the original website or other website that recognizes cookies.

Simply said – by using cookies a website saves information about web browsing. Cookies are typically used in combination with Google Analytics, Sklik, Facebook Pixels, Hotjar, etc.

What categories of cookies exist?

There are several types of cookies that differ according to what information they store and for what purposes they use these information:

• Essential (session) cookies are necessary for basic functionality of a website. Therefore, in order for your website to be able to fulfil its basic function, you cannot do without these cookies. Typical example of use of essential cookies is online shopping – the website remembers the content of your cart after you click on the next item. Without this function, the eshop could not work properly.
• Other cookies are in practise sorted into these categories:
  • First-party (persistent, permanent or stored) cookies allow the website to remember personal settings or its look (e.g. preferred language of the website).
  • Third-party cookies (tracking cookies) track how visitors use the website and provide their operators with data for improving the content and functions of the website. They are also used for personalisation of advertisements and their right targeting.

What rules apply until 31st December 2021?

Until 31st December 2021 you do not need consent for using essential cookies, as without them the website cannot work properly. For using other cookies on your website, you need user’s consent, but you do not have to require this consent by a cookie bar.

As it is possible to set in every web browser whether saving of cookies can be allowed or not, every user has the possibility to set this in advance. Such web browser settings is according to The Office for Personal Data Protection considered as a necessary consent, or more precisely, this consent is, till 31^st December, presumed in absence of the web browser settings.

Website operator still has to fulfil the information obligation; he/she has to provide website users with this information: who processes cookies, to what extent, for what purpose cookies are processed, to whom cookies may be accessible, how the consent works and how to set up a web browser. The above-mentioned information is usually provided on a website page named “Cookies” or “Cookies Policy”.

If you fulfil the above-mentioned obligation, other cookies can be activated on your website for users until they change their website browser settings or until they inform you in some other way that they disagree with using other cookies. This principle is called opt-out.

What rules apply from 1st January 2022?

From 1st January 2022 you still will not need user’s consent with using essential cookies, as the website cannot work properly without them. For using other cookies on your website, you will need user’s consent, but it will no longer be enough to refer to the web browser settings. It will be necessary to get user’s consent actively using so-called cookie bar, i.e. with the opt-in method. Be aware that you can use other cookies only after you obtain the user’s consent, until the consent is revoked.  

How should the cookie bar look like?

The cookie bar should not bother users excessively; so it should not pop up and cover the entire page or its major part.

The information obligation should be fulfilled in the cookie bar.. The cookie bar should therefore contain at least information that the website uses cookies and also a link to website page with cookies policy. This page should contain following information:

• Identification and contact details of the administrator (i.e. website operator)
• Explanation of what computer cookies are
• Explanation what types of cookies you use; ideally with a table with particular cookies containing name of specific cookies, name of the provider, the purpose of cookies, time of cookies processing, type of cookies, and information to whom are cookies accessible. Your IT technician will help you prepare this table.
• Explanation of the consent with using cookies– how to grant it and withdraw it.

The cookie bar should contain an option to allow all cookies (known as “allow all”), reject all cookies (except for essential cookies, this option is known as “reject all”) and an option to custom cookies settings (an option named e.g. “manage cookies”) where users can give consent or reject each particular category of cookies. It should be possible to close the cookie bar by a “cross” even without choosing any option.

Consent to the essential cookies my and by its nature must be default and it must not possible to remove it, as without essential cookies the website cannot work properly. Default consent with other cookies is not allowed. Users should actively click on the option “allow” and this option cannot be preselected.

Giving consent should be as easy as withdrawing it. Ideally, buttons on the cookie bar should have the same colour so that one of the options is not instructive or misleading for some users, i.e. quick choice should not be too difficult. At the same time, once the user allows cookies, there should be an option on the website to open the cookie bar again and set cookies again. Alternatively, users should be able to set cookies again on the “Cookies Policy” page, i.e. to withdraw their consent.

What if your website has reach to other EU Member States?

The rules that will be effective in the Czech Republic from 1st January 2022 already apply in most EU Member States. The Czech Republic is one of the few countries that implemented this legislation with delay, and therefore we recommend adjusting the cookie bar to above-mentioned rules also for websites that have reach to other EU Member States. Naturally, the cookie bar should be translated to appropriate language so that users are able to understand it.

How the rules might change?

New EU “e-privacy” regulation, which it should complement GDPR regulation, is being prepared. E-privacy regulation will be directly effective in all EU Member States and one of the areas it should regulate is computer cookies. It is being said that e-privacy regulation will end the use of cookie bars, however, final version of the regulation is not known. So there is no choice but to wait.

For now we recommend adjusting cookie bar on you website with effect from 1st January 2022 and fulfil your information obligation by the Cookie policy page. You and your copywriter may adapt the wording to your style of expression but always make sure everything is clear, understandable and not misleading.