In September 2021, the Chamber of Deputies approved an amendment to the Electronic Communications Act, which will come into force in January 2022. This brings the Czech legislature up to speed with the previously issued ePrivacy Directive, which is already in place in most EU countries. The amendment will affect almost everyone with a website!
Disclaimer: This is not a legal interpretation, but rather practical tips and recommendations based on the practice of our professionals. This article was written in collaboration with Tomas Pauch from eLegal, whom we would like to thank for their support in the legal field; we are pleased to see their interest in making the digital world work in a legally correct way.
According to the amendment, you can no longer get by with a sample GDPR page downloaded from the internet. Nor will a merely informative cookie bar do, one that has no functional effect on analytics or marketing codes.
Website operators will need to get clear consent from the visitor to use their data and tracking tools (Google Analytics, Smartlook, remarketing codes) for a clearly defined purpose. It does not matter then whether the data is from the website (IP address, cookie identifiers), user-supplied data (email, phone, address) or data from the user’s device (geolocation data, device information or screen resolution, etc.).
The amendment introduces an opt-in mode: the user has to actively agree to the use of cookies in advance. Without consent, no tracking may be started and no data collected. The only exception is data without which the website cannot function (products saved to a wishlist, preferred language, colour scheme, current products in the basket, etc.).
Digital Architects is a partner of Cookiebot, a tool we recommend to solve the current situation for small and medium-sized online projects. If you need help with implementation contact us at obchod@digitalniarchitekti.cz.
For larger projects we recommend considering consent management platforms (CMP) such as Usercentrics or OneTrust, where we are also happy to help with implementation.
Article content
We have designed the article as a summary of practical tips and recommendations that you can pass on to marketing specialists and analysts to ensure proper adoption in practice.
- What are cookies
- What to look out for when introducing consent under the new amendment to the law?
- What to do in Q4/2021?
- Related topics on privacy issues in the digital world
- What will targeting look like in a post-cookie digital world?
About Cookies
What are cookies?
Cookies are not biscuits, despite the icons now so common on websites. They are small text files containing, most often, advertising and user identifiers (strings of numbers and letters) used to link activity to a particular browser and, most importantly, to recognise the user when they return. They also provide the functionality behind some of the more advanced parts of a site.
Cookies are divided into:
- 1st party cookies – created by your own site
- 3rd party cookies – created by the scripts and partner codes that you insert into the site
Third party cookies are most often used by advertising systems and analytics tools to create more accurate audiences for targeting ads or tracking users’ movements around the web.
If you do not know what we are talking about, we recommend watching the webinar on cookies that we prepared together with eLegal.cz.
What are cookie bars?
Cookie bars are parts of a website that provide an interface for a user to decide whether to use their personal data (primarily identifiers stored in cookies) for further processing (most commonly targeting ads or tracking their movements around the site). Their format varies and they should offer a simple and clear option for your decision.
The situation is now changing: you need consent for each purpose of processing these files (including the actual storage of the files on the user’s device), in line with the requirements of the GDPR. The GDPR requires consent to be:
- Informed,
- for a specific purpose,
- for a specified period of time,
- actively given,
- free,
- revocable as easily as it was granted.
What are CMPs?
If you have been following the issue of cookies and consent under the GDPR, you have probably come across the increasingly common acronym CMP, consent management platform. These are third-party tools that, in addition to displaying a cookie bar on a website, offer companies comprehensive management of, and processes around, their customers’ data. This includes recording other consents under the GDPR, and in practice they are generally used as part of so-called compliance, the process by which a company tries to comply with the various regulations of the countries in which it operates. Operating in multiple countries is often the argument for choosing a more complex solution than a simple open source bar.
What to look out for when introducing consent under the new amendment to the law?
By browsing the site, you agree…
This simple notice to users about the use of cookies can no longer be relied on.
- You will need an active action from the user – a checkbox, button or toggle
- The GDPR says that consents should be separate and tiered by purpose and scope (the user should be able to choose what we may collect about them – hence the commonly recommended categories, e.g. Technical/necessary, Preference, Statistical, Marketing cookies)
- By default, everything should be unchecked / turned off (except technical cookies)
- The user must be able to decline the storing of anything on their computer
Default cookie bar settings
The cookie bar must be easy to dismiss. It must not be permanently displayed with no option to close it, running “in the background”, or offering only an “I agree” option. This also applies to mobile devices. Besides breaching the privacy rules, you would be putting obstacles in users’ way by reducing the usability of the site. It is advisable to be able to control how the bar is displayed and how it behaves when declined or ignored.
If the user does not confirm the cookie bar (does not select each cookie category and confirm), you must automatically work with the default state: all denied.
Recommended cookie bar design
- Manage the options and make them clear – each cookie, advertising system or purpose must be clearly defined; the user must know what they are deciding on and what they are approving. This matters even more when the user returns to the bar, for example to withdraw consent.
- I don’t want anything – it is recommended to offer an option to refuse everything as well, although this may cause too large an influx of opt-outs.
- Recommended options in the bar (middle ground) – agree to everything, manage options, and only there refuse everything. Practice will show whether this option is legally and ethically acceptable; currently it is also possible to use buttons of different colours. This holds until the first fines and court decisions on what is and is not acceptable start to appear.
Recommendations on the cookie bar and a mixture of ideas for data collection
In addition to the cookie bar modifications, here are some notes that came to mind on this topic.
- In the privacy policy, we recommend placing a button that brings the bar up again and lets the user change their consents; when consent is withdrawn you must immediately delete the cookies in question and stop further processing of the data the user has refused. This button is often found at the bottom left or right of every page, depending on the tool used.
- The argument that I need to store cookies (especially analytics and marketing cookies) as a legitimate interest in order to grow my business does not hold water.
- A cookie wall or consent wall (no access to the site without consent) is not permissible: the user must be able to use the site even if they have not given consent in the cookie bar.
- Google or another advertising platform may have different requirements for consent (what the user has to agree to) than the legislation of a given country. For example, under Czech legislation you do not have to have a cookie bar yet (until 1. 1. 2022), but Google’s terms of use for both Google Analytics and Google Ads state that you must secure the user’s consent. These systems are naturally pushing for the data flowing into them to be as clean and legally sound as possible; Google Ads, for example, has started showing a recommendation that obtaining consent will improve your campaigns.
- Still, it is a good idea to have good quality, easy to follow information on your website about cookies: the intermediaries that receive user data, how long the data is collected for, the validity of the cookies, how they are renewed and what data they contain.
- We recommend that the cookie bar appears to be part of the site, respecting its design, rather than a box stuck on from a random provider
- Google Analytics will not pass as a necessary cookie, even with demographic and advertising data turned off
- Cookies in the EU: legislation in other EU countries copies ePrivacy and the interpretation is the same – opt-in always and everywhere (it is pointless to look for loopholes). Again, keep in mind that the policies of the advertising systems (see Google above) apply worldwide
- Do not confuse consent to cookies with permission to send personal customer data such as email or phone number to advertising systems – such processing needs separate consent. Some marketing systems try to walk the line of legitimate interest for direct marketing; here we always recommend asking your lawyer or DPO (Data Protection Officer) for a legal interpretation.
- Beware that some tools explicitly prohibit the sending of personal data within the data they collect. An example is Google Analytics, whose terms of use have prohibited the collection of personal data since its inception.
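The rules above (default state all denied, tags only after an explicit opt-in, immediate cookie deletion when consent is withdrawn) as an added example in plain JavaScript. This is not code from the article, Cookiebot or any other CMP; the cookie names in the category map and the in-memory cookie jar are constructed for the example, and real sites would wire `document.cookie` and their tag loaders into the same interface.

```javascript
// Added example, not code from the article or from any CMP vendor: a minimal
// consent store that applies the rules above. Categories default to denied,
// tag loaders run only after an explicit opt-in, and withdrawing consent
// deletes that category's cookies at once.
const CATEGORIES = ["preferences", "statistics", "marketing"]; // "necessary" is always on

// Which cookie names belong to which category. The names below are
// constructed for the example; map your own tags here.
const COOKIES_BY_CATEGORY = {
  preferences: ["site_theme"],
  statistics: ["_ga", "_gid"],
  marketing: ["_fbp", "_gcl_au"],
};

function defaultConsent() {
  // Opt-in baseline: everything unchecked except technical cookies.
  const state = { necessary: true };
  for (const c of CATEGORIES) state[c] = false;
  return state;
}

// `cookieJar` stands in for document.cookie (list() -> names, remove(name))
// so the logic can run outside a browser.
function createConsentManager(cookieJar) {
  const consent = defaultConsent();
  const waiting = { preferences: [], statistics: [], marketing: [] };

  function deleteCategoryCookies(category) {
    const owned = COOKIES_BY_CATEGORY[category] || [];
    for (const name of cookieJar.list()) if (owned.includes(name)) cookieJar.remove(name);
  }

  return {
    getConsent: () => ({ ...consent }),
    // Register a tag loader (e.g. the gtag or pixel bootstrap); it is
    // deferred until the category is granted.
    whenGranted(category, loader) {
      if (consent[category]) loader();
      else waiting[category].push(loader);
    },
    // Apply the user's explicit choices from the bar. Anything not set to
    // true counts as denied, so an ignored bar keeps the default state.
    update(choices) {
      for (const c of CATEGORIES) {
        const granted = choices[c] === true;
        if (granted && !consent[c]) {
          consent[c] = true;
          waiting[c].splice(0).forEach((fn) => fn());
        } else if (!granted && consent[c]) {
          consent[c] = false;
          deleteCategoryCookies(c); // withdrawal: remove cookies immediately
        }
      }
      return { ...consent };
    },
  };
}

// In-memory stand-in for document.cookie, constructed for the example.
function memoryJar(names) {
  const set = new Set(names);
  return { list: () => [...set], remove: (n) => set.delete(n), add: (n) => set.add(n) };
}
```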
Changes to Facebook and Pixel
Facebook has struggled with the collection of personal data almost since its inception. Now the changes will affect it in a big way.
- Custom and lookalike audiences – if you upload customer emails to Facebook to create a custom or lookalike list, you need consent to use them for that purpose.
- Watch out for Advanced Matching on Facebook – this feature already falls under the consent framework, and consent is required to process the following data for ad targeting: email address, phone, first name, last name, city, state, county, zip code and gender. It is hard to say when a user should give this consent and we recommend consulting a lawyer.
- Multiple pixels on multiple sites – using multiple pixels should be no problem if they belong to one company (main site + satellite sites); if the pixel is placed on sites of different companies, it is not correct
- Advertising account owner – ideally there should be only one owner of the advertising account, the pixel (or the entire Business Manager), and that should be the party to whom the user confirms the data collection. This can be a big problem because these accounts are often set up by specialists from their personal FB accounts
Use of email for newsletter
On many websites, a user can sign up for a newsletter. However, nowhere is it mentioned that this email goes on to 10 other marketing systems, several automations and three other processors (agencies).
The user has no way of knowing this, but you will be in breach if they have not consented to these purposes.
Two levels of functioning of remarketing cookie tags
Most advertising systems offer two levels of remarketing tags:
- at the first level they create an id (what we currently call cookies and what we consent to) by which they track you – consent to cookies is enough
- at the second level they ask the website operator to send your personal data, most often email or phone – you must have consent to the processing of data for that specific purpose (e.g. Advanced Matching on Facebook)
Obligation of the processor
If, as a processor, you discover that the controller is processing certain data unlawfully, you have a duty to inform the controller.
In this respect, it is enough to inform them along the lines of: “We believe you are processing this personal data without GDPR consent, which has implications for you.”
As long as the controller (client) does not explicitly decide to suspend the cooperation, you can continue to work as a processor.
Experience from Q1/2022
As we more or less expected, after the new year we received dozens of inquiries about cookie bars, cookie consent, measurement after cookie bar deployment and the data drop after cookie bar deployment. We list the most recurring queries here for everyone’s edification:
What should you have done in Q4/2021?
Don’t put off adjusting cookie bars, GDPR pages and downstream measurement changes and start working on it now.
- Familiarize yourself with the issues and changes that come with the change from opt-out to opt-in
- Implement your own consent management tool or use a third-party partner
- Start connecting your advertising and analytics systems to consent and get used to the new baseline
- Test cookie bar variations and evaluate their opt-in rates
- Monitor best practices (GCP) abroad, with competitors and across the market
- Test options for withdrawing consent following data deletion and user requests for data deletion under GDPR
- Beware of privacy washing – security and privacy may become one of the future competitive advantages by which customers choose where to shop or whom to entrust their data to; always approach this with a level head and avoid extreme recommendations
- Consider whether it is appropriate for you to use the principles of monetising users’ personal data
Related topics on the introduction of the amendment
The situation regarding mobile devices (ATT – app tracking transparency)
Operating systems (primarily Apple’s iOS) have begun requiring apps to respect a device-level setting that the user does not want to be tracked, and also ask when the app is first launched whether or not the user wants to be tracked.
Currently, this consent or refusal governs all tracking across the board – ad systems, ad ids, analytics tools and other libraries (Facebook, Google Analytics, Smartlook, etc.). It is not specified exactly when the consent prompt should appear, nor whether there is a way to inform the user beforehand about what the consent means and how you will work with it.
Modifying cookies in the browser (ITP – intelligent tracking protection)
Safari has been blocking 3rd party cookies for several years and capping 1st party cookies to expire after 1 day; other browsers will take a similar approach in the coming months or years.
Conversion and audience measurement via server
Currently, Google, Facebook and other systems allow measurement using server-side features. Of course, this setup may only be used after the user’s consent, as personal data such as email is often used for identification. Alternatively, the data must be sent in a fully anonymised form, for example only the fact that a conversion occurred. These techniques do not circumvent the need for consent, but they do get around ad-blocking add-ons and the tightening of cookie handling at browser level.
What will targeting look like in a post-cookie digital world?
First-party data
First-party data, i.e. data the website operator itself collects about its customers after obtaining the appropriate consents – examples include email marketing, push notifications and advertising directly within a website or app – will play a big role. Content sites and media houses built on video content will return to full strength, leveraging their networks of content sites to deliver targeted ads; at the same time there will be more incentive to create content specifically to mine your own visitor data and target specific business offers.
Privacy sandboxes
Global organisations and advertising houses are taking the approach of creating ‘privacy sandboxes’ – grouping aggregated data about users with specific behaviour (e.g. by the pages visited in the browser). The difference from cookies is that with cookies I can target specific users, whereas with a privacy sandbox I can target groups of users.
Contextual targeting
Let’s go back a few years, when contextual targeting, i.e. targeting according to the content of the page the user is currently reading, was key. Since then, AI text processing has moved on, and we are moving from simple keyword targeting to truly topic-based targeting.
Logged in user
Targeting specific users who agree, are logged in and more or less monetise their data by communicating their interests. They earn money from the ads targeted at them – an approach demonstrated by the Brave browser and other platforms of this type, which resemble turn-of-the-millennium group buying (the discount applies if you get enough people to buy with you).
Technical specifics
Interesting technical issues arise when using embedded services such as Google Maps, YouTube embeds, etc. You need to ensure that these tools do not themselves store cookies on the user’s device and collect statistical data for analytics or ad personalisation. YouTube offers a partial solution, the so-called no-cookie embed, but it is only cookie-free until the play button is pressed. This puts website operators in an interesting position: how to solve this technically? Not showing YouTube videos without consent? Or preventing clicks?
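One answer to the question above, as an added example that is not from the article, YouTube or Google: render a static placeholder that makes no request to YouTube at all until the visitor has opted in, and only then swap in the privacy-enhanced `youtube-nocookie.com` iframe. It assumes the embed is filed under the marketing category, that the cookie bar exposes some `openConsentBar` function for re-opening, and a constructed 11-character video id in the test; the strict id allow-list exists because the id is interpolated into HTML.

```javascript
// Added example, not from the article or from YouTube/Google: consent-gated
// embedding. Without marketing consent (assumption: that is the category the
// embed is filed under) the page renders a static placeholder that makes no
// request to YouTube; with consent it renders the youtube-nocookie.com iframe.
const EMBED_ORIGIN = "https://www.youtube-nocookie.com";
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/; // strict allow-list before interpolating into HTML

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderYoutubeEmbed(videoId, consent, title) {
  if (!VIDEO_ID_RE.test(videoId)) throw new Error("invalid YouTube video id");
  const safeTitle = escapeHtml(title);
  if (!consent.marketing) {
    // Placeholder: no iframe, no thumbnail from Google, just a button that
    // re-opens the cookie bar (the click handler is wired below).
    return (
      `<div class="yt-placeholder" data-video-id="${videoId}" data-title="${safeTitle}">` +
      `<p>${safeTitle}: playing this YouTube video sends data to Google. ` +
      `Allow marketing cookies to load it.</p>` +
      `<button type="button" data-action="open-consent">Load video</button></div>`
    );
  }
  return (
    `<iframe src="${EMBED_ORIGIN}/embed/${videoId}" title="${safeTitle}" ` +
    `allow="encrypted-media; picture-in-picture" allowfullscreen loading="lazy"></iframe>`
  );
}

// Browser wiring: call once on load and again whenever consent changes.
// `openConsentBar` is whatever your bar exposes for re-opening (assumption).
function upgradePlaceholders(doc, consent, openConsentBar) {
  let upgraded = 0;
  for (const el of Array.from(doc.querySelectorAll(".yt-placeholder"))) {
    if (consent.marketing) {
      // dataset values are already entity-decoded; render re-escapes them.
      el.outerHTML = renderYoutubeEmbed(el.dataset.videoId, consent, el.dataset.title);
      upgraded += 1;
    } else {
      el.querySelector("button").addEventListener("click", openConsentBar, { once: true });
    }
  }
  return upgraded;
}
```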
Cookie-less and GDPR consent free analytics
We are currently testing internally simple tools and counters that can be used without consent under either the Electronic Communications Act (ZEK) or the GDPR. These tools are counter.dev and microanalytics.io. In part, the GA3 library can also be configured to disable the storage of cookies. Such tools then function as simple pageview or event counters.
We are experts in analytics and will be happy to help you set up your metering so that everything is ready in time for the updated amendment. In addition, we can take care of ongoing measurement management or follow-up work with the data. If you are interested in legal interpretation, please contact our partner – eLegal.cz