Cookie tips from the analyst practice

In September 2021, the Chamber of Deputies approved an amendment to the Electronic Communications Act, which will come into force in January 2022. This brings the Czech legislature up to speed with the previously issued ePrivacy Directive, which is already in place in most EU countries. The amendment will affect almost everyone with a website!

Disclaimer: This is not a legal interpretation, but rather practical tips and recommendations based on the practice of our professionals. This article was written in collaboration with Tomas Pauch from eLegal, who we would like to thank for their support in the legal field and we are pleased to see their interest in making the digital world work legally correctly.

According to the amendment, you can no longer get by with a sample GDPR page downloaded from the internet. And you won’t have any worries if you add an informative bar about cookies, which will have no functional impact on analytics or marketing brands.

Website operators will need to get clear consent from the visitor to use their data and tracking tools (Google Analytics, Smartlook, remarketing codes) for a clearly defined purpose. It does not matter then whether the data is from the website (IP address, cookie identifiers), user-supplied data (email, phone, address) or data from the user’s device (geolocation data, device information or screen resolution, etc.).

Based on the amendment of the law, an opt-in mode is introduced = the user will have to click in advance to agree to the use of cookies. Without consent, it will not be possible to start or collect data. The only exceptions are data without which the website cannot function (stored products in the wishlist, preferred language, colour design or current products in the basket, etc.).

Digital Architects is a partner of Cookiebot, a tool we recommend to solve the current situation for small and medium-sized online projects. If you need help with implementation contact us at obchod@digitalniarchitekti.cz.

For larger projects we recommend considering consent management platforms (CMP) such as Usercentrics or OneTrust, where we are also happy to help with implementation.

Article content

We have designed the article as a summary of practical tips and recommendations that you can direct to marketing specialties and analysts to ensure proper adoption into practice.

What are cookies
What to look out for when introducing consent under the new amendment to the law?
What to do in Q4/2021?
Related topics on privacy issues in the digital world
What will targeting look like in a post-cookie digital world?

About Cookies

What are cookies?

Cookies are not cookies, as is now all too common on websites. They are small text files containing, most often, advertising and user identifiers (clusters of numbers and letters) used to link activities to a particular browser and, most importantly, to identify the user’s return in the future. They also provide functionality for some of the more advanced parts of the site.

Cookies are divided into:

1st party cookies: 1st party – created by your site
3rd party cookies: 3rd party – creates scripts and partner codes that you insert into the site

Third party cookies are most often used by advertising systems and analytics tools to create more accurate audiences for targeting ads or tracking users’ movements around the web.

If you do not know what we are talking about, we recommend watching the webinar on cookies that we prepared together with eLegal.cz.

What are cookie bars?

Cookie bars are parts of a website that provide an interface for a user to decide whether to use their personal data (primarily identifiers stored in cookies) for further processing (most commonly targeting ads or tracking their movements around the site). Their format varies and they should offer a simple and clear option for your decision.

Currently, the situation is changing where you need consent for each purpose of processing these files (which includes the actual storage of these files on the user’s device), which meets the requirements of the GDPR. The European Union (GDPR) requires consent to be:

Informed,
for a specific purpose,
for a specified period of time,
actively given,
free,
revocable as easily as it was granted.

What are CMPs?

If you’ve been following the issue of cookies and consent under GDPR on websites in general, you’ve probably come across the newly oft-mentioned acronym CMP in English consent management platforms. These include third-party tools that, in addition to prominently displaying a cookie bar on a website, offer companies comprehensive management and processes over their customers’ data. These include the recording of other consents under GDPR and generally used in practice as part of so-called compliance, a process whereby a company tries to comply with various regulations in the countries in which it operates. Operating in multiple countries is then often an argument for choosing a more complex solution than a simple open source bar.

What to look out for when introducing consent under the new amendment to the law?

By browsing the site, you agree…

This simple information for users about the use of cookies may no longer be available.

You will need an active action from the user – a checkbox or button or toggle
GDPR says that consents should be separate and should be tiered in purpose and scope (the user should be able to choose what we can collect about them – hence the often recommended categories e.g. Non-technical, Preference, Statistical, Marketing cookies)
By default, everything should be unchecked / turned off (except technical cookies)
Storing anything on the user’s computer should be able to be unchecked

Default cookie bar settings

The cookie bar must be easy to put away. It must not be in a permanently displayed state with no option to turn it off “in the background” or with only the “I agree” option. This also applies to mobile devices. In addition to violating the privacy policy, you would be throwing sticks under the feet of users with reduced usability of the site in such a case. It is advisable to ensure and be able to control how the bar is displayed and behaves when declined or ignored.

If the user does not confirm the cookie bar (does not select each cookie category and confirm), you automatically have to work with the default state – all denied.

Recommended cookie bar design

Manage the options and be clear about them – they must be clearly defined – I have to decide on each cookie, on each advertising system or on each purpose, the user must know what he is deciding, what he is approving; this is compounded if the user will return to the bar, for example, when he wants to withdraw consent.
I don’t want anything – it is recommended to place an option to disagree with everything as well, but this may cause too large an influx of opt-outs.
Recommended options in the bar (middle ground) – agree to everything, manage options and only here refuse everything – practice will show whether this option is legally and ethically acceptable, currently it is also possible to use different colour buttons, this is valid until the first fines and court decisions on what is and is not ok start to fall.

Recommendations on the cookie bar and a mixture of ideas for data collection

In addition to the cookie bar modifications, here are some notes that came to mind on this topic.

In the privacy policy, we recommend placing a button that brings up the bar again and allows the user to change the consents; you must immediately delete the cookies in question and prevent further processing of the data that the user has prohibited. Often this button is found on the bottom left or right of every page, depending on the tool used.
The argument that I need to store cookies (especially analytics and marketing cookies) to grow my business as a legitimate interest does not hold water.
Cookie wall or consent wall (no access to the site without consent) is not possible = the user must be able to use the site even if he/she has not opted out in the cookie bar.
Google or another advertising platform may have different requirements for consent (what the user has to agree to) than the legal legislation in a given country (e.g. according to Czech legislation you do not have to have a cookie bar now (until 1. 1. 2022), but Google’s terms of use for both Google Analytics and Google Ads state that you have to secure the user’s consent); of course, these systems are pushing for the data that goes into them to be as clean and legally sound as possible – this may be because Google Ads, for example, started sending out information in the recommendation box that giving consent will improve your campaigns.
Still, it’s a good idea to have good quality, easy to follow and understand information on your website about cookies, the intermediaries that accept user data, the length of time for which the data is collected, the validity of cookies, how to renew them and the data they contain.
We recommend that the cookie bar should appear to be part of the site, respecting its design, and not just a stuck-on box from a random provider
Google Analytics will not stand up as a necessary cookie even without Demographic and advertising data
Cookies in the EU: legislation in other EU countries copies ePrivacy and the interpretation is the same: opt-in always and everywhere (it is useless to look for loopholes) again, keep in mind that the policies of advertising systems (see Google mentioned above) apply worldwide
Do not confuse consent to cookies with the fact that I can send personal customer data such as email or phone number to any advertising systems – I must have separate consent for such processing. Some marketing systems try to balance the line of legitimate interest for direct marketing, here we always recommend asking your lawyer or DPO Data Processing Officer for a legal interpretation.
Beware that some tools may explicitly prohibit the sending of personal data within the data they collect. An example of this is Google Analytics, which from its inception has a prohibition on the collection of personal data in its terms of use.

Changes to Facebook and Pixel

Facebook has struggled with the collection of personal data since perhaps its inception. Now the changes will affect it in a big way.

Resolved lookalike audience – if you upload customer emails to Facebook to create a custom or lookalike list, you need consent to use it for that purpose.
Watch out for Advanced Matching with Facebook – this feature is already on the cookie framework and consent is required to process the following data for ad targeting: email address, phone, first name, last name, city, state, county, zip code and gender. It is difficult to say when a user should give this consent and we recommend consulting a lawyer.
Multiple pixels on multiple sites – the use of multiple pixels should be no problem if it is one company (main site + satellite sites); if the pixel will be on multiple sites of different companies, it is not correct
Advertising account owner – ideally, there should be only one owner of the advertising account, pixel (or the entire Business Manager) and that should be the one to whom the user confirms the data collection. This can be a big problem because often these accounts are set up by specialists from their personal FB accounts

Use of email for newsletter

On many websites, a user can sign up for a newsletter. However, nowhere is it mentioned that this email goes to 10 other marketing systems, several automations and three other processors (agencies).

The user has no way of knowing this, but you will be in violation of the terms if they do not consent to these purposes.

Two levels of functioning of remarketing cookie tags

Most advertising systems offer two levels of :

one they create an id (what we currently call cookies and what we agree to) by which they track you = consent to cookies is enough
the second level asks the website operator to send your personal data, most often email or phone = you must have consent to the processing of data for a specific purpose (such as Advanced Matching on Facebook)

Obligation of the processor

If the processor discovers that the controller is processing certain data unlawfully, you have a duty to inform the controller.

In this respect, you really only need to inform in the style of “We think you are processing this personal data without GDPR consent, which implies for you.”

As long as no explicit judgment is given by the controller (client) that the cooperation is suspended, you can continue to work as a processor.

Experience from Q1/2022

As we kind of expected after the new year, we had dozens of inquiries and questions about cookie bars, cookie consent, post-cookie bar deployment measurement, post-cookie bar deployment data drop. We list the most recurring queries here for everyone’s edification:

What platform do you recommend?

For us, we implement CookieBot for small and medium projects and OneTrust or Usercentrics for more complex ones. This recommendation may change in the future.

After deploying the bar my data dropped to zero, what can I do about it?

Probably the bar has been deployed incorrectly or is not understandable enough for your customers to be able to freely decide to agree or disagree. It’s also possible that you have unknowingly turned on Google Consent Mode technology, but it’s putting consent or non-consent data into the site at the wrong time when the page loads, and even users who don’t consent aren’t being measured. We can audit the settings and possibly re-implement the bar. It is also possible that the bar design or wording you have chosen is not suitable for your customers.

I have the bar deployed but some cookies are still being created, what can I do about it?

The most common problem here is when we have part of the codes directly in the website (hardcoded) and part in one of the tagging systems, for example Google Tag Manager. At the same time, you may have a wrong setting of the so-called auto or manual blocking, i.e. automatic or manual blocking that some CMPs offer. For us, we recommend to go the following way – to use the current situation to refactor the measurements, i.e. transfer all tags from hardcoded variants to GTM, then use ready-made templates that exist today for most services and allow you to work with Google Consent Mode. This gives you clear control over what is measured and when, so you can make the most of the bonuses that tag managers offer. The other option is that you can play directly with hardcoded events using attributes for script tags, but for us this is a road to hell that is unsustainable in the long run and requires constant communication with developers.

Hello and is there any way around this? How do I measure without cookie bars or how to get the most data?

Partially yes, but you won’t be the wisest of data. It is necessary to understand what the core of the ZEK amendment is, and that is the STORAGE AND READING of cookies on the user’s device. So if you develop or find a solution that doesn’t need cookies to give you the data you want and DOESN’T need to process any other GDPR personal data (ip address, location, user agent, digital fingerprint or other fingerprint) you don’t need any consent. In extreme interpretations, then, even by some analysts the browser name and operating system version are considered personal data. The problem with solutions that won’t use the above data is that you can’t link a given user’s visit from landing page to purchase, which is the basis of any analytics today. We currently offer our clients a Google Analytics setup in counter mode using Measurement Protocol where all the above data is deleted. However, from these dals it is possible to derive, for example, the number of cookie bar views, their approvals or the overall difference in page views between the main account and this test account. We are gradually testing a solution that would meet all the requirements of the ECC and GDPR and allow for “consent-free measurement”. We caution our clients and fellow professionals against using tools that have been touting alternatives to just Google Analytics in recent months under the slogans “GDPR compliant, cookieless and consent free”. Often, these solutions are offered by newly formed or untraceable legal entities with data repositories in unknown territories. Or they use technologies that, on closer inspection, are not very GDPR complaint.
So, in general, we recommend that the effort you would put into finding a solution that will circumvent the current legislation or fall into a grey area, is better invested in long-term optimization of the consent bar, communicating and explaining to your customers what is going on, and building credibility and transparency for your company, which in our opinion leads to long term satisfaction of your customers, who then have no reason to click on Reject All because they know that you will not spam them with irrelevant advertising or other messages, but actually offer them a better and higher quality service, as most current cookie bars proclaim; ).

What is the current state of adoption of the ZEK amendment in our experience?

According to our experience, there are the following approaches that consciously or unconsciously Czech companies choose to the issue:
– they do not address it (there is nothing on the web, there are no policies, they more or less do not understand the situation and do not have the internal capacity to resolve it, etc.)
– they have an old cookie bar with an OK button, you agree to use …., etc.
– they have a new bar that complies with the ZEK without the measurement being linked – so cookies are still being created regardless of the bar but probably ok on the face of it
– they have a new bar that meets the ZEK modifications and the measurement is linked – so cookies are not created until the user consents to the relevant category

How to choose from the above “approaches”?

There is only one thing we can say about this, it is purely your business decision and like all business and non-business entities in the Czech Republic you are obliged to operate according to the applicable legislation, whether it is ZEK, GDPR, Civil Code, Labour Code or anything else.
If you want to take a risk either way you can think about two questions:
How aggressive and competitive is your industry and how fair is the playing field?
How much is the extra data you get worth to you and how much are you actually using it now?

What should you have done in Q4/2021?

Don’t put off adjusting cookie bars, GDPR pages and downstream measurement changes and start working on it now.

Familiarize yourself with the issues and changes that come with the change from opt-out to opt-in
Implement your own consent management tool or use a third-party partner
Start connecting your advertising and analytics systems to consent and get used to the new baseline
Test cookie bar variations and evaluate their opt-in rates
Monitor best practices (GCP) abroad, with competitors and across the market
Test options for withdrawing consent following data deletion and user requests for data deletion under GDPR
Beware of privacy washing – it is possible that security and privacy will become one of the future competitive advantages by which customers choose where to shop or who to entrust their data to – always approach this situation with a level head and avoid extreme recommendations
Consider whether it is appropriate for you to use the principles of monetising users’ personal data

What will targeting look like in a post-cookie digital world?

First-party data

First-party data, i.e. data collected by the website operator itself about its customers after appropriate consents – examples include email marketing, push notifications and advertising directly within a website or app – will play a big role. Content sites, media houses led by video content, will then return to full strength, leveraging their empire of content sites to deliver targeted ads, while at the same time there will be more incentive to create content specifically to mine your own visitor data to target specific business offers.

Privacy sandboxes

Individual global organisations and advertising houses are taking the approach of creating ‘privacy sandboxes’ – that is, grouping aggregated data about users with specific behaviours (e.g. by the pages visited in the browser) – the difference with cookies is that with cookies I can target specific users whereas with a privacy sandbox I can target groups of users.

Contextual targeting

Let’s go back a few years, when contextual targeting, i.e. targeting according to the content of the page the user is currently reading, was the key. In that time, AI text processing has moved on, and we’re moving from simple keyword targeting to truly topic-based targeting.

Logged in user

Targeting specific users who agree and are logged in and more or less monetize their data by communicating their interests. They make money based on the ads that are targeted to them – an approach demonstrated by the Brave browser and other platforms of this type that resemble turn-of-the-millennium group buying (the discount applies if you get enough people to buy with you).

Technical specifics

Interesting technical issues arise when using embedded services like Google Maps, YouTube Embed, etc. Here, it is necessary to ensure that these tools do not also store cookies on the user’s device and possibly collect statistical data for analytics or ad personalization. Youtube offers a partial solution and the so-called no cookie embed can be used, but it is only cookie-free until the play button is pressed. This puts website operators in an interesting situation: how to solve this technically? Not showing youtube videos without consent? Or prevent clicks?

Cookie-less and GDPR consent free analytics

We are currently internally testing one-time tools and counters that could be used both without ZEK and GDPR consent. These tools are counter.dev and microanalytics.io Partly, the library for GA3 can be used to disable the storage of cookies. Such tools then function as simple pageviews or event counters.

We are experts in analytics and will be happy to help you set up your metering so that everything is ready in time for the updated amendment. In addition, we can take care of ongoing measurement management or follow-up work with the data. If you are interested in legal interpretation, please contact our partner – eLegal.cz

Disclaimer: this is not a legal interpretation, but rather practical tips and recommendations. This article was written in cooperation with eLegal, whom we would like to thank for their support in the legal field.

Digital Architects is a partner of the Cookiebot tool, which we recommend to solve the current situation for small and medium-sized online projects. If you need help with implementation please contact us at obchod@digitalniarchitekti.cz.

For larger projects, we recommend considering a consent management platform (CMP) such as Usercentrics or OneTrust, where we are also happy to help with implementation.

About The Author

Marek Čech