Cookie Consent Requirements in the Czech Republic [Includes Checklist]

The Czech Republic amended its Electronic Communications Act (ECA) in 2022 to align national law with the EU’s ePrivacy Directive and GDPR. This shift has moved the country from an opt‑out approach to a strictly opt‑in model for non‑essential cookies. The data protection authority (ÚOOÚ) tightened rules on cookie banners and emphasised clear consent mechanisms. This guide explains how the Czech cookie consent rules work and provides actionable steps for businesses operating websites or apps that target Czech users.

The Czech Republic’s framework for data protection and cookie consent is based on a combination of EU regulations, national laws, and guidance from the supervisory authority (ÚOOÚ). Together, these instruments define how organisations can collect, process, and store personal data through cookies and similar technologies.

EU General Data Protection Regulation (GDPR)

As an EU Member State, the Czech Republic is directly bound by the GDPR. It defines what counts as personal data (e.g., IP addresses, cookie IDs, browsing history), outlines individuals’ rights, and sets standards for lawful data processing, including the requirements for valid consent.

Under the GDPR, consent must be freely given, specific, informed, and unambiguous. This has a direct impact on cookie banners and consent mechanisms used in the Czech Republic.

Electronic Communications Act (ECA)- the Czech Cookie Law

The Czech Electronics Communications Act transposes the EU ePrivacy Directive into Czech law (Czech version).

Since 2022, the Act introduced a stricter, opt-in model for non-essential cookies, replacing the older opt-out system. This means businesses can no longer assume consent or use implied consent. Instead, users must actively accept cookies before they are stored on their devices.

The Czech cookie law also clarifies the distinction between technical (strictly necessary) cookies, which do not require consent, and non-technical cookies (analytics, marketing, personalisation), which do.

Czech Act No. 110/2019 on the Processing of Personal Data

The Personal Data Processing Act of 2019 aligns the Czech Republic’s national legislation with the GDPR, ensuring consistent enforcement at the local level.

It supplements the GDPR by providing additional rules for how data processing and supervision should function in practice within the country.

Internet cookies are small text files stored on a user’s device. They fall into two main categories:

Technical (strictly necessary) cookies

These cookies enable core website functions such as navigation, security and shopping cart sessions. They can be used without the visitor’s consent.

Non‑technical cookies

All other cookies, other than those that are strictly necessary for website functioning, are considered non-technical cookies. Examples include analytical, marketing or preference cookies that track user behaviour for statistics, advertising or personalisation.

Under the Czech cookie consent law (ECA), they may only be stored after obtaining valid consent.

Why does this matter?

Non‑technical cookies often collect personal information such as IP addresses, location, and purchase histories.

The GDPR treats these online identifiers as personal data and requires a lawful basis like consent, legitimate interest or contractual necessity for processing them.

The Czech Republic’s cookie consent rules are not limited to companies registered in the country. They follow the broad, territorial scope of the GDPR.

Any organisation that places cookies on the devices of people located in the Czech Republic must comply with the law, irrespective of where that organisation is based. In practice, this means:

Businesses established in the Czech Republic

Every business operating in the Czech, that uses cookies or other online‑tracking technologies must adhere to the ECA, Act No. 110/2019 and the GDPR simultaneously.

Businesses outside the Czech Republic that target Czech users

If you offer goods or services to Czech residents, monitor their online behaviour or otherwise collect their personal data, you must comply with Czech cookie rules, even though you have no physical presence in the Czech Republic. This includes websites, apps and other online services that process IP addresses or cookie identifiers of Czech visitors.

Yes. In the Czech Republic, websites are legally obligated to display a cookie bar, also known as a cookie banner, to users. This banner must be readily accessible and should not prevent users from viewing the website’s content, regardless of whether they consent to cookie usage.

The following are the Czech cookie consent requirements that websites must know:

#1 Cookie bar/ cookie banner requirements

Websites must display an opt-in cookie banner informing users about the use of cookies. This includes what cookies are used, the purposes of individual cookies, how long they will be stored on devices and user rights. 

Websites with many cookies can display detailed cookie information on a second layer, accessible via a “more information” link or in a separate document, like a cookie or privacy policy.

The cookie banner requirements are similar to the GDPR opt-in requirements. It must be easily accessible, easy to understand, and without any dark patterns.

#2 Transparency or cookie policy requirements

You must clearly state in your cookie policy why you collect each cookie and identify the legal basis for processing personal data. This helps users understand which cookies are essential and which require consent.

 Include the following cookie information:

• The names and purposes of cookies used on the website (Analytics, marketing, etc.).
  
• The controller’s identity and contact details.
  
• Legal basis of use of cookies.
  
• Legitimate interests, if any.
  
• The recipients of the data.
  
• Details of international transfers, if applicable.
  
• Storage duration for each cookie; the retention period must respect the principle of storage limitation and be proportionate to the purpose.
  
• Data subject rights, including the right to access, rectification, erasure, portability, and objection, and the right to lodge a complaint with the supervisory authority.
  
• Right to withdraw consent at any time.
  
• Specify whether users have a legal or contractual obligation to provide certain data and what happens if they refuse.

Example:

Skoda, a prominent car manufacturer in the Czech Republic, complies with the requirement by providing a detailed cookie notice.

#3 Consent requirements

Czech consent requirements align with the GDPR standards.

In order to comply, consent must be freely given, specific, informed and unambiguous. To satisfy this standard:

• Avoid complicated languages or technical jargon. Instead, provide clear information in simple language.
  
• Do not rely on implied consent or passive browsing. Users continuing to browse or closing the banner without taking action cannot be treated as valid consent.
  
• Dark patterns like pre‑ticked boxes, hidden reject buttons, or pre‑enabled settings do not count as consent.
  
• Consent for storing cookies (ECA) and processing personal data (GDPR) may be obtained simultaneously, but the request must meet the requirements of both laws.
  
• Access to websites should not be denied solely on the grounds of refusing cookies.
  
• Rejection of cookies must be as easy as accepting them.

#4 Validity of consent

According to the Czech cookie consent requirements, the validity of cookie consent depends on the purpose of cookies. Generally, a reasonable time period for which consent is valid is considered to be 12 months.

You may re-display the cookie bar and ask for consent after 12 months.

However, if a user rejects cookies, wait for at least 6 months before re-presenting a banner.

#5 Enable easy withdrawal and granular choices

Under Czech cookie law, users must be able to withdraw consent as easily as they give it. To comply, follow the tick the following:

• Display a prominent “Reject All” button alongside the “Accept All” button on the same layer of the banner.
  
• Options to accept or reject each category or individual cookie for granular control.
  
• A link or button (e.g., in the website footer) where users can revisit their preferences and withdraw consent at any time

#6 Respect the design and placement rules 

Design your cookie banner to avoid dark patterns that nudge users toward consent. The ÚOOÚ recommends that:

• Accept and reject buttons should be of comparable size, font and colour to prevent bias.
  
• The banner should not block access to the site or make content unusable (cookie walls are prohibited).
  
• If the banner appears in the middle of the screen, include an option to close it without giving consent; however, non‑technical cookies must remain deactivated until consent is obtained.
  
• Provide a link to detailed cookie information or your full cookie policy on the first layer of the banner.

#7 Consent log

Record the proof of consent to demonstrate compliance. For this purpose, you may need to keep a copy of the displayed cookie banner, the consent log with time stamps and their consent status, preferences, etc.

#8 Ensure multi‑language support

Information must be provided in Czech for Czech‑language websites and in other relevant languages for international visitors. Use clear, concise language and avoid legal jargon

No. The Czech Republic requires express affirmative action rather than a preset browser setting for consent.

Therefore, websites must obtain explicit user consent for each purpose, like analytics, advertising, etc. 

• Identify all cookies and similar technologies used by your site or app and classify them as technical or non‑technical.
• Provide an accessible and detailed cookie policy with information such as purposes, legal bases, recipients, storage periods and user rights.
• Deploy an opt-in cookie banner on your website.
• Do not block access to the website due to cookie refusal.
• Display “Accept All” and “Reject All” buttons equally.
• Offer granular cookie consent choices (Ads, analytics, performance).
• Block non‑technical cookies until the user gives affirmative consent.
• Store proof of consent by maintaining a consent log.
• Make withdrawal of consent as easy as giving it.
• Refresh consent at least every 12 months.
• Refrain from re‑presenting the banner within six months of a refusal unless circumstances change.
• Update your banner policy when new cookies or analytics tools are added, and re‑evaluate your cookie practices whenever regulations or technologies change.

Compliance with EU cookie laws should not mean days of development work, complicated scripts, or guesswork. CookieYes Consent Management Platform makes it simple.

Our platform, built for developers, marketers, and business leaders, caters to websites of all sizes- from small businesses to global brands, and helps them achieve GDPR and ePrivacy compliance without hindering their operations.

CookieYes is more than a banner. It is a complete consent management platform trusted by over 1.5 million websites worldwide to stay compliant, protect brand reputation, and build user trust.