Czech ECA - Cookie Consent Requirements & Compliance

Back to Regulations Guide

Key Facts

Effective Date

January 1, 2022

Enacted

January 1, 2005

Enforcing Authority

UOOU (Office for Personal Data Protection); CTU (Czech Telecommunication Office) for telecom aspects

Consent Model

Opt-in

Applies To

Any entity storing or accessing information on terminal equipment of users in the Czech Republic

Overview

The Czech Republic underwent a significant shift on January 1, 2022, moving from one of the EU's most permissive cookie regimes (accepting browser settings as consent) to full opt-in consent. The UOOU focused its 2022 supervisory activities on cookie practices and began imposing fines in 2023.

What This Means for Your Website

Full opt-in consent is required before placing any non-essential cookies on Czech visitors
Pre-checked boxes are prohibited — consent must be an active choice
Browser settings alone are no longer valid consent since January 2022
Consent must be easily revocable
The UOOU has been actively fining non-compliant websites since 2023

Key Requirements

Section 89(3) of the Electronic Communications Act requires GDPR-compliant prior consent before storing or accessing cookies. The UOOU and CTU share enforcement responsibilities, with the UOOU handling data protection aspects. GDPR penalties of up to EUR 20 million or 4% of global turnover apply. The transition from implied to explicit consent caught many Czech websites off guard.

How ConsentStack Handles This

ConsentStack presents Czech visitors with a full opt-in consent banner where all non-essential cookies are blocked by default. No pre-checked boxes or browser-setting reliance — every cookie category requires explicit visitor action.

Penalties

GDPR penalties apply (up to EUR 20 million / 4% global turnover). National telecom penalties also applicable.

Key Requirements

Prior opt-in consent before placing non-essential cookies since January 2022
Consent must satisfy GDPR requirements
Pre-checked boxes are prohibited
Browser settings alone are NOT valid consent
Consent must be easily revocable

Notable Provisions

Major shift from implied consent to full opt-in on January 1, 2022
UOOU began imposing cookie-specific fines in 2023
Previously one of the most permissive EU countries for cookies

Other ePrivacy Directive Related Regulations

FDPAFrance

France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.

TDDDGGermany

Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

SI 336/2011Ireland

Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Dutch Telecom ActNetherlands

The Netherlands implements the ePrivacy Directive through Article 11.7a of the Telecommunications Act. The AP launched a major enforcement sweep in April 2025, warning 50 organizations for misleading cookie banners or placing tracking cookies without consent. Cookie walls are not permitted.

LSSISpain

Spain implements the ePrivacy Directive through Article 22 of the LSSI. Cookie violations are classified as slight offenses with EUR 30,000 fines per URL, but multiple URLs multiply penalties. AEPD allows consent-exempt analytics under privacy-friendly configurations, similar to CNIL.

Italian Privacy CodeItaly

Italy implements the ePrivacy Directive through Article 122 of the Privacy Code with detailed Garante cookie guidelines effective January 2022. Only technically necessary cookies may load by default. Scrolling is not valid consent, and closing a banner with "X" closes it without granting consent.

Danish Cookie OrderDenmark

Denmark implements the ePrivacy Directive through the Cookie Order (Cookiebekendtgørelsen), administered by the Danish Business Authority. Cookie consent is a declared 2026 enforcement priority for Datatilsynet, which will examine whether Danish websites give users a genuine choice.

Polish Telecommunications LawPoland

Poland implements the ePrivacy Directive through Articles 173-174 of the Telecommunications Law. While Article 173(2) technically permits consent via browser settings, PUODO recommends active consent. Since 2019, Article 174 requires cookie consent to meet full GDPR standards.

Belgian E-Communications ActBelgium

Belgium enforces strict cookie consent with one of the EU's most active DPAs. Cookie walls are prohibited, and a Reject all button must appear on the first layer with equal prominence to Accept all. Dark patterns in cookie banners are actively enforced against.

Norwegian E-Com ActNorway

Norway's January 2025 amendment to Ekomloven marked a major shift from tolerating passive consent to strict opt-in. Pre-ticked boxes and browser settings are now explicitly invalid. Accept and reject options must have equal prominence. Datatilsynet sanctioned 6 websites for tracking pixel violations.

Portuguese ePrivacy LawPortugal

Portugal implements the ePrivacy Directive through Law 41/2004, with a distinctive tiered penalty structure distinguishing between large companies, SMEs, and natural persons. The CNPD issued 90 fines totaling EUR 559,950 in 2023, demonstrating active enforcement.

LEKSweden

Sweden implements the ePrivacy Directive through Chapter 9 Section 28 of LEK. In April 2025, IMY issued a landmark reprimand against Aller Media for dark patterns in cookie banners. Less than 25% of Swedish users accept cookies, reflecting strong privacy awareness.

Other Europe Regulations

GDPREuropean Union + EEA

The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECRUnited Kingdom

PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy DirectiveEuropean Union + EEA

Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

FDPAFrance

UK GDPRUnited Kingdom

The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDGGermany

Frequently Asked Questions

When did the Czech Republic switch to opt-in cookie consent?

January 1, 2022. Before this date, the Czech Republic accepted browser settings as valid consent, making it one of the most permissive EU countries. The change aligned Czech law with strict EU standards.

Are browser settings valid cookie consent in the Czech Republic?

No. Since January 2022, browser settings alone are not valid consent. Websites must obtain active, GDPR-compliant opt-in consent from Czech visitors.

What are the cookie penalties in the Czech Republic?

GDPR penalties of up to EUR 20 million or 4% of global turnover apply. The UOOU began imposing cookie-specific fines in 2023 after a focused supervisory campaign.

Stay compliant with Czech ECA

ConsentStack helps you implement Opt-in consent for Czech Republic automatically.

Get started free