The Czech Cookie Law: From Opt-Out to Opt-In
The Czech Republic was one of the last EU member states to correct its transposition of the ePrivacy Directive. For years, Czech law permitted an opt-out approach to cookies - website operators could set non-essential cookies by default and only had to let visitors refuse them after the fact.
That changed on 1 January 2022. An amendment to Act No. 127/2005 Coll. on Electronic Communications (the Czech ePrivacy transposition) brought the country in line with the rest of the EU by requiring prior opt-in consent for all non-essential cookies. If your website targets Czech visitors, you now need affirmative consent before dropping analytics, marketing, or personalisation cookies.
The authority overseeing compliance is the UOOU (Urad pro ochranu osobnich udaju), the Czech Office for Personal Data Protection. Based in Prague with around 100 staff, the UOOU is the sole supervisory authority for both the GDPR and the amended Electronic Communications Act.
What the Amended Act 127/2005 Requires
Section 89(3) of the amended Act mirrors Article 5(3) of the ePrivacy Directive. Cookies and similar tracking technologies must not be placed on a visitor's device without that visitor's prior consent - unless the cookie is strictly necessary for delivering a service explicitly requested by the user.
Consent must meet the GDPR standard set out in Article 4(11) and Article 7: it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent from continued browsing, and consent-friendly browser settings do not qualify.
Strictly Necessary Cookies: The Exception
Cookies that are technically required to deliver a service the visitor has actively requested do not need consent. Session cookies such as PHPSESSID, authentication tokens, and load-balancing cookies fall into this category. A functional cookie like pll_language that remembers a visitor's language preference is also typically exempt.
Analytics cookies like _ga and advertising cookies like _fbp are never exempt. They always require prior consent.
UOOU Cookie Banner Requirements
The UOOU published detailed FAQs and recommendations on cookie banner design. These go beyond the bare legal text and set clear expectations for how consent mechanisms should look and behave.
| Requirement | UOOU Position |
|---|---|
| Accept and reject buttons | Must be the same size, font, and colour - no visual bias toward acceptance |
| Cookie walls | Prohibited - the banner must not block access to content or make the site unusable |
| Pre-ticked boxes | Not valid consent |
| Continued browsing | Does not constitute consent |
| Withdrawal of consent | Must be as easy as giving consent (single click) |
| Consent validity period | 12 months maximum before re-prompting |
| Refusal retention | If a visitor refuses, do not re-prompt for at least 6 months |
| Granular choices | Visitors must be able to accept or refuse individual cookie categories |
The equal-prominence rule for accept and reject buttons is particularly strict. Dark patterns such as hiding the reject option behind a secondary menu or using muted colours for the refuse button will not satisfy the UOOU. For more on manipulative banner design, see dark patterns in cookie banners.
UOOU Enforcement and Fines
The UOOU has the power to initiate inspections either on its own initiative or following a complaint. If an inspection reveals a breach, the authority may give the operator time to remedy the issue or move directly to administrative proceedings and financial penalties.
Between 2018 and 2024, the UOOU issued fines totalling approximately EUR 16 million across all data protection matters. The largest single fine in Czech GDPR history was imposed on Avast Software s.r.o. in 2024 - CZK 351 million (approximately EUR 14.4 million) for unlawful processing of personal data.
Cookie-specific enforcement has followed a measured approach. After the 2022 amendment took effect, the UOOU published a monitoring report and gave operators a grace period to adapt. The authority warned that continued non-compliance would result in financial sanctions. Since then, the UOOU has been actively auditing websites for cookie compliance as part of its annual control plans.
How Czech Cookie Law Relates to the GDPR
Two legal frameworks apply simultaneously when a Czech website uses cookies that process personal data. Act 127/2005 governs the act of placing cookies on a device (derived from the ePrivacy Directive). The GDPR governs the processing of personal data collected through those cookies.
In practice, this means you need a valid legal basis under both laws. For non-essential cookies, consent under Article 5(3) of the ePrivacy Directive (transposed into Act 127/2005) and consent under Article 6(1)(a) of the GDPR typically overlap - a single, properly obtained consent satisfies both.
Your cookie policy must disclose which cookies your site uses, their purposes, retention periods, and any third parties that receive the data. The GDPR's transparency requirements under Articles 13 and 14 apply in full.
Czech Republic vs Neighbouring EU Countries
The Czech Republic's cookie rules are broadly similar to those of its EU neighbours, but enforcement intensity and specific guidance vary.
| Country | DPA | Opt-in Required | Notable Guidance |
|---|---|---|---|
| Czech Republic | UOOU | Yes (since Jan 2022) | Equal-prominence buttons, 12-month consent validity |
| Poland | UODO | Yes | Telecommunications Law Art. 173 |
| Slovakia | UOOU SR | Yes | Act on Electronic Communications |
| Austria | DSB | Yes | TKG 2021 Section 165 |
| Germany | Various LDAs | Yes | TTDSG Section 25, detailed DSK guidance |
All five countries require prior opt-in consent for non-essential cookies. The key difference lies in enforcement appetite - Germany and Austria have issued higher cookie-related fines to date, while the Czech UOOU has focused more on guidance and monitoring before pursuing penalties.
Compliance Checklist for Czech Websites
Before Cookies Load
Run a cookie scan to identify every cookie and tracking technology on your site. You cannot build a compliant consent mechanism without knowing exactly what needs consent.
Banner Configuration
Configure your cookie banner to block all non-essential cookies until the visitor makes a choice. Accept and reject buttons must have equal visual weight. Provide granular category-level choices (analytics, marketing, functional) rather than an all-or-nothing approach.
Documentation and Records
Keep records of consent - who consented, when, what they were told, and which categories they accepted. The GDPR requires you to demonstrate that valid consent was obtained. A consent log is your primary evidence if the UOOU comes knocking.
Consent Withdrawal
Place a persistent link or button (often labelled "Cookie Settings" or "Manage Cookies") in the footer of every page. Withdrawal must be possible with a single click, matching the ease of the original consent.
Re-consent Timing
Set consent to expire after 12 months at most. If a visitor refuses cookies, respect that choice for at least 6 months before showing the banner again.
Google Consent Mode and Czech Compliance
If your site uses Google Analytics or Google Ads, Google Consent Mode v2 is relevant. Consent Mode communicates your visitors' consent choices to Google's tags, adjusting their behaviour based on whether analytics_storage and ad_storage have been granted or denied.
Configuring Consent Mode correctly helps satisfy the UOOU's requirement that non-essential cookies are blocked until consent is given. It does not replace the need for a proper consent banner - it works alongside one.
Frequently Asked Questions
Does the Czech Republic require cookie consent?
Yes. Since 1 January 2022, the amended Act 127/2005 on Electronic Communications requires prior opt-in consent for all non-essential cookies. Only strictly necessary cookies are exempt.
What is the UOOU and what does it do?
The UOOU (Urad pro ochranu osobnich udaju) is the Czech Office for Personal Data Protection. It is the sole supervisory authority responsible for enforcing both the GDPR and Czech cookie law.
How long is cookie consent valid in the Czech Republic?
The UOOU recommends a maximum consent validity of 12 months. After that period, you must ask for consent again. If a visitor refuses consent, you should not re-prompt for at least 6 months.
Are cookie walls allowed under Czech law?
No. The UOOU has stated that cookie walls - banners that block access to website content unless the visitor accepts cookies - are not permitted.
Can I use pre-ticked boxes for cookie consent in the Czech Republic?
No. Pre-ticked boxes do not constitute valid consent under the amended Act 127/2005 or the GDPR. Consent must result from an active, affirmative action by the visitor.
What fines can the UOOU impose for cookie violations?
The UOOU can impose administrative fines for breaches of both the Electronic Communications Act and the GDPR. Under the GDPR, fines can reach up to EUR 20 million or 4% of global annual turnover, whichever is higher.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Czech law.
