Legal framework in Germany
The legal framework in Germany mandates compliance with both the TTDSG and the GDPR when addressing cookie consent. Website operators must adhere to Section 25(1) of the TTDSG, ensuring that their cookie policies provide clear and comprehensive information that aligns with GDPR standards. This includes specifying the controller’s identity, the purpose of data processing, the types of data collected, the right to withdraw consent, and information about automated decision-making and potential data transfer risks.
To ensure compliance, the policy must describe processing purposes in concrete terms, avoiding general statements. For example, merely stating cookies are used to “optimize the website” is insufficient; specific details about web analysis, advertising, or personalization are required. In a layered consent approach, the right to withdraw consent must be prominently featured in the first level of the consent window, not buried in linked documents.
Requirements for a TTDSG-compliant cookie banner
A TTDSG-compliant cookie banner in Germany must adhere to specific requirements outlined in the Telecommunications and Telemedia Data Protection Act (TTDSG) and the General Data Protection Regulation (GDPR). To ensure compliance, the cookie consent banner must provide clear and comprehensive information in alignment with GDPR standards. According to the European Data Protection Board (EDPB), the following information is necessary for obtaining valid consent:
The controller’s identity.
The purpose of each processing operation seeking consent.
Type of data to be collected and used.
Right to withdraw consent.
Information about automated decision-making and potential data transfer risks.
The Lower Saxony data protection authority emphasizes that processing purposes must be described concretely, avoiding vague statements. Additionally, in a layered consent approach, the right to withdraw consent should be prominently featured on the first level of the consent window.
Obtaining valid cookie consent
To ensure valid cookie consent in Germany, website operators must adhere to the requirements outlined in the Telemedia Act (TMG) and the Telecommunications and Telemedia Data Protection Act (TTDSG), which align with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Here are key aspects to consider:
Clear and informed consent:
Consent must be obtained before placing cookies on users’ devices.
Users should be clearly informed about the types of cookies used, their purposes, and any third-party involvement.
Freely given and specific:
Consent must be freely given and specific to each purpose of data processing.
Avoid using pre-ticked checkboxes or bundled consent; users should actively select their preferences.
Granular consent options:
Provide granular options for users to choose which types of cookies they accept, allowing them to customize their preferences.
User-friendly consent interface:
The consent interface should be user-friendly and easily accessible, ensuring users can understand and manage their choices effectively.
Record-keeping:
Keep records of user consent, including details on what users were informed about and when they provided consent.
Regular review and update:
Regularly review and update cookie policies to reflect any changes in data processing practices.
Compliance with TTDSG and GDPR:
Ensure compliance with the TTDSG, which supplements GDPR requirements, to cover specific aspects of data protection in the context of telemedia services.
Legal bases for cookies under TTDSG
Two categories of cookies (TTDSG Section 24): The TTDSG distinguishes between two categories of cookies:
Cookies that require consent: These are cookies for which user consent is necessary before they can be set or read.
Cookies that are strictly necessary: This category includes cookies that are essential for the basic operation of the website and, therefore, do not require explicit user consent.
Strictly necessary cookies: Cookies that are strictly necessary for the functioning of the website, such as those required for authentication or security purposes, are exempt from the general consent requirement. However, this exemption only applies to cookies that are genuinely essential for website operation.
Cookie banner compliance (TTDSG Section 24): To comply with TTDSG, website operators need to implement cookie banners that facilitate user consent. These banners should clearly communicate the types of cookies used and their purposes and provide an easy mechanism for users to grant or deny consent.
These legal provisions under TTDSG create a framework for responsible and transparent cookie usage, aligning with broader data protection principles.
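The consent requirements listed above (no pre-ticked defaults, granular choices, withdrawal, records of what was shown and when) and the two cookie categories just described can be enforced in the browser by gating every cookie write behind a consent state. The following is an added example, not code from the original page; the class name ConsentManager, the category names, the purposes and the POLICY_VERSION string are constructed assumptions.

```javascript
// Added example: consent gate implementing the TTDSG/GDPR points above.
// POLICY_VERSION is a constructed identifier for the banner text shown to the user,
// stored with each record so the log proves what the user was informed about.
const POLICY_VERSION = "cookie-policy-v3-example";

// Strictly necessary cookies are exempt from consent; every other category
// starts as "not decided", which the gate treats as "not allowed".
const CATEGORIES = {
  necessary: { exempt: true, purpose: "session authentication and CSRF protection" },
  analytics: { exempt: false, purpose: "web analysis of page visits" },
  advertising: { exempt: false, purpose: "personalised advertising by third-party networks" },
};

class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;        // injectable clock so records are testable
    this.choices = {};     // category -> true/false; absent means not yet decided
    this.records = [];     // audit log: policy version, choices, timestamp
  }

  // Record a granular decision made through the banner. Exempt or unknown
  // categories are rejected so consent is never "collected" for them.
  decide(choices) {
    for (const cat of Object.keys(choices)) {
      if (!(cat in CATEGORIES) || CATEGORIES[cat].exempt) {
        throw new Error(`unknown or exempt category: ${cat}`);
      }
      this.choices[cat] = choices[cat] === true;
    }
    this.records.push({ policyVersion: POLICY_VERSION, choices: { ...this.choices }, at: this.now() });
  }

  // "Reject all" sets every consent-requiring category to false in one step.
  rejectAll() {
    const all = {};
    for (const cat of Object.keys(CATEGORIES)) if (!CATEGORIES[cat].exempt) all[cat] = false;
    this.decide(all);
  }

  // Withdrawal is just a new decision and is logged like the original consent.
  withdraw(cat) { this.decide({ [cat]: false }); }

  // Gate: may a cookie in this category be set or read right now?
  allowed(cat) {
    const def = CATEGORIES[cat];
    return def !== undefined && (def.exempt || this.choices[cat] === true);
  }

  // Apply the gate to cookies a page wants to set; drops anything not allowed.
  filterCookies(cookies) { return cookies.filter((c) => this.allowed(c.category)); }
}
```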
Subsequent processing under TTDSG
The Telecommunications and Telemedia Data Protection Act (TTDSG) in Germany addresses subsequent processing, particularly focusing on storing information on users’ end devices and reading device identifiers. Subsequent personal data processing also covers any operations outside the scope of Section 25 of the TTDSG. This can include storing and processing personal data collected through technologies like cookies.
When both the TTDSG and GDPR apply, companies must provide separate and clear information about the legal basis for processing under each regulation. The TTDSG applies to the storage on users’ devices and reading of device identifiers, while the GDPR encompasses subsequent processing of personal data collected through technologies like cookies.
Data storage duration under TTDSG
The absence of a specific rule on data storage duration means businesses must adhere to data minimization and purpose limitation principles. Data should only be stored for as long as necessary to fulfill the purpose for which it was collected. This aligns with broader data protection principles under the GDPR and other applicable regulations.
Scope of cookie consent – website operators and beyond
The scope of cookie consent under the Telecommunications and Telemedia Data Protection Act (TTDSG) in Germany extends beyond website operators. TTDSG emphasizes the need for valid cookie consent, specifying that such consent is required for setting and accessing cookies and similar technologies on users’ devices. The law applies to website operators and any entity involved in storing or retrieving information on users’ devices.
Validity of pre-TTDSG consent
For consents obtained before TTDSG, it is crucial to ensure that they align with the consent requirements set by TTDSG and the General Data Protection Regulation (GDPR). Valid consent, whether obtained pre-TTDSG or afterward, should be freely given, specific, informed, and unambiguous.
It’s advisable for organizations to review and update their consent mechanisms to comply with the new TTDSG requirements. While pre-existing consents may remain valid, ensuring ongoing compliance with evolving data protection laws is essential.
Future of cookie consent in Germany
The future landscape of cookie consent in Germany is undergoing significant changes, marked by new regulations and ongoing discussions aimed at enhancing user privacy and consent practices. Notably, the German digital and transport ministry is in the process of drafting an alternative cookie consent management regulation, indicating potential modifications to the existing cookie consent rules and framework.
Additionally, a German Data Protection Officer (DPO) has advocated for the inclusion of a “reject all” cookie consent option, emphasizing the importance of empowering users with greater control over their data by allowing them to reject all cookies if they choose to do so. These developments underscore a dynamic environment where legal requirements and compliance play a crucial role.
Organizations are urged to stay abreast of evolving cookie consent requirements, ensuring alignment with German privacy laws, including the General Data Protection Regulation (GDPR), Telecommunications and Telemedia Data Protection Act (TTDSG), and the German Data Protection Conference (DSK) guidelines. As these changes unfold, they may have implications for designing and implementing cookie banners and consent management practices on websites, reflecting a broader commitment to user-centric privacy measures.
Complying with Germany’s cookie consent regulations entails thoroughly comprehending the legal structure, establishing transparent communication with users, and adhering to ethical and transparent data processing practices. Website owners must comply with the General Data Protection Regulation (GDPR) and the Telecommunications and Telemedia Data Protection Act (TTDSG) to guarantee a lawful and user-friendly online environment. This includes implementing a cookie banner that allows users to choose their preferences, providing a clear and concise explanation of how cookies are used, and obtaining explicit consent from users before collecting and processing their data. Additionally, website owners must ensure that they have proper data protection measures in place to safeguard user information and honor their privacy rights.