TTDSG: New regulations for cookies

Clarity on the subject of data protection through the TTDSG

On December 1, 2021, the new Telecommunication Telemedia Data Protection Act, TTDSG for short, will come into force. The TTDSG brings some new rules for cookies, and it is also intended to create clarity for website operators and agencies. The following article explains the main points and changes.

The way to TTDSG

For a long time the TTDSG only existed as a draft. It was launched in May 2021 by a resolution in the Bundestag. The purpose of the law is to create a compromise between the protection of privacy and business models in the digital world.

In addition, the TTDSG is intended to create clarity on the subject of data protection and eliminate uncertainties through various regulations. It is not always clear in which cases the provisions of the TMG, TKG, GDPR or ePrivacy Directive must be applied.

Furthermore, the ePrivacy Regulation should clearly regulate the handling of cookies. As of today, this is still a long way from being enacted at EU level. For this reason, the legislator has implemented the TTDSG. It contains the provisions on data protection from the TMG and TKG and has been adapted to the provisions of the GDPR and ePrivacy Directive.

The most important contents of the TTDSG

If the operator of a website uses cookies and tracking tools, this requires the express consent of the user. With the TTDSG, this rule is laid down in a law for the first time. Until now, it had been clarified by the case law of the ECJ and BGH.

The website operator must obtain the consent of the user if information is to be stored in the user’s terminal device or if it is to be accessed. Technically indispensable cookies as well as cookies and information which are used exclusively for the purpose of transmitting messages in a public telecommunications network are excluded from this regulation.

The question now is which cookies should be classified as technically essential. Technically essential cookies are cookies without which a website would not function. These include, for example, session cookies, cookies that are only necessary for processing the payment process and cookies that enable consent to be given or withdrawn.

The TTDSG also addresses the recognition of Personal Information Management Systems (PIMS for short). A PIMS allows the user to specify once which cookies are accepted under which conditions. This information is then forwarded directly from the PIMS provider to the operator of the accessed website.

By using a PIMS, users should have more control over their personal data and be better able to control third-party access in the digital world. A cookie banner could then no longer be required.

None of this has been implemented yet, because the federal government must first issue an ordinance before this service can be fully accepted. Until this is done, there is no way around a cookie banner.

The scope of application is expanded by the TTDSG. On the one hand, the provisions of the TTDSG apply to all devices that are connected to the Internet. This area also includes smartphone applications that allow the room temperature to be regulated or control the light, and e-mail and communication services such as WhatsApp. This means that providers of such services must also establish a cookie banner in the future.

On the other hand, the TTDSG also relates to all information that a user of a telemedia or telecommunications service reveals. In addition to personal data, this also includes the technologies that can be used to read information from the end device. An example of this is browser fingerprinting.

The following changes could also be decisive for the operator of a website. Providers must be able to provide public bodies with information about inventory and usage data.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible for the protection of personal data and the implementation of the associated regulations. The BfDI also oversees the telecommunications sector and imposes fines in the event of violations. The Federal Network Agency is responsible for all other provisions of the TTDSG.

Task of the website operator

Are you the operator of a website and do not yet have a cookie consent banner? Then now is the time to change that, because the express consent of the user is required for cookies, tracking, etc. So you can’t avoid a cookie consent tool.

The TTDSG stipulates that the user must have given his consent on the basis of clear and comprehensive information. A cookie consent tool is the easiest and safest way to implement this.

Design of the cookie banner

The TTDSG gives clear guidelines regarding consent, but not in what form it has to be obtained. Data protection authorities and consumer advice centers use warnings and statements to clearly show how the banner should be designed. The following points should be implemented:

  • The cookies are only activated with the express consent of the user; until then, they remain technically deactivated.
  • The user has to act actively and tick the box himself. Pre-filled check boxes are not valid.
  • The user must be able to choose freely between accept and reject. The buttons to select must be on the same level so that the user has both options at a glance.
  • The color scheme must not distinguish between rejecting and accepting, for example by highlighting the consent button in color.
  • The user must be fully informed before making a decision. The information includes the purpose of the tools used, the number of tools as well as their providers and general information about the provider such as the seat in the EU or in the EEA.
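The points above can be checked and enforced in code. The following is an added example, not taken from the TTDSG or from any consent tool: all names (`auditBanner`, `createConsentGate`, the banner fields) are hypothetical, the sample banner is constructed, and treating a ticked box for an essential category as acceptable is an assumption.

```javascript
// Hypothetical names throughout; not the API of any real consent tool.
// Categories the article lists as exempt from consent.
const ESSENTIAL = new Set(["session", "payment", "consent"]);

// Audit a banner definition against the design points listed above.
function auditBanner(banner) {
  const findings = [];
  for (const box of banner.checkboxes) {
    // Assumption: only non-essential categories need an unticked box.
    if (box.checked && !ESSENTIAL.has(box.category))
      findings.push(`pre-ticked box: ${box.category}`);
  }
  const { accept, reject } = banner.buttons;
  if (!reject || reject.layer !== accept.layer)
    findings.push("reject is not on the same level as accept");
  else if (reject.style !== accept.style)
    findings.push("accept and reject are styled differently");
  for (const tool of banner.tools) {
    for (const field of ["purpose", "provider", "providerSeat"])
      if (!tool[field]) findings.push(`${tool.name}: missing ${field}`);
  }
  return findings;
}

// Consent gate: non-essential tools stay deactivated until an explicit opt-in.
function createConsentGate(tools) {
  const granted = new Set();
  return {
    grant(category) { granted.add(category); },      // call only from a user action
    withdraw(category) { granted.delete(category); },
    activeTools() {
      return tools
        .filter(t => ESSENTIAL.has(t.category) || granted.has(t.category))
        .map(t => t.name);
    },
  };
}

// Constructed sample banner with three deliberate defects.
const sampleBanner = {
  checkboxes: [{ category: "consent", checked: true }, { category: "analytics", checked: true }],
  buttons: { accept: { layer: 1, style: "primary" }, reject: { layer: 2, style: "link" } },
  tools: [
    { name: "shop-session", category: "session", purpose: "login state", provider: "own site", providerSeat: "EU" },
    { name: "web-analytics", category: "analytics", purpose: "reach measurement", provider: "Example Analytics" },
  ],
};
console.log(auditBanner(sampleBanner));
```
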

Consequences of the lack of the cookie consent banner

If no express consent is obtained from the user after the TTDSG has come into force, there is a risk of fines for various reasons. A fine can be imposed for violating the GDPR. In this case, there is a risk of a fine of up to 20 million euros or up to four percent of your turnover (Art. 83 GDPR).

A fine imposed on the basis of the TTDSG can also amount to up to 300,000 euros. A missing banner can also lead to a warning.
