09-24-2024 Article

Update Data Protection No. 184

German Federal Government issues Consent Management Ordinance – (No) end in sight for cookie banners?

No internet user can escape them: cookie banners and consent management platforms (“CMPs”). In recent years, they have become established for obtaining data protection consent on the internet and for presenting the required information under Article 13 of the GDPR. From a user's perspective, interacting with cookie banners or CMPs can be annoying.

The German government wants to counteract this: On September 4, 2024, it passed the Consent Management Ordinance (“EinwV”). It sets out requirements for so-called “recognized consent management services”. These services are intended to provide a more efficient and user-friendly alternative to cookie banners: acting as trustees, they manage users' consent decisions once these have been documented and transmit them in bundled and automated form to all service providers. According to the presumably somewhat unrealistic wish of the German government, it would then not be necessary to obtain separate consent from each individual service provider. The aim is therefore to provide end users with an effective and comprehensible tool for managing their consent.

The EinwV addresses three areas (the CHART illustrates this):

  • requirements for approved consent management services (Part 2 of the EinwV),
  • the process of approving consent management services (Part 3 of the EinwV), and
  • technical and organizational measures to be taken by providers of digital services and manufacturers and providers of retrieval and display software (Part 4 of the EinwV).

In terms of content, the Ordinance regulates two levels: on the one hand, the relationship between the end user and the consent management service (level 1), and on the other hand, the relationship between the consent management service and the digital service provider (level 2).

Requirements for recognized consent management services

Sections 3 to 7 of the Ordinance govern the requirements for recognized consent management services.

They may only manage the consent of end users who have been fully informed in advance (Section 3 (2) of the Ordinance). The information requirement includes, in particular:

  • the provider of the digital service,
  • the information stored,
  • the purpose of storage,
  • the period of storage and
  • the fact that consent can be withdrawn at any time.

Furthermore, consent management services must be user-friendly (Section 4 (1) of the Ordinance). This requires a transparent and comprehensible design that allows users to make a free and informed decision. Likewise, users must be able to view and revoke their stored settings at any time.

End users have the right to switch to a different consent management service at any time and to transfer their settings to that service, a process known as interoperability (Section 5 (1) of the Ordinance). This requires that the consent management service stores the end user's settings in a common and machine-readable format and makes them available for retrieval by another recognized service free of charge (Section 5 (2) of the Ordinance).

Consent management procedures must be designed in a competition-compliant manner (Section 6 EinwV). This results in the following guidelines:

  • Every digital service provider must be able to request the consent management procedure in real time under the same conditions.
  • No digital service provider may be refused consent management.
  • The default settings of the approved consent management service's user interface must present the digital service providers in a standardized way, either alphabetically or chronologically in a list.

Finally, requirements are placed on the recognized services for consent management with regard to technologies and configurations (Section 7 of the Ordinance): On the one hand, it must be technically recognizable to digital service providers and retrieval and display software that the user is using a recognized service for consent management. On the other hand, digital service providers must be able to send their requests to them and check whether end-user settings are being managed.

Recognition of services for consent management

Sections 8 to 16 of the Ordinance regulate the recognition of consent management services.
The BfDI is responsible for recognition (Section 8 of the Ordinance). A consent management service is recognized upon electronic application (Section 11 of the Ordinance) if it meets the requirements of Sections 3 to 7 of the Ordinance and submits a security concept in accordance with Section 12 of the Ordinance. The BfDI informs the data protection officers of the federal states about each approval (Section 9 (1) of the Ordinance) and maintains a public register of all approved consent management services (Section 13 of the Ordinance).

Approval as a consent management service is, however, revocable: the BfDI and the state data protection authorities are in constant information exchange regarding any deficiencies that may arise (Section 9 (2) of the Ordinance). At the same time, the recognized consent management services must annually review whether they continue to meet the legal requirements for recognition. Any deficiencies identified must be reported to the BfDI; the BfDI may also request an audit (Section 14 of the Ordinance). Third parties may also report deficiencies known to them to the BfDI (Section 15 of the Ordinance). If the BfDI becomes aware of facts indicating that the requirements for the recognition of a consent management service are no longer met, it must withdraw the recognition after a hearing (Section 16 of the Ordinance).

Technical and organizational measures

Sections 17 to 20 of the Ordinance stipulate obligations for both providers of digital services and providers and manufacturers of retrieval and display software. These obligations essentially include technical and organizational measures.

Manufacturers and providers of retrieval and display software have two obligations (Section 17 of the Ordinance): Firstly, they must ensure that the retrieval and display software takes into account the integration of recognized consent management services by end users. Secondly, they must ensure that the information stored with a service is not suppressed, delayed, decrypted or otherwise modified.

Providers of digital services must take comparable measures to integrate recognized consent management services. The integration of consent management services is voluntary (Section 18 (1) of the Ordinance), so cookie banners can continue to be used. However, if a provider decides to integrate a recognized consent management service, it must observe numerous requirements to ensure the service's functionality and to inform the end user (Section 18 (2) and (3) as well as Section 19 (1) of the Ordinance). Likewise, providers of digital services must transmit all end-user consents already in their possession to the consent management service (Section 19 (2) of the Ordinance).

Finally, providers of digital services, as well as manufacturers and providers of retrieval and display software, are obliged to maintain neutrality: they should not, without objective reason, encourage end-users to use or exclude certain recognized consent management services (Section 20 of the Ordinance).

Outlook – No end to cookie banners for the time being!

It remains to be seen whether the EinwV will stem the flood of cookie banners. From a user perspective, approved consent management services are potentially and theoretically an attractive tool for circumventing tracking measures. However, there is no legal obligation for service providers to implement recognized consent management services. It is therefore up to the service providers to continue using cookie banners.

However, it is possible that, although there is no legal obligation, there will be a de facto pressure to act to implement consent management services according to the principles of platform economics. In this respect, the EinwV offers potential for the development of new business models. If the “first movers” can win over a critical mass of users, the providers of digital services could be effectively persuaded to integrate consent management services if they do not want to lose the traffic of these users. The significant distribution of the IAB TCF proves that such a process is fundamentally possible. There is no legal obligation to comply with the IAB TCF or to use CMPs and tracking tools registered under the IAB TCF. However, the application of this framework by a significant number of service providers has made it a de facto requirement.

However, it is doubtful whether consent management services will experience a similar triumph to the IAB TCF. There are several reasons for doubting such a development:

  1. The approved consent management services go much further than the IAB TCF: not only are requirements and classifications for obtaining consent provided, but individual requests for consent are no longer necessary. In this respect, consent management services are not likely to be very popular with vendors and publishers, as less advertising traffic is to be expected.
  2. In addition, the use of consent management services must also be pointed out. Cookie banners would thus simply be replaced by a comparable information pop-up along the lines of a CMP, which would have to be displayed to the end user each time a digital service is modified.
  3. Furthermore, the advantage of recognition under the EinwV for consent management services is likely to be negligible. Such services could have been offered at any time in the past. However, there was apparently insufficient demand for them, otherwise consent management services comparable to the IAB TCF would have long since established themselves in Germany, Europe or the USA. The legislator apparently hopes that market entry for a consent management service will be significantly easier if user trust is increased by state recognition. However, the requirements of the EinwV actually impose significantly higher hurdles for a consent management service. It is doubtful whether this will lead to the establishment of numerous consent management services.
  4. In addition, there are data protection concerns: Any requirements that the data protection authorities impose on the IAB TCF must also apply to consent management services. In addition to questions of transparency and the definition of the purposes for which consent applies (consent that is too broadly defined carries the risk of violating the principle of purpose limitation), the question of the joint responsibility of the parties involved remains. In this respect, it should be noted that the Belgian data protection authority has declared IAB Europe to be jointly responsible (see our updates no. 174, 155, 131, 128 and 76).

It remains to be seen whether corresponding consent management services will also map data protection consent under the GDPR in the future, as well as facilitate the fulfillment of data subjects' rights, thereby increasing their attractiveness. In any case, it seems doubtful that – aside from the legal aspects – a factual obligation for service providers to use recognized consent management services will develop.

There is no urgent need for action for vendors and publishers at this point in time. It is highly doubtful whether the EinwV will have a measurable influence on the transmission of consents.
