Update Data Protection No. 144
New draft regulation for consent management services (PIMS) pursuant to section 26 TTDSG
As of June 1, 2023, the German Federal Ministry of Transport and Digital Infrastructure (Bundesministerium für Digitales und Verkehr, “BMDV”) published a new draft bill for a regulation on consent management services (Consent Management Regulation Einwilligungsverwaltungsverordnung, “EinwV”) under the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”). The draft regulation now sets out the specific requirements for the recognition of corresponding services for consent management pursuant to section 26 TTDSG.
Background and content of the draft regulation
The new TTDSG, which regulates the use of cookies and similar technologies (hereinafter collectively referred to as “cookies”) in section 25 et seq. TTDSG, has been in force since December 1, 2021. Many telemedia providers (e. g. websites, mobile apps) use such cookies to store on or read information from end users’ devices. This, for example, enables users to be recognized, settings to be restored or activities to be tracked and personalized advertising to be displayed.
As a general rule, the use of cookies requires consent unless one of the exceptions provided for in section 25 TTDSG applies. In practice, corresponding consents are obtained via consent or cookies banners. In the last few years, discussion has mainly centered around the question of which specific requirements have to be observed when designing such consent banners (see our Data Protection Updates No. 108 and No.139). Even though many providers have already adapted their consent banners in the meantime, there remains often still the difficulty that users lose the plot when it comes to managing their consents.
The idea of the German legislator is that consent management services – also called Personal Information Management Services (PIMS) – will counteract this problem. For example, when a user accesses a website the website will use a central consent management system to check whether the user has already provided the relevant consents. This means users do not have to grant or refuse their consent each time via a consent banner. In light of the above, explicit provisions are contained in section 26 TTDSG governing the recognition of such services for consent management.
According to section 26 (1) TTDSG, consent management services are recognized by the competent body if the requirements specified in the provision are met in accordance with an ordinance issued by the legislator – in this case the EinwV. Recognition is subject to the respective consent management services having a user-friendly and competitive procedure for obtaining and managing consent, as well as no commercial economic self-interest in granting the consent and in the managed data, and being independent from companies who may have such interest. Furthermore, the personal data and the information on consent decisions may not be processed for any other purposes than consent management. Finally, a security concept must be in place that enables an assessment of the quality and reliability of the services and the technical applications and from which it follows that the service meets the legal requirements for data protection and data security, in particular based on the General Data Protection Regulation (GDPR), both technically and organizationally.
In terms of content, the draft regulation now sets out the user-friendliness and competition conformity requirements that a consent management service must meet in order to be recognized. Furthermore, the draft regulation deals with the procedure for the recognition of consent management services by the competent independent body as well as the technical and organizational measures of providers of telemedia and software (e. g. website operators, browser suppliers) in order to comply with end users’ consent settings and to take into account the integration of recognized consent management services.
Requirements for user-friendly and competitive procedures and technical applications
According to the draft regulation, a procedure is “user-friendly” if:
- the user interface of the consent management service is designed in such a transparent way that it does not impair or hinder the end user’s ability to make a free and informed decision;
- end users can view the consents they have given or refused, including the time stamp for the consents given and the information made available to the end user in the consent management service, at any time;
- the decisions to refuse or grant consent can be changed at any time; and
- end users are reminded about their consent settings and prompted to review them when relevant access and storage operations change.
A consent management service is deemed to comply with competition law if it ensures that every telemedia provider can ask the end user for the required consents under the same conditions and that the decisions taken by the end users in this regard are transmitted to them. Furthermore, there must be a uniform presentation of the telemedia providers on its user interface, arranged in alphabetical order according to the names kept available, as well as a uniform appearance of the consent settings and the information required for them.
The requirements for the technical applications for obtaining and managing consent shall, where necessary, be set out in a technical guideline.
Regulations on the recognition procedure
The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, “BfDI”) is responsible for recognition of consent management services. The recognition procedure will first be preceded by an application to be submitted in writing or electronically to the BfDI.
Furthermore, a security concept must be presented that enables an assessment of the quality and reliability of the consent management. The security concept must show that the service meets GDPR legal requirements for data protection and data security, both technically and organizationally. For example, the security concept must include, among other things, information on the security of personal data and information on consent decisions to be processed by the service as well as measures to ensure that personal data and information on consent decisions are processed. Moreover, the requirements of the second part of the regulation must be implemented.
If the above requirements are met, the BfDI decides on the recognition within six weeks and enters the recognized service in a public register. This recognition can be revoked if the BfDI becomes aware of facts according to which the requirements for recognition can no longer be met.
Requirements for technical and organizational measures by software and telemedia providers and manufacturers
The draft regulation sets out various requirements for technical and organizational measures that are directed at providers and manufacturers of software products on the one hand and at telemedia providers on the other. The background to this provision is that the relevant providers and manufacturers should ensure that corresponding consent management services can also be properly integrated and work smoothly.
Accordingly, software manufacturers and providers should ensure that their software allows the integration of recognized consent management services. On the other hand, the respective software should not be provided in such a way as to suppress, delay, decrypt or otherwise alter any signal deposited via the consent management service or end users’ attitude to consent.
Telemedia providers should ensure that the involvement of a recognized consent management service is taken into account by end users when accessing their telemedia service and that it is verified whether the end user has already made decisions on consent and these are stored with the consent management service.
Outlook & conclusion
As a next step, the draft regulation will now be forwarded for consultation to the federal states in Germany, local authority central associations as well as expert groups and organizations. It remains to be seen to what extent any changes will be made within the scope of this participation. The draft regulation is not expected to be adopted until the consultation has been completed.
In terms of content, the intention of the legislator with the new draft regulation is to be welcomed, as it will give end users more control over the consent they have given to different telemedia providers. Furthermore, the legislator wants (at least partially) to put a stop to dark patterns, i. e. design patterns that are intended to tempt website visitors into undesirable acts through hidden or manipulative design, by ensuring that the user interface of the consent management service is so transparent that users’ ability to make a free and informed decision is not put at risk.
Overall, the draft regulation provides clear guidelines for consent management, in order to improve the protection of user data and transparency in the use of cookies and provides end users with an alternative procedure for the granting or refusal of consent enquiries under section 25 (1) TTDSG by telemedia providers. Whether these ideas and objectives of the BMDV are met however remains to be seen. The BfDI as the competent public authority for the recognition procedure is already not under-utilized, and experiences from the area of protection of minors show that certifications must meet stringent requirements, under which usability suffers, which is why such services are rarely used. Therefore, it remains to be seen to what extent corresponding consent management services will actually go through the envisaged recognition procedure in the future.