Update Data Protection No. 108
New requirements for cookies under the TTDSG – German Data Protection Authorities publish Guidance for Telemedia Providers
The German Data Protection Conference, the joint committee of the data protection authorities in Germany (Datenschutzkonferenz, "DSK"), has published new guidance (available here) for providers of telemedia services dated December 20, 2021. The guidance is not yet final, but is the subject of a public consultation procedure until March 15, 2022, so changes may still be expected. In terms of content, the guidance takes into account the provisions of the new German Telecommunication Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”) and replaces previous guidance by the DSK. The content of the new guidance primarily covers the requirements for obtaining effective consent for the use of cookies and similar technologies that require consent (e.g. tracking pixels and fingerprinting techniques; hereinafter collectively referred to as “Cookies”). An essential aspect here is the design of so-called consent banners (also often referred to in practice as "cookie banners", "consent management platforms" ('CMP') or "cookie walls") which are used on telemedia services, such as websites, smartphone apps, smart TVs and in the infotainment systems of connected cars. In addition, the guidance contains explanations on the exceptions to the need for consent pursuant to Sec. 25 (2) TTDSG. The processing of the personal data collected by Cookies is only marginally covered. This article primarily covers the specifications for the design of consent banners and presents the DSK’s main guidelines. BackgroundThe new TTDSG has been in effect since December 1, 2021. The new Sec. 25 TTDSG – which implements Art. 5 (3) e-Privacy Directive into national law – is decisive for the use of Cookies. In contrast to the previous regulation in Section 15 (3) German Telemedia Act (Telemediengesetz, “TMG”], this provision now explicitly provides that Cookies that do not fall under the specific exceptions of Sec. 25 TTDSG require consent. With regard to the requirements for the effectiveness of consent, Sec. 25 TTDSG refers to the provisions of the GDPR. Art. 4 No. 11 GDPR and Art. 7 and 8 GDPR in particular are therefore decisive. However, the GDPR itself does not contain any sufficiently concrete specifications as to how consent is to be obtained in connection with the use of Cookies. Against this background, therefore, the question has repeatedly arisen in recent years as to which specific requirements apply to the design of consent banners. This discussion was then given significant impetus last year by numerous complaints from the NOYB organization founded by the data protection activist Max Schrems, which focused on, inter alia, the (alleged) non-transparent design of consent banners. The German data protection authorities have so far been more reserved and have rather foregone the issuance of clear guidelines. However, it can be assumed that the German data protection authorities will also pursue this issue promptly after the consultation process has been completed and will insist on the enforcement of the guidelines set out in the guidance (see our current practical risk assessment under "Conclusion"). Material statements of the guidanceThe DSK’s requirements can essentially be summarized as follows: |
|
ConclusionOverall, it can be ascertained that the guidance contains valuable information for telemedia providers on the design of consent banners. In practice, however, the implementation of these requirements is likely to pose a challenge for them. This applies in particular to those providers which have their own consent banners and now have to reprogram them. |