New requirements for cookies under the TTDSG – German Data Protection Authorities publish Guidance for Telemedia Providers

The German Data Protection Conference, the joint committee of the data protection authorities in Germany (Datenschutzkonferenz, "DSK"), has published new guidance (available here) for providers of telemedia services dated December 20, 2021. The guidance is not yet final, but is the subject of a public consultation procedure until March 15, 2022, so changes may still be expected. In terms of content, the guidance takes into account the provisions of the new German Telecommunication Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”) and replaces previous guidance by the DSK. The content of the new guidance primarily covers the requirements for obtaining effective consent for the use of cookies and similar technologies that require consent (e.g. tracking pixels and fingerprinting techniques; hereinafter collectively referred to as “Cookies”). An essential aspect here is the design of so-called consent banners (also often referred to in practice as "cookie banners", "consent management platforms" ('CMP') or "cookie walls") which are used on telemedia services, such as websites, smartphone apps, smart TVs and in the infotainment systems of connected cars. In addition, the guidance contains explanations on the exceptions to the need for consent pursuant to Sec. 25 (2) TTDSG. The processing of the personal data collected by Cookies is only marginally covered. This article primarily covers the specifications for the design of consent banners and presents the DSK’s main guidelines.

Background

The new TTDSG has been in effect since December 1, 2021. The new Sec. 25 TTDSG – which implements Art. 5 (3) e-Privacy Directive into national law – is decisive for the use of Cookies. In contrast to the previous regulation in Section 15 (3) German Telemedia Act (Telemediengesetz, “TMG”], this provision now explicitly provides that Cookies that do not fall under the specific exceptions of Sec. 25 TTDSG require consent. With regard to the requirements for the effectiveness of consent, Sec. 25 TTDSG refers to the provisions of the GDPR. Art. 4 No. 11 GDPR and Art. 7 and 8 GDPR in particular are therefore decisive. However, the GDPR itself does not contain any sufficiently concrete specifications as to how consent is to be obtained in connection with the use of Cookies. Against this background, therefore, the question has repeatedly arisen in recent years as to which specific requirements apply to the design of consent banners. This discussion was then given significant impetus last year by numerous complaints from the NOYB organization founded by the data protection activist Max Schrems, which focused on, inter alia, the (alleged) non-transparent design of consent banners. The German data protection authorities have so far been more reserved and have rather foregone the issuance of clear guidelines. However, it can be assumed that the German data protection authorities will also pursue this issue promptly after the consultation process has been completed and will insist on the enforcement of the guidelines set out in the guidance (see our current practical risk assessment under "Conclusion").

Material statements of the guidance

The DSK’s requirements can essentially be summarized as follows:

• Clear and complete information on the use of Cookies
  
  Consent must be obtained in an informed manner, cf. Art. 4 No. 11 GDPR. According to the DSK, this requires that any storage and reading activities that are triggered by Cookies must be transparent and traceable. The user must therefore be informed of, inter alia, who will access the respective end device, the form and purpose in which the access will take place, the duration of the functional life of the Cookies and whether third parties can gain access to them. It should also be pointed out whether and to what extent the use of Cookies is associated with further data processing processes, which are then no longer subject to the TTDSG, but directly to the GDPR. And, of course, the reference to the right of withdrawal pursuant to Art. 7 (3) GDPR is of importance.
  
  Furthermore, the DSK requires that the information on the purposes must be sufficiently specific. General information on the purposes, such as "improving the user's experience", "advertising purposes", "IT security purposes" is not sufficient – at least not without further information. In this respect, the DSK itself points out the possibility of building consent banners in several layers and only providing detailed information on a second level. In the event that there is already a button on the first level with which consent is obtained (e.g. an "Accept all" button), the DSK then explicitly requires that specific information on all individual purposes must also be stated on the first level.
  
  In practice, this will probably mean that consent banners on the first level will have to be designed even more comprehensively in the future. In the case of devices with a limited field of view (e.g. on mobile phones) in particular, the challenge for telemedia providers is, on the one hand, to provide sufficient information to meet the requirements of the DSK and, on the other hand, to enable the user to have an optimal user experience. It is helpful here to use a CMP, which offers suitable design and adjustment options and displays appropriate formulations on the first level.

• Comprehensible design and labeling of buttons
  
  A key point – which the DSK believes is important when a button is clicked – is how the buttons are labeled and designed and which additional information are made available. According to the DSK, buttons with the designation "OK" or "Agree", "I consent" or "Accept" are NOT sufficient in individual cases if the accompanying informational text does not clearly state what is ultimately being consented to. According to the DSK, providing this additional information at a later level (e.g. via a detailed view integrated in the consent banner) is not sufficient. It must therefore be clearly understandable which functions the individual buttons have and which consequences are associated with clicking on them. It is, therefore, insufficient to merely obtain a consent banner from an external service provider. Rather, every company is required to configure the consent banner and, for example, change the naming of the buttons, in order to meet the DSK’s requirements.

• Unmistakable and unequivocally affirmative action
  
  Furthermore, an unequivocal and clearly confirmatory action (opt-in) must take place for consent to be effective. The users making the declaration of consent must indicate that they expressly consent to accessing and retrieving information from their device. Active action is therefore always required, for example, by clicking on a designated button in the consent banner, by selecting technical settings or other actions with which consent is clearly given. The DSK emphasizes hereby that silence, inactivity on the part of the user or pre-ticked boxes do not constitute consent. Effective consent is also not given if the user merely scrolls or continues surfing on a website, as this has no legal explanatory content.

• Provision of equivalent options for accepting and rejecting Cookies
  
  Furthermore, users must be offered equivalent options for granting and refusing consent. When designing a consent banner, care must therefore be taken to ensure that users are provided with selection options for accepting and rejecting Cookies which have an equivalent communication effect. In practice, this means that if a consent button is located on the first level of the consent banner (e.g. an "Accept All" button), there must also be a reject button on the first level.
  
  In contrast, according to the DSK, it is not sufficient that the user can agree to the use of Cookies directly, but cannot directly reject such use and must first take further action to refuse consent. In this respect, the DSK explicitly states an example of where, on the first level of a consent banner, there is an "Accept all" button and another button labeled "Settings" or "Details", which the user can use to open another detail mask in which they can refuse the use of some or all Cookies.

• Simple possibility to refuse consent
  
  Users must continue to have a genuine and free choice to refuse or withdraw consent, without suffering any disadvantage as a result. The decisive factor here is whether the user is being forced to make a statement or whether the user can simply remain inactive. According to the DSK, prohibited force may be assumed where a consent banner or other graphic elements for the request of consent cover access to a website in whole or in part and the banner cannot simply be closed, but requires interaction from the user. Here, too, the user must be able to close the consent banner and reject the use of Cookies that require consent without any measurable additional effort.

• The possibility to withdraw consent
  
  Another important point concerns the possibility to withdraw consent. First of all, the DSK points out that if consent is given electronically via a website, it must also be possible to withdraw consent in this way. It is therefore not permissible to refer users to other communication channels (e.g. telephone, letter, fax, email). On the contrary, the DSK requires that users must have direct access to the settings (e.g. via a direct link or an icon that is always visible). Some of the consent management tools available on the market contain corresponding functions. However, it is unclear to this extent how the always visible direct link or the icon would have to be designed, and in particular, whether a direct link or icon contained in a fixed place in the header or footer of the website would be sufficient or whether the direct link or icon actually always has to be continuously visible in the user’s display

Conclusion

Overall, it can be ascertained that the guidance contains valuable information for telemedia providers on the design of consent banners. In practice, however, the implementation of these requirements is likely to pose a challenge for them. This applies in particular to those providers which have their own consent banners and now have to reprogram them.

It can also be assumed that the German data protection authorities will promptly monitor and enforce the implementation of the requirements as soon as the consultation process has been concluded and the guidance has been finally adopted. A large number of complaints are already pending with the German data protection authorities. Officials have so far said that these complaints have been temporarily put on hold, at least until the German data protection authorities agree on a uniform approach. This is now the case. However, it is also clear that many of the DSK’s requirements have NOT yet been enforced in court! It is certainly possible that different views will prevail in court. However, the risk of being exposed to fine proceedings still remains. So far, the German and other European data protection authorities – despite all of the strict guidelines – have been rather hesitant and reserved. However, every company is now required to reassess the risk and benefit of the specific design of the consent banners used, as considerable resistance to the previous practice is slowly forming throughout Europe.

For example, various data protection authorities within the EU have been taking action since the beginning of the year against the illegal use of Cookies that require consent. This relates in particular to the use of tracking tools such as Google Analytics. The French data protection authority "CNIL" recently imposed a fine in this regard of EUR 150 million on Google and EUR 60 million on Facebook. A major reason for the fines was that the websites of Google and Facebook did not have an equivalent option for rejecting Cookies that required consent. Instead several clicks were required in order to do so, while consent could be easily declared with one click at the first level. The European Data Protection Supervisor (“EDPS”] also recently banned the use of Google Analytics on a website of the European Parliament. One reason for this was that the cookie banner used on the first level did not contain an option to reject the use of Cookies that required consent, while consent was possible on the first level. The EDPS also identified further deficits in connection with the use of Cookies requiring consent and the design of the consent banners used (e.g. insufficient information on the functionality of the Cookies used, the lack of documentation on compliance with the requirements for transfer to third countries pursuant to Art. 44 et seqq. GDPR). At the same time, a complaint by Schrems was upheld in Austria in January, and the use of Google Analytics was also banned for the first time in Austria in an official decision.

In this respect, it should be noted that obtaining consent for the use of Cookies in accordance with data protection regulations represents an essential component of data protection compliance. At the same time, the aforementioned procedures in other EU countries show that a large number of other issues also play an important role here. This applies above all to the lawful data transfer of personal data to third countries. This issue is another aspect that has gained the attention of the data protection authorities after the Schrems II judgment of the ECJ and the introduction of the new EU standard contractual clauses, especially when tracking tools from international providers are used. For instance, the CNIL announced on Februar 10, 2022 (see the press release here) that data transfers to the USA as part of the use of Googloe Analytics does not comply with the GDPR and has therefore ordered a French website manager to bring the processing into compliance with the GDPR or, if necessary, cease to use the Google Analytics functionality.