To keep telemedia and telecommunications safe, Germany introduced a new federal act on December 1, 2021: the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG).
The act aims to consolidate the Telecommunications Act 1996 and the Telemedia Act 2007 and to implement the cookie consent requirements of Article 5(3) of the ePrivacy Directive.
This post is meant to highlight the functions and components of TTDSG – the new cookie law for Germany. Let’s find out more about it.
What is TTDSG?
The TTDSG was drafted in response to the decision of the German Federal Court of Justice on the validity of cookie consent obtained through pre-checked tick boxes.
That decision took into account the ruling of the Court of Justice of the European Union (CJEU). The German Federal Court of Justice found that the amendments made to Article 5(3) of the Directive on Privacy and Electronic Communications had not been accurately transposed into German law.
The TTDSG was therefore introduced to set out the conditions for lawful cookie consent in Section 25. Although it is a German federal law, the TTDSG has an extensive scope.
This means that the law can apply to organizations operating across the globe. The TTDSG also distinguishes two types of cookies:
- The strictly necessary ones
- The ones that need consent
What are the requirements for a TTDSG-compliant cookie banner?
One of the major requirements for a TTDSG-compliant cookie banner is that the information displayed should comply with the GDPR. As per the EDPB, the following information is needed to get valid consent:
- The identity of the controller
- The type of data that will be collected and used
- The objective of every processing operation for which consent is asked
- Information regarding the use of the data for automated decision-making as per Article 22(2)(c) of the GDPR
- The existence of the right to withdraw consent
- The possible risks of data transfers owing to the absence of an adequacy decision and appropriate safeguards
Moreover, the objective of processing should be described concretely. Merely stating that cookies are being used is not sufficient. Likewise, simply stating that the information will be shared with third-party partners, and that these partners can combine it with other data, does not suffice.
In such a scenario, valid consent requires that the objective of the data processing is explained explicitly, especially if user profiles are created and contain data from other websites.
If third-party service providers are involved, they should be named clearly and individually. In a layered consent dialog, the right to withdraw consent should be mentioned on the first level.
Therefore, simply adding a link to the data protection notice in the consent window is not enough. If the reference to the right of withdrawal is missing, the consent will be assumed to be invalid.
Are there any legal bases other than consent that can be used for cookies under TTDSG or other laws?
Under the TTDSG, consent is the only legal basis for the use of cookies, subject to narrow exceptions. Therefore, relying on legitimate interest under Article 6(1)(f) of the GDPR as a legal basis for cookies is no longer possible.
Does the TTDSG provide more legal certainty on what is meant by ‘strictly necessary cookies’?
However, it is not a pecuniary necessity. For instance, a cookie that stores the items a visitor has placed in the shopping cart of an eCommerce site is regarded as ‘strictly necessary.’ Thus, it is exempt from the consent requirement under the TTDSG.
On the other hand, user tracking for the purposes of advertising, reach measurement, and other such practices is not strictly necessary for a telemedia service provider. It therefore requires consent under the TTDSG.
Because ‘strictly necessary’ cookies are an exemption, the term must be interpreted narrowly. Thus, only some third-party services and cookies can be used on the site without consent.
How long can I store data obtained from cookies under the TTDSG?
The TTDSG doesn’t set out any exact rules for the storage of data acquired from cookies or similar technologies. Nonetheless, the TTDSG applies alongside the GDPR. Fundamentally, if the data acquired from cookies or similar technologies contains personal information, the GDPR requirements have to be fulfilled, including the storage limitation principle established by Article 5(1)(e) of the GDPR.
It states that personal data, generally, should not be stored for longer than required for the objective for which it was collected.
Is cookie consent required to be obtained only by website operators under the TTDSG?
It has been clarified that the telemedia service providers to which the TTDSG applies include public and non-public bodies as well as private individuals who operate an app, a website or smart home applications.
In simple words, not just website owners but also other entities, such as operators of apps and smart home applications, have to obtain consent from users before storing or accessing information on their devices, unless an exemption applies.
Now that the TTDSG has entered into force, do I need to seek the users’ renewed cookies consent?
The TTDSG doesn’t contain any express rule on the validity of consent acquired before the law entered into force. However, the requirements for consent under the TTDSG are governed by the GDPR (Section 25(1)).
Accordingly, the validity of the consent is evaluated using the same assessment criteria as for consent under Article 6(1)(a) of the GDPR. If a company obtained consent before the TTDSG commenced and that consent complies with the GDPR, no new consent is required.
The TTDSG applies to companies even if they only participate in the provision of services in Germany; what exactly is meant by ‘participating in the provision of services’ under the TTDSG?
The TTDSG doesn’t define ‘participating in the provision of services.’ Consequently, it remains uncertain how low or high the bar for ‘participating’ in the provision of a certain service is.
To find out whether an organization has to comply with the TTDSG, the services that the organization doesn’t provide itself will also have to be assessed.
How do I obtain valid cookie consent under the TTDSG?
Following the decision of the CJEU and the implementation of the TTDSG, companies and organizations can no longer use pre-checked tick boxes as a valid way to obtain user consent.
Likewise, browsing, scrolling, and notice-only cookie banners don’t indicate that a user has consented to the placement of cookies. So, if you wish to get valid cookie consent under the TTDSG, you will have to give clear, unbiased information about how you will use the cookies.
Also, you will have to ask for specific consent for every category of cookies that you are using, such as targeting cookies or performance cookies. This information should be given to users before they can give consent, and the cookies must not be placed on their devices until the consent is acquired.
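The rules above (no pre-checked boxes, no consent inferred from scrolling, consent per category, nothing stored before consent, withdrawal possible) can be enforced in one place in front of every cookie write. The sketch below is an added example, not code from this post or from any plugin; the category names, the cookie names, the 'banner-click' source label and the in-memory Map standing in for the browser cookie jar are assumptions.

```javascript
// Optional categories are assumptions; 'necessary' is the only consent-exempt one.
const OPTIONAL = ['performance', 'targeting'];

function createConsentGate(jar = new Map()) {
  const granted = new Set(); // optional categories the user has opted into
  const owner = new Map();   // cookie name -> category, needed for withdrawal

  return {
    // Initial banner state: every optional box is unchecked (nothing pre-ticked).
    bannerDefaults: () => Object.fromEntries(OPTIONAL.map((c) => [c, false])),

    // Only an explicit banner action counts; scrolling or browsing never does.
    recordChoice(source, choices) {
      if (source !== 'banner-click') return false;
      for (const c of OPTIONAL) {
        if (choices[c] === true) granted.add(c);
        else this.withdraw(c);
      }
      return true;
    },

    // A write is refused until the cookie's category has consent.
    // Unknown categories are treated as requiring consent and refused.
    setCookie(category, name, value) {
      const allowed = category === 'necessary' || granted.has(category);
      if (!allowed) return false;
      jar.set(name, value);
      owner.set(name, category);
      return true;
    },

    // Withdrawal removes the grant and every cookie stored under it.
    withdraw(category) {
      granted.delete(category);
      for (const [name, cat] of owner) {
        if (cat === category) {
          jar.delete(name);
          owner.delete(name);
        }
      }
    },

    // Names of the cookies currently stored, sorted for easy inspection.
    cookies: () => [...jar.keys()].sort(),
  };
}
```

In a browser, the Map would be replaced by writes to and deletions from document.cookie, and third-party scripts would be loaded only after setCookie for their category would succeed.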
To help you comply with the TTDSG, there is GDPR Cookie Consent Pro, a plugin that also helps you comply with the EU GDPR’s cookie consent requirements and the CCPA’s “Do Not Sell” opt-out regulations.
Using this plugin you can:
- Get visitor consent for cookies using a fully customizable cookie consent bar on your website.
- Give your website visitors the option to revoke consent
- Display Cookie categories to your website visitors and give the option to consent to cookies from a specific category.
- Stay GDPR Compliant
So, if you wish to comply with GDPR and TTDSG, buy GDPR Cookie Consent Pro today.