December 22, 2020

German DSK Cookie Consent Guidelines: Key Steps for Compliance

Following the publication of the German DSK Cookie Consent Guidelines in April 2019, a federal court decision in May 2020 resulted in a change in cookie law enforcement in Germany. In addition, this decision triggered the introduction of a new law in Germany in December 2021. 

What is DSK?

Private sector companies in Germany are subject to the jurisdiction of state data protection authorities (DPAs). Examples include Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit - HmbBfDI), Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit - BlnBDI), among others. The DSK (short for “Datenschutzkonferenz” in German) is an association of German state data protection authorities. The DSK deals with and comments on the data protection issues in Germany. It serves as a coordinating body and makes no binding decisions on the organizations.

What are DSK cookie guidelines?

The German DSK issued its cookie guidelines in April 2019. The DSK cookie consent guidelines were designed to ensure that the German Telemedia Act (Telemediengesetz, or the TMG) was applied to telemedia activities. An example of such activity was the use of website cookies for targeted advertising after the GDPR (DSGVO) came into effect. The German DSK cookie consent guidelines, in particular, clarified and improved the previous statement on using website cookies issued in April 2018.  

The German Federal Court of Justice ruled in May 2020 that an opt-out mechanism for cookies is invalid under the German Telemedia Act. This decision stated unequivocally that the use of all non-essential cookies requires explicit cookie consent or opt-in from website users.  

Essentially, the Federal Court of Justice directed the DPAs to incorporate GDPR (DSGVO) requirements into future enforcement actions. The Federal Court of Justice's directive came after the Court of Justice of the European Union (CJEU) issued its ruling in the Planet 49 case.

Additionally, the German Court of Justice's decision broadened the scope of the German Data Protection Conference’s (DSK) guidelines for the use of website cookies, which were published on April 5, 2019.

On December 1, 2021, the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) entered into force in Germany, consolidating the German Telemedia Act and Telecommunication Act of 1996 as well as implementing the EU ePrivacy Directive's cookie consent requirements.

On December 22, 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German Telecommunication and Telemedia Privacy Act. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.

Other Data Protection Authorities that have issued cookie guidelines are as follows:

  • Spanish AEPD Cookie Guidelines: The Ultimate Guide
  • The Belgian Data Protection Authority
  • French CNIL Consent Guidelines
  • The Dutch DPA's Cookie Consent Guidelines
  • Greek DPA Cookie Consent Guidelines

With this in mind, let's look at what it takes to obtain GDPR and TTDSG-compliant cookie consent for your German website. 

  • Overview of GDPR (DSGVO) Requirements
  • ePrivacy Directive and Cookie Consent
  • The ePrivacy Directive and the Planet 49 Case
  • TTDSG Cookie Consent Requirements
  • German DSK Cookie Consent Guidelines
  • Penalties for Non-Compliance with German DSK Cookie Consent Guidelines
  • German DSK Cookie Consent Guideline Compliance and Secure Privacy

Overview of GDPR Requirements

The EU's General Data Protection Regulation, which was adopted in May 2018, imposed strict regulations on how you collect and process data from EU citizens. 

In this context, personal data refers to information that can be used to identify an individual, such as:

  • A user’s name
  • Email
  • Phone number
  • Location data
  • Cookies 
  • IP Address  

Based on this understanding, the GDPR's main principles are as follows:

  1. Limit the data you collect to what you really need

Ensure you know all the categories of personal information you collect to avoid collecting unnecessary data.

  2. Store data only for as long as necessary

You should implement relevant data retention measures for your users' data and remove the data when it is no longer required.

  3. Avoid keeping personal data without obtaining valid cookie consent from your users

Obtain clear and affirmative consent from your website visitors before placing cookies on their devices to collect personal information.

  4. Exercise transparency when it comes to the data you collect from users

You should disclose the types of personal data you collect, why you collect it, and who receives the personal data you collect.

  5. Use the personal information you collect strictly for the stated purposes
  6. Ensure that you keep your users’ personal data secure from breaches
  7. Provide your users a way to delete their account, as well as modify or erase their data

Check out these extra resources to learn more about what you need to do to be GDPR compliant. 

https://gdpr-info.eu/issues/

https://techblog.bozho.net/gdpr-practical-guide-developers/

ePrivacy Directive and Cookie Consent

In layman’s terms, the ePrivacy Directive states that if you want to access your website users' personal information by placing cookies on their device, you must first obtain their consent. 

Cookie consent is considered validly obtained under the ePrivacy Directive if it is:

  • Freely given
  • Specific
  • A clear indication of your user’s wishes

The only exception to this rule is when access to such information is strictly necessary, such as when providing an Electronic Communications Service (ECS) or an Information Society Service (ISS). 

The main difficulty in enforcing EU Cookie Law's consent requirements is that it has been interpreted as a directive for having a simple consent banner on your website by most DPAs across Europe. 

Similarly, the German Data Protection Conference, the umbrella body of state DPAs, was not enforcing this section of the ePrivacy Directive. 

This is because regulators believed that the requirements outlined in this clause were already included in the German Telemedia Act. 

All of this changed in May 2020, following the ruling by the Court of Justice of the European Union (CJEU) in the case involving Planet 49’s use of advertising cookies, after the German Federal Court of Justice had requested clarification from the EU’s top court.

The ePrivacy Directive and the Planet 49 Case

Planet 49, a German company, launched an online competition in 2013 that required participants to provide their name, address, and postcode in order to participate. 

Additionally, would-be participants were asked to consent to two things:

  • Marketing communications by post or SMS
  • Analytics and marketing cookies

While the cookie banner's box for marketing communications was left blank, the second box for analytics and marketing cookies was pre-checked.

Because of this, participant complaints compelled the Federation of German Consumer Organizations to sue Planet 49. 

The German Court of Justice referred the case to the CJEU for legal interpretation and guidance. 

The CJEU issued its decision in May 2020, concluding that Planet 49’s practices violated cookie consent requirements under both the GDPR (DSGVO) and the ePrivacy Directive. 

The ePrivacy Directive, as previously stated, states that consent is only valid when it is freely given, specific, and provides a clear indication of the user’s wishes. 

It's also worth noting that, according to the EU Cookie Law, a checkbox is a legal way to obtain cookie consent.

The CJEU's primary findings in this case are as follows:

  • The un-ticked checkbox was compliant with both GDPR (DSGVO) and the ePrivacy Directive
  • The pre-ticked box was in violation of cookie consent regulations
  • Consent obtained via pre-checked boxes is invalid because it does not meet data protection requirements. 

The ePrivacy Directive was not fully implemented in Germany because some of its requirements were considered similar to the German Telemedia Act.

This means that the Planet 49 decision did not completely change the law. Instead, it had one significant implication: 

  • German data protection and cookie laws will now be interpreted according to the GDPR and the ePrivacy Directive. 

For the sake of clarity, this means: 

  • The consent you receive is considered valid only when it is freely given
  • The consent you obtain must clearly indicate the user’s wishes 
  • The consent you receive if you use pre-ticked checkboxes is invalid under both the ePrivacy Directive and the General Data Protection Regulation (DSGVO).
  • You should inform your users about the cookies you have on your website in your cookie notice, because consent is considered invalid if people are unaware of what they are consenting to. 

Our blog gives you a detailed breakdown of the CJEU’s ruling in the Planet 49 Case. Read it here: https://secureprivacy.ai/blog/the-planet-49-judgement-key-takeaways

TTDSG Cookie Consent Requirements

The TTDSG is the result of the German Federal Court of Justice's reaction to the validity of consent when placing cookies on end-user devices. The law incorporates Article 5(3) of the EU ePrivacy Directive into Section 25 of the TTDSG almost word for word. In fact, this was one of the motivations behind the creation of the TTDSG.

According to this section of the TTDSG, the storage of information on end users’ devices or access to information already stored on such devices is only permitted with the end user's consent. There are some exceptions, which are as follows:

  • When the only purpose of storing information on the end user’s device, or accessing information already stored on the end user’s device, is to send a message over a public telecommunications network; or
  • When the storage of information on the end user’s device, or access to previously stored information on the end user’s device, is “absolutely necessary” for providing a “service expressly requested by the user.”

The DSK issued its guidelines in December 2021, shortly after the TTDSG went into effect, and they primarily addressed Section 25 of the TTDSG, which implements the cookie consent requirements of the EU ePrivacy Directive. 

German DSK Cookie Consent Guidelines

You must do the following to comply with the German DSK cookie consent guidelines:

  1. Set tracking cookies only if you have explicit prior consent from your website visitors.

For non-essential cookies, such as those set by Google Analytics on your website, you must give your users a way to opt in to the tracking of their personal information.

  2. Avoid requiring users to accept tracking cookies to access your website's content

Cookie banners with pre-checked boxes for marketing/advertising cookies and wording such as “by using this website, you agree to our use of cookies” no longer constitute valid consent under the German DSK cookie consent guidelines.

  3. Allow users to opt out of tracking cookies

Apart from the essential cookies required for your website to function properly, you must allow users to opt out of tracking cookies in accordance with the German DSK cookie consent guidelines.

  4. You do not need to obtain valid GDPR cookie consent for essential cookies

The German DSK cookie consent guidelines state that you do not need to obtain user consent to deploy cookies that do not contain personally identifiable information.

Similarly, you are not required to provide users with the ability to opt out of the deployment of these cookies.

If you only use essential cookies, you should avoid using cookie consent mechanisms (such as a cookie banner) to obtain end-user consent, as this would unnecessarily interfere with the service.

In your cookie and privacy policies, disclose all of the types of cookies you use on your website, as well as the purpose of each.

  5. Take precautions with embedded content

Tracking cookies are frequently set by Facebook, YouTube, and other third-party widgets embedded on your website. You need to either disable their ability to collect personal data from your users or avoid them entirely.

  6. Disclose all the cookies you use on your website and communicate the purpose of each to your users in your cookie and privacy policies.
  7. Do not use pre-checked consent boxes

Learn more about tracking cookies and GDPR compliance here: 

https://techblog.bozho.net/tracking-cookies-gdpr/

https://secureprivacy.ai/blog/gdpr-cookie-consent

DSK-Compliant Cookie Banner Examples

While the compliance of each cookie banner must be assessed on a case-by-case basis, there are a number of requirements that cookie banners must meet in order to be compliant with German authorities. You can read more on GDPR cookie consent examples and GDPR Cookie Guidelines.

[Screenshot: non-compliant cookie banner]

This cookie banner is non-compliant since:

- It does not provide an option to reject cookies

- It does not provide an option for separate consent for each cookie category.

- It does not contain any link or button to explicit cookie policy/declaration.

[Screenshot: cookie banner]

(Source: www.fcbayern.com)

This cookie banner is likely compliant since:

- It provides for an option to refuse cookies

- It provides for an option to consent or reject separate cookie categories

- It contains a link to the cookie policy

- It contains a link to the cookie settings where users can get detailed information about each cookie category.

Penalties for Non-Compliance with German DSK Cookie Consent Guidelines 

If you are found to be violating the German DSK cookie consent guidelines, you will face GDPR and TTDSG enforcement actions. When it comes to placing cookies on users' devices and accessing information on users' devices, the TTDSG takes precedence over the GDPR. As a result, failure to comply with the TTDSG's cookie consent requirements carries the statutory penalty. In contrast, further processing of information collected through cookies is subject to the GDPR and thus to the penalties under the GDPR.

Notably, the monetary penalty for intentional and unintentional violations of Section 25 of the TTDSG is set at 10,000 EUR. This is far less severe than the administrative penalties outlined in the GDPR. However, any violation which involves subsequent processing of data collected through cookies is subject to GDPR fines. 

Checklist for DSK Cookie Guidelines

To comply with German DSK cookie guidelines, you need to ensure that you comply with the following checklist:

▢ Have a cookie consent banner to collect users’ consent to use cookies  

▢ Do not place cookies before obtaining consent, except for essential cookies

▢ Do not use cookie walls

▢ Provide explicit information about cookie use and communicate the purposes; include a link to your Privacy Policy and/or Cookie Policy

▢ Do not use pre-ticked boxes

▢ Allow the user to reject cookies, and do not set any non-essential cookies before the user has made a choice

▢ Collect consent for each category of processing

▢ Provide “accept” and “reject” options in the same manner and with equal prominence. 

▢ Do not rely on silence or inactivity, such as browsing the website, to obtain consent

▢ Avoid using third-party widgets or disable their ability to collect personal data from your users
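As an added example (not code from the original post or from Secure Privacy's product), the following JavaScript models the gating logic behind the guideline steps and the checklist above: no category is pre-ticked, silence or continued browsing is never treated as consent, only essential scripts run before a decision, "reject all" is a single call just like "accept all", and the decision is persisted in a first-party cookie that is parsed defensively so a malformed record can never be read as consent. The category names, the cookie name `consent_demo`, and the script registry are constructed for this example.

```javascript
// Added example: a consent-gating model for the DSK/TTDSG rules described above. Not code from
// the original post or from Secure Privacy. The category names, the cookie name "consent_demo"
// and the script registry below are constructed for this example.

const CATEGORIES = ["essential", "analytics", "marketing"];

// Fresh state: no decision recorded and every non-essential category off (nothing pre-ticked).
function createConsentState() {
  return {
    decided: false,
    granted: { essential: true, analytics: false, marketing: false },
    decidedAt: null,
  };
}

// Record an explicit per-category choice. Essential cookies fall under the TTDSG exception and
// are always allowed; a missing or non-boolean choice is an error, never treated as "yes" or "no".
function recordConsent(choices, now = Date.now()) {
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key) || key === "essential") {
      throw new Error(`unexpected category in choices: ${key}`);
    }
  }
  const granted = { essential: true };
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`missing explicit choice for category: ${cat}`);
    }
    granted[cat] = choices[cat];
  }
  return { decided: true, granted, decidedAt: now };
}

// "Reject all" is one call with no extra steps, exactly like "Accept all" (equal prominence).
function rejectAll(now = Date.now()) {
  return recordConsent({ analytics: false, marketing: false }, now);
}
function acceptAll(now = Date.now()) {
  return recordConsent({ analytics: true, marketing: true }, now);
}

// The gate: an undecided state permits only essential scripts, so inactivity is not consent.
function mayLoad(state, category) {
  if (category === "essential") return true;
  if (!state.decided) return false;
  return state.granted[category] === true;
}

// Deferred-script registry: each third-party tag is registered with its category and executed
// only once the gate allows it. Returns the names that were loaded.
function loadPermitted(state, registry) {
  const loaded = [];
  for (const entry of registry) {
    if (mayLoad(state, entry.category)) {
      entry.load();
      loaded.push(entry.name);
    }
  }
  return loaded;
}

// Persist the decision in a first-party cookie so the banner is not shown on every page. The
// cookie stores only the consent record itself, which is why no further consent prompt is needed.
function buildConsentCookie(state, maxAgeSeconds = 180 * 24 * 3600) {
  if (!state.decided) throw new Error("no decision to persist");
  const payload = encodeURIComponent(JSON.stringify({ g: state.granted, t: state.decidedAt }));
  return `consent_demo=${payload}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read the decision back. A missing, malformed or tampered cookie yields an undecided state,
// so a broken record can never be mistaken for consent.
function parseConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)consent_demo=([^;]*)/.exec(cookieHeader || "");
  if (!match) return createConsentState();
  try {
    const data = JSON.parse(decodeURIComponent(match[1]));
    const choices = {};
    for (const cat of CATEGORIES) {
      if (cat !== "essential") choices[cat] = data.g[cat];
    }
    return recordConsent(choices, data.t);
  } catch (err) {
    return createConsentState();
  }
}

// Constructed registry standing in for real tags; the load() bodies are no-ops here.
const demoRegistry = [
  { name: "session-handler", category: "essential", load() {} },
  { name: "analytics-tag", category: "analytics", load() {} },
  { name: "ad-pixel", category: "marketing", load() {} },
];

// One visit: before any decision, after a partial opt-in, and after a reload that re-reads the cookie.
function demo() {
  const beforeDecision = loadPermitted(createConsentState(), demoRegistry);
  const partial = recordConsent({ analytics: true, marketing: false }, 1700000000000);
  const afterPartial = loadPermitted(partial, demoRegistry);
  const restored = parseConsentCookie("sid=abc; " + buildConsentCookie(partial).split(";")[0]);
  const afterReload = loadPermitted(restored, demoRegistry);
  return { beforeDecision, afterPartial, afterReload };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real banner the `load()` callbacks would inject the third-party script tags, and the UI would call `recordConsent` only from an explicit click; the important property to verify is that nothing in the registry except the essential entry can run while `decided` is false, and that the persisted cookie round-trips to exactly the choices the user made.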

German DSK Cookie Consent Guideline Compliance and Secure Privacy

Secure Privacy is a powerful yet user-friendly solution for achieving compliance with the German DSK cookie consent guidelines. 

With Secure Privacy’s GDPR compliance tool, you get:

Easily customizable and stylish cookie consent banners to help you manage consents from your users and allow them to opt in to and out of the different types of cookies you have on your website, in accordance with the ePrivacy Directive and GDPR requirements

Unique cross-domain consent capability that allows your users to manage their cookie preferences across multiple domains in a single step

A powerful cookie policy generator that allows you to automatically customize your cookie declarations and disclosures to your users.

Advanced monthly website scanning to ensure you are aware of all cookies on your website, the type of personal information they collect, their provenance, and the recipients of the data collected. 

Prior consent tool to ensure that cookies are not deployed before users consent to the collection and processing of their data. 

Real-time logs and consent tracking, so you can maintain recoverable records of your data subjects' consent statuses in case the German DSK requires them.

70+ language support, which enables you to set your cookie consent banner in the language of your target users 

Precise geolocation capability that allows you to show your cookie consent banner to German users only.

A future-proof solution with unrivaled agility in responding to evolving cookie consent compliance regulatory changes. 

Check out our video and learn more about Secure Privacy’s Top 6 Enterprise Features: https://www.youtube.com/watch?v=iULVRao0UcY&list=LL&index=5

If you want our data protection expert to perform a quick ‘check-up’ of your website, cookie consent banner, or cookie policy, book a call with one of our experts today.

You might also be interested in: 

Read our detailed guide on how to make your website compliant with the GDPR: https://secureprivacy.ai/solution/gdpr

Relevant Links

  • German DSK Official Website
  • German DSK Cookie Consent Guidelines
  • German DSK Guidance for Providers of Telemedia Services

You may also want to check out these other Cookie Consent Guidelines from other EU DPAs:

  • French CNIL Cookie Consent Guidelines
  • Irish Data Protection Commission Cookie Consent Guidance
  • Belgian DPA’s Cookie Consent Guidance
  • The Spanish AEPD Cookie Consent Guidelines
  • The Swedish Datainspektionen’s Cookie Consent Guidelines
  • UK ICO’s Cookie Consent Guidance
  • Dutch DPA Cookie Consent Guidelines
  • Greek DPA Cookie Consent Guidelines
  • Czech Cookie Law