March 4, 2022

Germany Federal Act on Privacy in Telecommunications and Telemedia (TTSDG)

The TTSDG came into effect in Germany on 1 December 2021. Learn all about this legislation in this article.

The Federal Act on Privacy in Telecommunications and Telemedia (German abbreviation: TTSDG) has come into effect in Germany on 1 December 2021. It brings some adjustments to the national legislation aiming to align the whole privacy legislation with the privacy acts of the European Union.

The TTSDG does not bring any significant new requirements for businesses. It deals with the use of cookies in electronic communication, so if you interact with German users or operate from Germany, you need to be aware of these requirements and ensure that you meet them, otherwise you are going to be penalized. 

What is the Federal Act on Privacy in Telecommunications and Telemedia (TTSDG)?

The Federal Act on Privacy in Telecommunications and Telemedia (TTSDG) regulates privacy in electronic communications and telemedia. It merges two laws - the Telemedia Act and the Telecommunications Act and harmonizes them with the ePrivacy Directive and the General Data Protection Regulation of the EU.

This makes Germany the last EU country to fully align its national legislation with the ePrivacy Directive 2002, and with the EU privacy regulations.

Update: Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation

What’s new in TTSDG?

TTSDG regulates the use of cookies but it does not bring any significant changes as it just aligns with the EU rules we are already familiar with.

Coverage

TTSDG applies not only to cookies but to all the communications that result in storing information in the terminal equipment of the user. This means that it not only covers sending cookies to phones, laptop and desktop devices, and tablets, but it also covers any other equipment that may receive cookies in the future.

In practice, this would mean that whatever device is included in an Internet of Things network and is capable of receiving cookies is also covered by the TTSDG.

In addition, TTSDG applies to all the businesses that have a presence in Germany or provide products and services in Germany. Put simply, this means that it applies to every website that is available to German users.

Types of cookies according to TTSDG

TTSDG recognizes two categories of cookies:

  • Strictly necessary cookies. You don’t have to obtain consent for the use of these cookies as they are strictly necessary for the provision of services.
  • Non-necessary cookies. You need consent for these cookies, because they are not strictly necessary. They should only be used with the user’s consent. In all other cases, you must refrain from sending cookies to their devices.

Rules on cookies

Section 24 prescribes a requirement for consent for the use of cookies and rules according to which consent should be obtained from the user.

This section incorporates the Planet49 decision of the CJEU into the national law. The law is clear that the consent needs to be:

  • Freely given, which means that the user must not be lured into giving consent with access to content or anything else,
  • Specific, which means that the business has to obtain consent for each processing purpose separately,
  • Infomed, which means that the business has to inform the user about the processing at the moment of obtaining consent,
  • Unambiguous, which means that the user has to take affirmative action to provide consent. In practice, this means that the checkboxes to consent for each purpose has to be marked. Planet49 was penalized because they left the checkboxes marked although they should have been unmarked to begin with; and
  • Easily withdrawn, which means that the business has to make it possible for the user to withdraw the consent as easily as it was given.

The same section provides two exceptions to the rule where you do not have to obtain the user’s consent:

  • When the use of cookies is strictly necessary to provide telemedia services to the user, and
  • When the sole purpose for the use of cookies is to communicate over a public network.

In all other cases, you need consent for the use of cookies.

At the same time, TTSDG explicitly allows businesses to rely on Personal Information Management Systems (PIMS). PIMS grants users better control over consent related to processing their data. Businesses then interact with PIMS and process only the data which they have consent to process.

Penalties

Interestingly, the penalties prescribed in the TTSDG are significantly lower compared to GDPR and the Federal Data Protection Act (German abbreviation - BDSG). The penalties for violations are capped at EUR 300.000 for TTSDG, while the GDPR penalty caps are set at 4% of the annual turnover or 20 million EURO, whichever is greater.

Does the TTSDG replace BDSG and GDPR?

No, the TTSDG does not replace the BDSG and the GDPR. Note that the requirements in all the three laws are almost the same. With the updates, they are aligned with each other and are therefore easier to implement.

How can you comply with the TTSDG?

TTSDG explicitly requires you to obtain consent for the use of cookies. You can do so by serving your website visitors with a TTSDG-compliant cookie banner that will collect and record their consent.

Remember, the consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous, and
  • Easily withdrawn.

In addition, you are required to keep records of all the obtained consents.

Secure Privacy can provide you with a ready-made SaaS for compliant consent collection according to the TTSDG and the GDPR. Sign up for a free trial here.

You can read about the Swiss Federal Data Protection Act.

Secure Privacy dashboard

Want to try
Secure Privacy?

Get your free cookie banner up and running today!