Germany Federal Act on Privacy in Telecommunications and Telemedia (TTSDG)
The TTSDG came into effect in Germany on 1 December 2021. Learn all about this legislation in this article.
The Federal Act on Privacy in Telecommunications and Telemedia (German abbreviation: TTSDG) came into effect in Germany on 1 December 2021. It adjusts the national legislation with the aim of aligning German privacy law as a whole with the privacy acts of the European Union.
What is the Federal Act on Privacy in Telecommunications and Telemedia (TTSDG)?
The Federal Act on Privacy in Telecommunications and Telemedia (TTSDG) regulates privacy in electronic communications and telemedia. It merges two laws, the Telemedia Act and the Telecommunications Act, and harmonizes them with the ePrivacy Directive and the General Data Protection Regulation of the EU.
This makes Germany the last EU country to fully align its national legislation with the ePrivacy Directive 2002, and with the EU privacy regulations.
What’s new in TTSDG?
TTSDG applies not only to cookies but to all the communications that result in storing information in the terminal equipment of the user. This means that it not only covers sending cookies to phones, laptop and desktop devices, and tablets, but it also covers any other equipment that may receive cookies in the future.
In practice, this would mean that whatever device is included in an Internet of Things network and is capable of receiving cookies is also covered by the TTSDG.
In addition, TTSDG applies to all the businesses that have a presence in Germany or provide products and services in Germany. Put simply, this means that it applies to every website that is available to German users.
Types of cookies according to TTSDG
TTSDG recognizes two categories of cookies:
- Strictly necessary cookies. You don’t have to obtain consent for the use of these cookies as they are strictly necessary for the provision of services.
- Non-necessary cookies. You need consent for these cookies, because they are not strictly necessary. They should only be used with the user’s consent. In all other cases, you must refrain from sending cookies to their devices.
Rules on cookies
This section incorporates the Planet49 decision of the CJEU into the national law. The law is clear that the consent needs to be:
- Freely given, which means that the user must not be lured into giving consent with access to content or anything else,
- Specific, which means that the business has to obtain consent for each processing purpose separately,
- Informed, which means that the business has to inform the user about the processing at the moment of obtaining consent,
- Unambiguous, which means that the user has to take affirmative action to provide consent. In practice, this means that the checkboxes for consenting to each purpose have to be marked by the user. Planet49 was penalized because they left the checkboxes marked although they should have been unmarked to begin with; and
- Easily withdrawn, which means that the business has to make it possible for the user to withdraw the consent as easily as it was given.
The same section provides two exceptions to the rule where you do not have to obtain the user’s consent:
At the same time, TTSDG explicitly allows businesses to rely on Personal Information Management Systems (PIMS). PIMS grants users better control over consent related to processing their data. Businesses then interact with PIMS and process only the data which they have consent to process.
Interestingly, the penalties prescribed in the TTSDG are significantly lower than those in the GDPR and the Federal Data Protection Act (German abbreviation: BDSG). The penalties for TTSDG violations are capped at EUR 300,000, while the GDPR penalty caps are set at 4% of the annual turnover or EUR 20 million, whichever is greater.
Does the TTSDG replace BDSG and GDPR?
No, the TTSDG does not replace the BDSG and the GDPR. Note that the requirements in all three laws are almost the same. With the updates, they are aligned with each other and are therefore easier to implement.
How can you comply with the TTSDG?
Remember, the consent must be:
- Freely given
- Unambiguous, and
- Easily withdrawn.
In addition, you are required to keep records of all the obtained consents.
Secure Privacy can provide you with a ready-made SaaS for compliant consent collection according to the TTSDG and the GDPR. Sign up for a free trial here.