German officials are working on a draft law that would update the TTDSG and change how businesses get users’ permission.
According to the reports, businesses can use consent management services to get permission for multiple websites at once and avoid using cookie banners.
What exactly does that mean for your business? Let’s dive into the details of the new legal situation.
What Is the German Telecommunications-Telemedia Data Protection Act (TTDSG)?
TTDSG is the German abbreviation for the German Federal Act on Privacy in Telecommunications and Telemedia. It regulates electronic communications and telemedia privacy.
It doesn’t regulate how telemedia services are provided or how telecommunication services are provided to end users. It only applies to the secrecy of telecommunication and its confidentiality, which includes using cookies and storing information.
The scope of application of this law combines two pieces of legislation—the Telemedia Act (TMG) and the Telecommunications Act (TKG)—and harmonizes them with the EU’s General Data Protection Regulation and ePrivacy Directive. This is a whole new law, not an amendment of the existing laws.
When the new Telecommunications and Telemedia Data Protection Act was passed and went into effect in December 2021, Germany became the last EU member whose national laws wholly followed the EU privacy rules and the ePrivacy Directive of 2002.
Now Germany goes a bit further by trying to set standards for the work of consent management service providers, such as Secure Privacy.
What Does Germany’s TTDSG Require from Companies?
The TTDSG data protection provisions impose duties regarding cookies and tracking technologies. It makes the Planet49 decision a national law by requiring businesses to get permission from users the first time they visit a website to process their personal information.
Moreover, it requires consent to be:
- Freely given, which means that the user can’t be forced to agree by getting access to content or anything else,
- Specific, in that each processing purpose must be approved independently by the website visitor,
- Informed, which requires the business to tell the website visitor about the processing of personal data when it asks for their permission,
- Unambiguous, which implies that the user must proactively express approval. This means that the consent checkboxes for each purpose must be checked. Even though the checkboxes should not have been marked in the first place, Planet49 was fined for leaving them checked, and,
- Easily revoked, which requires the company to make it simple for the consumer to withdraw consent.
There is an exception to the cookie consent requirement:
- When the cookies are strictly necessary for the functionality of the website, or
- When cookies are necessary to communicate over a public telecommunications network, they must be sent to the user’s terminal equipment.
As a result, the law makes a distinction between two types of cookies:
- Essential cookies. These cookies are strictly required to deliver telecommunications or telemedia services, so you don’t need to get anyone’s permission to use them.
- Non-essential cookies. These cookies require your permission because they are not technically necessary to provide such services. Only use them with the user’s permission. You must not send cookies to their end devices in any other circumstances. This includes Google Analytics cookies, social media pixels, and other tracking technologies that store information but are not necessary for the provision of services.
Also, Article 25 of the TTDSG clarifies that businesses and users can interact with personal information management systems (PIMS), which are platforms for managing consent.
What Does This Mean For You?
This law may apply if you operate online and use cookies and tracking technologies.
Ask yourself the following questions:
- Are you a telecommunication or telemedia provider, as described in the TTDSG?
- Do you operate in Germany?
If the answer to both questions is positive, you need to comply with the law. Now ask yourself:
- Do you have reasons to process personal data?
- Do you have a legal basis to process personal data?
- Do you want to send cookies and tracking technologies to users’ devices to collect personal information?
If the answer to these questions is yes, you need a consent management solution. If you are not sure about the answers, seek advice from your data protection officer or another data protection professional.
If you do not comply, you are under the threat of penalties by the Data Protection and Freedom of Information (BfDI) Commissioner.
Is TTDSG Aligned With the GDPR and the ePrivacy Directive?
Yes, it is fully aligned with the EU data protection laws. Although German authorities have consistently implemented privacy laws diligently, it has all been put on paper. You may have noticed that the above requirements are pretty much the same as the GDPR’s requirements for cookie consent.
The announced draft on the regulation of consent management platforms, aside from aligning the German law with the EU laws, is expected to align it with the long-awaited ePrivacy Regulation (see our 2022 ePrivacy Regulation update) of the European Union.
What Are Consent Management Services?
The Consent Management Services allow website operators to collect consent and pass it to the vendors. For example, if you want to use Google cookies, you need to ask your website visitors for consent, and only if they agree can you use them. Integrating with a CMP means that Google will be informed about each action of your users.
That way, you’ll send cookies only to users who have agreed to receive them. That’s how you comply with the TTDSG, the GDPR, and the ePrivacy Directive.
Your consent management platform will handle everything you need to do to obtain consent. It will provide you with a cookie banner to request consent, log the user’s action, and keep records regarding practices about your storage of information.
As a business owner, all you need to do is configure your CMP solution properly and have peace of mind because it will take care of the rest.
How Does the New Law Affect Consent Management Services?
The limited information we have so far will require us to add a new feature - obtaining consent for multiple websites at once. The guidance deals with when and how consent must be obtained in accordance with Section 25 TTDSG. This would be an interesting regulatory attempt to simplify the consent process.
The user will be allowed to set up their cookie preferences to accept cookies across many websites. For example, the user consents to all website analytics cookies across all websites at once but declines social media cookies all at once at the same time.
The CMPs will play an essential role in the process, as they have the infrastructure to handle the request and obtain consent properly. Individual solutions and plugins may have issues complying with the user’s preferences.
As a result, website operators won’t have to show cookie banners to some users. They will know the user’s preferences when they arrive on the website - but only if the website uses consent management services.
What Are the Benefits of Secure Privacy CMPs for Your Business?
Your business may greatly benefit from using a consent management service because it makes compliance effortless and helps you avoid the hefty fines capped at EUR 20 million or 4% of the annual turnover, whichever is greater.
You don’t have to think about technical improvements to your cookie consent solutions or updates to data protection laws that may apply to your business.
The Secure Privacy consent management solution has it all: it is built per the IAB TCF framework and ensures compliance with the GDPR and TTDSG data privacy provisions. When the new law gets updated, you’ll know in advance which user has consented to what type of cookies, so you may not have to show users cookie banners every single time they visit your website. The Secure Privacy CMP is a complete solution for your business.
