Gdpr Tmg Tkg And Now Ttdsg What Does The New German Ttdsg Bring
Management Summary
GDPR, TMG, TKG and now TTDSG: a tribute to the Fantastic Four or what does the new German TTDSG bring?
This article focuses on the consent requirement for cookies and on a completely new regulation for services for the technical management of such consent – called PIMS.
Article 25 TTDSG “Protection of privacy in terminal devices”
The new regulation on the consent requirement does not come as a complete surprise. After the ECJ Planet 49 decision, the active and voluntary consent of users for non-essential cookies became absolutely necessary in Germany. The new wording of the law now reads as follows:
“The storage of information in the end-user’s terminal equipment or access to information already stored in the end-user’s terminal equipment shall only be permitted if the end-user has consented on the basis of clear and comprehensive information. The end-user’s information and consent must be provided in accordance with Regulation (EU) 2016/679.”
The wording is intentionally broad to cover not only cookies, but also any other similar technologies used to store data in the user’s browser or device. The term “end device” is also broadly defined to include all internet-capable devices, such as smart devices in the sense of the Internet of Things.
CONCLUSION: If you want to use cookies (or comparable information) in Germany, you must inform users about all circumstances according to the TTDSG. Users must actively and voluntarily consent to the use of cookies. Voluntariness requires that the provision of the service must not be made dependent on the granting of consent. The consent must also be revocable at any time.
Consent is not required in only two cases:
- for cookies that are strictly necessary to provide the service requested by the user; or
- for cookies that are used exclusively to transmit messages.
Regardless of this clear new regulation in German law, to fulfill the above obligations, namely information, consent and revocation management, cookie banners and consent management tools, which are individualized for each website, have become established.
Article 26 TTDSG: “Recognized services for consent management, end user settings”
The TTDSG is now presenting a new approach to consent management: Personal Information Management Systems (PIMS) should enable end users to specify “centrally” specifications for their consent or rejection to the setting of cookies. These specifications can then be queried by the individual websites from the PIMS and the cookies can be implemented accordingly.
However, these PIMS must first be recognized by an independent body and meet all the requirements mentioned in this article.
Are the German PIMS now the end of cookie banners?
Probably not, because several aspects of the overall picture cannot be overlooked:
German websites can be accessed by users from anywhere. However, not all users – and certainly not outside of Germany – can be “forced” to use German PIMS when they surf German websites.
And above all, a practical difficulty remains: How can the individual information obligations, including disclosure of all recipients per category of cookies, be fulfilled? This will probably require individual banners for each website. Or even if one wanted to consider it permissible in principle to provide information centrally to the PIMS, information about all possible cookies does not appear to correspond to the transparency requirement.
CONCLUSION: At least for the time being, the individual cookie banner remains the holistic solution that can fulfill the information obligations together with the management of the respective consent or rejection. Of course, the cookie banner must be implemented in accordance with the law.
