view all news & events

06.10.2021

Legal regulation for the use of cookies

The use of cookies and other tracking tools presents website operators with a variety of challenges. In order to counteract the legal uncertainties that exist in this regard, the German Bundestag passed the Telecommunications and Telemedia Data Protection Act (in short: "Telecommunications Telemedia Data Protection Act - TTDSG") in May 2021. In particular, the Act is intended to bundle the data protection regulations of the Telemedia Act (TMG) and the Telecommunications Act (TKG) into a single law. It will come into force on 1 December 2021.

The use of cookies is indispensable for many website operators. In addition to so-called essential cookies, which make it technically possible to provide the functions of a website, such tools are also used, for example, to present visitors with user-optimised advertising or to allow the website operator to evaluate user behaviour in order to optimise the website.

For operators, this often raises the question of which cookies require user consent and how the so-called cookie banner must be designed. In the meantime, there are numerous different implementations on the market. The TTDSG should now bring clarification.

Everything new from December 2021 or continue as before?

With the TTDSG, the legislator wanted on the one hand to react to the case law that has been handed down in this area so far and finally implement the ePrivacy Directive. This at least puts an end to years of discussions as to whether the German legislator has actually implemented the ePrivacy Directive. However, the law does not contain many more innovations, at least in the area of cookie consent.

Consent required for non-essential cookies!

Section 25 of the TTDSG now clearly requires the consent of the user if information is to be stored on the user's "terminal equipment" or if the website operator wishes to access this stored information. The provision largely corresponds to the wording of Article 5 (3) of the ePrivacy Directive. The term "terminal equipment" of the user is to be understood as any device with an Internet connection. This is intended to guarantee a broad scope of application of the law and protection of users. It should be noted that due to the extension of the scope of application, smart home applications, for example, may also be affected by the consent requirement in the future.

As was already the case under the ePrivacy Directive, however, the use of such cookies remains possible in the scope of application of the TTDSG, even irrespective of the existence of consent, which can be described as essential or necessary. This therefore still requires a differentiation of cookies and website operators must check into which category the cookie used falls.

Recognition of consent management services

As a real innovation, the legislator has introduced a regulation on information management of consents in Section 26 TTDSG. This is intended to create a legal framework that results in the recognition of consent management services. In order to be recognised, such services must in future prove that, in addition to user-friendly and competition-compliant procedures and technical applications for obtaining and managing consent, they have, among other things, no economic self-interest in granting consent and have a qualitative and reliable security concept. However, the recognition procedure required in this context will only be determined by the issuance of a statutory instrument pursuant to Section 26 (2) TTDSG.

Practice Tip:

Even if the newly adopted TTDSG does not provide any far-reaching innovations in terms of legal certainty and clarity in the use of cookies, it can still be described as a concretisation of the previously applicable legal situation. Especially if one considers the current developments of the European Union regarding the standardisation of the legal situation through the enactment of the ePrivacy Regulation, it becomes clear why the German legislator is holding back with far-reaching innovations. Since February 2021, a new draft of the EU Council of Ministers has been available, on the basis of which trilogue negotiations on the concrete wording of the ePrivacy Regulation are now taking place.

As a result, the creation of the TTDSG represents a standardisation of the previous legal situation. When using cookies and other tracking tools, it must continue to be ensured that consent is obtained from the respective user of the website. Only in exceptional cases, e.g. when setting technically necessary cookies, can such user participation be waived. Due to the henceforth broad scope of application of the TTDSG, the aforementioned principles must also be kept in mind outside of "classic" end devices.

Whether and to what extent the consent management services contained in Section 26 TTDSG will actually find favour remains to be seen. At least according to the current status, both providers and users will continue to be confronted with cookie banners. In order to meet the requirements of Section 25 TTDSG, information obligations as well as the concrete design of the consents to be obtained must be taken into account in addition to the visual design of the cookie banners. Since both providers and the websites and apps vary, a concrete concept for the use of cookies must be worked out in each individual case.

Authors

Oliver Hornung

Dr. Oliver Hornung

Partner

visit profile
Franziska Ladiges

Franziska Ladiges

Counsel

visit profile