Following a series of proceedings before the Federal Court of Justice and the European Court of Justice in recent years, it has become clear that Germany has never properly implemented the European ePrivacy Directive. This states that the user’s active consent to the setting of cookies must be obtained without fail. In Germany, this principle has never been enshrined in law, although the EU directive is more than 10 years old.

TTDSG: Principle of consent to the setting of cookies

Politicians have taken up this issue: In May 2021, the Bundestag passed the draft for a “Telecommunications Telemedia Data Protection Act” (TTDSG) with the votes of the CDU/CSU and SPD. The approval of the Federal Council also followed.

The new TTDSG regulates, among other things, the aforementioned principle of consent to the setting of cookies for the purpose of data storage. Section 25 of the TTDSG states that third parties may only store information on the end user’s device or access stored information if the end user has been informed of this and has given their consent.

Also included: Exceptions to consent to the setting of cookies

However, this requirement does not apply without exception. The law also provides for exceptions to the requirement to consent to the setting of cookies. The consent of the respective user is therefore not required if the information is only stored or accessed in order to transmit a message.

Furthermore, the user’s consent is not required if the storage or access to the information is absolutely necessary in order to provide telemedia requested by the end user. This exception therefore applies to the setting of technically necessary cookies.

The TTDSG therefore only provides for narrow exceptions to the principle of consent. In particular, the use of cookies to track user behavior remains subject to consent. Fears that exceptions will be to the detriment of the user are therefore likely to prove unfounded.

Consent services for cookies soon possible?

“We want an end to cookie banners,” said the CDU/CSU at the beginning of the year. The original draft therefore envisaged that consent could also be given by the end user through appropriate settings in their browser or through an external application.

The adopted version of the TTDSG no longer provides for this possibility. Instead, a regulation is introduced that creates a legal framework that leads to the recognition of consent services. The use of consent services could therefore soon be possible.

TTDSG to come into force by the end of the year

The law is due to come into force on December 1, 2021. The law regulates many things that have already been in practice for a long time. Nevertheless, it brings some innovations, in particular the exemptions and the legal framework for the recognition of consent services. It remains to be seen what impact these changes will have in practice, particularly for website operators. In any case, the opportunity should be taken to compare one’s own use of cookies with the legal requirements and adapt them if necessary.

TTDSG and its impact on the digital advertising industry

The entry into force of the TTDSG has far-reaching consequences, particularly in the advertising industry, as advertisers and website operators must now comply with the obligation to obtain consent for cookies. Companies that rely on usage-based advertising must adhere to the strict requirements of the TTDSG and offer users transparent consent options. A central point of the TTDSG is that cookies that are set for marketing or analysis purposes are only permitted with the express consent of the user. This measure ensures greater control by consumers and at the same time increases the pressure on website operators to provide clear and comprehensible information on the use of cookies.

Legal certainty through TTDSG for website operators and companies

The TTDSG finally creates legal certainty for website operators and companies that rely on the processing of user data. Prior to the introduction of the TTDSG, many were unsure how the European ePrivacy Directive should be implemented correctly. The new law now clearly regulates what information may be stored on users’ end devices and under what conditions consent is required. Especially for creative companies and entrepreneurs who use their websites for communication and marketing, the TTDSG provides a reliable basis for effectively implementing data protection guidelines and ensuring user-friendliness at the same time. Website operators should therefore carefully examine the requirements of the TTDSG and adapt their cookie policies accordingly in order to avoid legal risks and strengthen user trust.