Following a series of proceedings before the Federal Court of Justice and the European Court of Justice in recent years, it has become clear that Germany has never properly implemented the European ePrivacy Directive. This states that the user’s active consent to the setting of cookies must always be obtained. In Germany, this principle has never been enshrined in law, even though the EU directive is more than 10 years old.
TTDSG: Principle of consent to the setting of cookies
Politicians have taken up this issue: In May 2021, the Bundestag passed the draft for a „Telecommunications Telemedia Data Protection Act“ (TTDSG) with the votes of the CDU/CSU and SPD. This was also approved by the Bundesrat.
The new TTDSG regulates, among other things, the aforementioned principle of consent to the setting of cookies for the purpose of data storage. Section 25 states that third parties may only store information on the end user’s device or access stored information if the end user has been informed and has given their consent.
Also included: Exceptions to consent to the setting of cookies.
However, this requirement does not apply without exception. The law also provides for exceptions to the requirement to consent to the setting of cookies. The consent of the respective user is therefore not required if the information is only stored or accessed in order to transmit a message.
Furthermore, the user’s consent is not required if the storage or access to the information is absolutely necessary in order to provide telemedia requested by the end user. This exception therefore applies to the setting of technically necessary cookies.
The TTDSG therefore only provides for narrow exceptions to the principle of consent. In particular, the use of cookies to track user behavior remains subject to consent. Fears that exceptions will be to the detriment of the user are therefore likely to prove unfounded.
Consent services for cookies soon possible?
„We want an end to cookie banners,“ said the CDU/CSU at the beginning of the year. The original draft therefore envisaged that consent could also be given by the end user through appropriate settings in their browser or through an external application.
The adopted version of the TTDSG no longer provides for this possibility. Instead, a regulation has been introduced that creates a legal framework leading to the recognition of consent services. The use of consent services could therefore soon be possible.
TTDSG to come into force by the end of the year
The law is due to come into force on December 1, 2021. The law regulates many things that have already been in practice for a long time. Nevertheless, it brings some innovations, in particular the exemptions and the legal framework for the recognition of consent services. It remains to be seen what impact these changes will have in practice, particularly for website operators. In any case, the opportunity should be taken to compare one’s own use of cookies with the legal requirements and adapt them if necessary.