A new German data protection law: TTDSG – What you need to know now
on 02.12.2021 by Andrea Kawall, Dr. Ramona Greiner
- The TTDSG regulates provisions on telecommunications secrecy and data protection for telemedia, i.e., websites. It replaces the data protection regulations of the Telemedia Act (TMG) and the Telecommunications Act (TKG), adapts them to the regulations of the GDPR and primarily serves to implement the ePrivacy Directive.
- The aim is primarily to create legal clarity.
- Protection of device integrity: from the 1st of December 2021, websites will need genuine consent from users for cookies and tracking.
- Almost every website therefore needs a GDPR-compliant consent banner.
- The TTDSG also applies to messenger services and apps.
Background to the TTDSG
On 01.12.2021, the new German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, or TTDSG for short) came into force, having been passed by the Bundestag in May 2021. As the first draft of the TTDSG was completed only in July 2020, one could say it was implemented very quickly. In fact the opposite is the case: the German legislature was the last in Europe to comply with the implementation obligation arising from the 2009 ePrivacy Directive. The impetus for the swift action also came from the rulings of the European Court of Justice and the German Federal Court of Justice (BGH), neither of which looked favourably on the German legislator.
The most important regulations in the TTDSG for website and store operators
Below you will find the most important points to consider when tracking your customers and users on your website or app.
The good news first: there will be no serious changes to the legal situation. Much as with the application of the GDPR, the new law codifies the practice that has already been in place since the BGH's Cookie ruling of May 28, 2020, and it reconciles the areas the GDPR left unclear with the requirements of the ePrivacy Directive.
Validity and scope
The TTDSG is applicable from the date of entry into force (December 1, 2021) with no transition period. It applies to all companies that have a branch in Germany or offer goods or services in the German market.
It is technology-neutral: in the area of tracking it covers not only cookies but also, for example, browser fingerprinting and the use of local storage.
Focus and differentiation from the GDPR
The TTDSG focuses on storage on users’ end devices and the reading of device identifiers; the processing of personal data, on the other hand, continues to be regulated by the GDPR.
The new TTDSG makes no distinction as to where data is stored (e.g., locally or in the cloud).
Storage/extraction of information without consent
The TTDSG allows information to be stored in the user's terminal equipment (setting a cookie) or information already stored in the user's terminal equipment to be accessed (reading a cookie) without the user's consent, provided the storage or access is absolutely necessary for the provider to deliver the telemedia service (website/app) that the user has expressly requested.
The subsequent processing of personal data is then also permitted without consent.
Technical necessity of analysis & administration functions
Analysis technologies (cookies) can be considered absolutely necessary if they are used, for example, to measure performance, detect navigation problems, estimate required server capacities or analyze retrieved content.
Tag Management Systems
The use of tag management systems is generally permitted without consent. When using Google Tag Manager (GTM), however, there are concerns regarding consent-free use, so the consent-free use of GTM should be clarified with your own legal counsel.
If cookies or other tracking technologies are to be used on the basis of legitimate interest, that legitimate interest must be described and justified in the privacy notice.
Dynamic purpose limitation of cookies
If a cookie is set to store or read both information that does and does not require consent, and if users do not give their consent, the identifier stored in the cookie may only be used for the purposes that do not require consent. The purposes requiring consent must be omitted. These purposes must be defined in advance, adhered to during use, and users must be informed about them transparently.
This is the case, for example, where the tracking cookie was repurposed for reach measurement when anonymous tracking was implemented. If the user later agrees to standard, consent-dependent tracking, the previously set cookie has to be deleted and replaced. The same applies whenever the consent is modified in the privacy settings.
Information requirements and consent management
The TTDSG prescribes a comprehensive information obligation only for access that requires consent. Obtaining consent is subject to the same conditions as under the GDPR: it must be given by an affirmative action, e.g. on a corresponding button of a consent banner, and it must be possible to withdraw it with the same effort. Consent management platforms that are already installed can therefore continue to be used as before, and storing the consent decision itself does not require consent.
Storage periods and criteria
When providing the information, care must be taken to specify not only the storage duration, but also the criteria for the lifetime of the cookies (e.g. automatic deletion by the browser due to inactivity).
Browser settings, PIMS and plug-ins
The TTDSG does not require individual browser settings (opt-out) to be taken into account. However, it obliges the future German government to ensure by statutory ordinance that browsers take the user's current consent status into account. This is to be done with the help of consent management services known as PIMS (Personal Information Management Systems), which let users document and control the consents and objections they have declared for the websites they use. The ordinance will also contain specifications for the design of PIMS with regard to user-friendliness, conformity with competition law and technical implementation. It is expected to be issued next year. In the meantime, further information is available on whether the ADPC (Advanced Data Protection Control) specification of the Austrian data protection organisation noyb qualifies as a PIMS.
Fines and penalties
The TTDSG has its own fine framework with an upper limit of EUR 300,000, which applies to violations of the consent requirement. The same violation cannot then additionally be sanctioned under the GDPR.
Outlook: What’s next for data protection law, cookies and tracking?
One of the most exciting points in the TTDSG is the aforementioned PIMS, the design, implementation and use of which are not yet clear. In 2022, an expert commission of the German Federal Ministry of Economics will discuss the technical nature and possible deployment variants of PIMS. By the end of 2022, the commission wants to have passed the technical requirements in parliament, so this change will have to be considered in the foreseeable future. (Source: Tagesspiegel Background Newsletter of 04.11.2021 “Delegated data sovereignty”).
This could mean that by the end of next year "consent management" will be entirely in the hands of users, with consents and revocations managed centrally with one click, for example in a browser plug-in. This has the potential to make consent management systems on websites obsolete, since websites would be required to respect the user's will as expressed through the PIMS. However, we do not currently consider the extinction of classic consent management systems very likely, since a user's will can ultimately be represented more directly by a targeted opt-in or opt-out on a website than by a global consent or rejection via PIMS. Exactly how this plays out remains to be seen. A new wave of success for micro-consents, i.e. consents requested directly at the relevant point on the website (for example, whether to display original tweets embedded in news pages), is also quite conceivable.
In addition, the ePrivacy Regulation, which is still under negotiation, and the Digital Services Act could bring further changes in the future. As you can see: in the world of digital data protection, only change is constant.
Contact us if you would like to shape the change at your company together with us.
This information was developed together with the data protection experts from Bay-Q (http://www.bay-q.com/).