German DPAs advise on cookie compliance under new telecom law

  • by Osano Staff
  • · posted on January 12, 2022
  • · 1 min read
German DPAs advise on cookie compliance under new telecom law

On Dec. 1, 2021, Germany passed the Telecommunications-Telemedia Data Protection Act (it's being called the TTDSG because of its German translation). The law aims to start implementing the forthcoming ePrivacy Regulation provisions, which the EU government has been trying to pass for a few years. 

The law regulates over-the-top (OTT) services like email and messaging services and requires they be covered by telecommunication law. The TTDSG codifies into national law that organizations deploying tracking technologies must gain consent – regardless of whether the data is processed. As Deloitte reports, consent is not required if the tracking technology is used to transmit a message or necessary for the user's service. 

Here is the portion of the TTDSG that applies to cookies: 

Curious about privacy? Find out how Osano automates compliance & saves you time! Learn more

Section 25: Protection of privacy in terminal equipment

(1) The storage of information in the end-user's terminal equipment or access to information already stored in the terminal equipment is only permissible if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.

In late December, the German Data Protection Conference (the group of German data protection authorities) issued guidance on the law. The group said that organizations must differentiate their requests for user consent under the TTDSG and the GDPR. If user consent is obtained in a bundled format (with one click), consent banners must include transparent and specific information. In addition, rejecting consent can't take more clicks than accepting it, and there must be a simple way – on the website – to withdraw consent at any time. 

Try Osano Free!

In addition, information within the consent banner about what's being done with user data has to match the information disclosed in an organization's privacy policy. 

The group also reiterated that website operators remain responsible for obtaining valid consent even if they're using a third-party consent management tool. 

While the new guidance covers several vital areas regarding the proper use of cookies in Germany, examples of sufficient cookies banners have not been provided yet. We'll keep you updated as this additional information becomes available. 

About The Author · Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”