The law regulates over-the-top (OTT) services like email and messaging services and requires they be covered by telecommunication law. The TTDSG codifies into national law that organizations deploying tracking technologies must gain consent – regardless of whether the data is processed. As Deloitte reports, consent is not required if the tracking technology is used to transmit a message or necessary for the user's service.
Here is the portion of the TTDSG that applies to cookies:
Section 25: Protection of privacy in terminal equipment
(1) The storage of information in the end-user's terminal equipment or access to information already stored in the terminal equipment is only permissible if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.
In late December, the German Data Protection Conference (the group of German data protection authorities) issued guidance on the law. The group said that organizations must differentiate their requests for user consent under the TTDSG and the GDPR. If user consent is obtained in a bundled format (with one click), consent banners must include transparent and specific information. In addition, rejecting consent can't take more clicks than accepting it, and there must be a simple way – on the website – to withdraw consent at any time.
The group also reiterated that website operators remain responsible for obtaining valid consent even if they're using a third-party consent management tool.