German DPAs advise on cookie compliance under new telecom law

On Dec. 1, 2021, Germany passed the Telecommunications-Telemedia Data Protection Act (it's being called the TTDSG because of its German translation). The law aims to start implementing the forthcoming ePrivacy Regulation provisions, which the EU government has been trying to pass for a few years. 

The law regulates over-the-top (OTT) services like email and messaging services and requires they be covered by telecommunication law. The TTDSG codifies into national law that organizations deploying tracking technologies must gain consent – regardless of whether the data is processed. As Deloitte reports, consent is not required if the tracking technology is used to transmit a message or necessary for the user's service. 

Here is the portion of the TTDSG that applies to cookies: 

Section 25: Protection of privacy in terminal equipment

(1) The storage of information in the end-user's terminal equipment or access to information already stored in the terminal equipment is only permissible if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.

In late December, the German Data Protection Conference (the group of German data protection authorities) issued guidance on the law. The group said that organizations must differentiate their requests for user consent under the TTDSG and the GDPR. If user consent is obtained in a bundled format (with one click), consent banners must include transparent and specific information. In addition, rejecting consent can't take more clicks than accepting it, and there must be a simple way – on the website – to withdraw consent at any time. 

In addition, information within the consent banner about what's being done with user data has to match the information disclosed in an organization's privacy policy. 

The group also reiterated that website operators remain responsible for obtaining valid consent even if they're using a third-party consent management tool. 

While the new guidance covers several vital areas regarding the proper use of cookies in Germany, examples of sufficient cookies banners have not been provided yet. We'll keep you updated as this additional information becomes available.