On 22 December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services (Orientierungshilfe für Anbieter von Telemedien). Particularly relevant for providers of websites and mobile applications, the Guidance is largely devoted to the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021. The publication focuses on the consent requirement for cookies and similar technologies, as well as relevant exceptions, introduced by the law.
Required consent and exceptions under the TTDSG
Section 25 of the TTDSG provides that the storage of information on an end user’s device, or access to information already stored on such a device, shall be permitted only with the consent of the end user. Exceptions are listed in Section 25(2), which stipulates that consent is not required if:
- The sole purpose of storing information on the end user’s device, or accessing information already stored on the end user’s device, is to carry out the transmission of a message over a public telecommunications network; or
- The storage of information on the end user’s device, or the access to information already stored on the end user’s device, is “absolutely necessary” for providing a “service expressly requested by the user”.
The DSK explains the scope of the second exception as follows:
- Service expressly requested by the user: A service (for example, a website) may be “expressly requested” by a user simply by accessing and using it. However, the DSK notes that such a “request” does not automatically include all additional features that may be embedded in the website or other service.
- Absolutely necessary: According to the DSK, a cookie must be technically necessary for the specific service expressly requested by the user.
The DSK’s advice on cookie banner design
Absolutely necessary cookies: To the extent that storage of or access to information on an end user’s device falls under one of the exceptions in Section 25(2), the DSK advises providers not to request consent. The DSK reasons that such a cookie banner requesting consent would unnecessarily interfere with the service. Further, the DSK asserts that a request for consent would be misleading in these circumstances, since the user does not in fact have a choice.
Cookies requiring consent: When storage or access requires consent under Section 25, the DSK notes:
- Consent must be actively given. Opt-out mechanisms, browser settings accepting cookies generally, and the ongoing use of a mobile application or website after notice do not constitute active consent according to the DSK.
- Consent must be free. “Nudging” can invalidate otherwise valid consent. The DSK asserts that such nudging already exists when rejecting cookies requires more clicks than accepting them. Users should be able to continue using the service without accepting cookies, and even after actively declining them.
- Consent must be informed. According to the DSK, a cookie banner should provide an overview of all processing operations that require consent, adequately explained, including the names and functions of any relevant third parties. Additionally, access to necessary information, such as the imprint (the mandatory information on the provider of the service) and the privacy policy, must not be hindered by the consent banner.
The DSK emphasizes that, as long as the user has not given his consent, his device must not be accessed by technologies requiring consent.
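The following is an added example, not part of the DSK Guidance or of any real consent-management product, showing how the requirements above translate into a consent gate in application code: purposes covered by a Section 25(2) exception are never gated behind a banner, consent-requiring purposes stay blocked until an explicit accept, rejecting takes exactly as many clicks as accepting, and continued use of the service is deliberately not treated as consent. The purpose names, the third-party names and the cookie names are constructed for illustration.

```javascript
// Added example: a minimal consent gate modelled on the DSK's banner requirements.
// Purpose catalogue and third-party names are constructed, not taken from the guidance.
const PURPOSES = {
  // Exempt under Section 25(2): technically necessary for the service the user requested.
  session: { exempt: true, description: "keeps the login the user requested working" },
  cart:    { exempt: true, description: "stores the basket the user is actively filling" },
  // Consent-requiring: not necessary for the requested service, third party involved.
  analytics: { exempt: false, description: "usage statistics", thirdParty: "ExampleAnalytics Ltd (constructed)" },
  ads:       { exempt: false, description: "ad personalisation", thirdParty: "ExampleAds GmbH (constructed)" },
};

class ConsentGate {
  constructor(purposes) {
    this.purposes = purposes;
    // null means "no decision yet". Only an explicit click changes it.
    this.granted = null;
  }

  // Keys of every purpose that requires consent (everything the banner must disclose).
  consentRequiring() {
    return Object.keys(this.purposes).filter((k) => !this.purposes[k].exempt);
  }

  // Banner text: one entry per consent-requiring purpose, naming the third party.
  // Exempt purposes are not listed because no consent is requested for them.
  bannerDisclosure() {
    return this.consentRequiring().map((k) => {
      const p = this.purposes[k];
      return `${k}: ${p.description} (${p.thirdParty})`;
    });
  }

  // The banner is needed only while a decision is outstanding and something requires consent.
  needsBanner() {
    return this.granted === null && this.consentRequiring().length > 0;
  }

  // One click each: both choices close the banner in a single step (no extra menu for "reject").
  acceptAll() { this.granted = new Set(this.consentRequiring()); }
  rejectAll() { this.granted = new Set(); }

  // Scrolling, navigating or keeping the app open is not active consent, so this
  // intentionally never touches this.granted. It returns the unchanged state for callers.
  noteActivity(_event) { return this.granted; }

  // The single check every storage/access call goes through.
  mayAccess(purpose) {
    const p = this.purposes[purpose];
    if (!p) throw new Error(`unknown purpose: ${purpose}`);
    if (p.exempt) return true;                       // Section 25(2) exception
    return this.granted !== null && this.granted.has(purpose);
  }
}

// Storage wrapper: a write for a consent-requiring purpose is refused until consent exists.
// `jar` stands in for document.cookie / localStorage so the example runs outside a browser.
function setCookie(gate, jar, name, purpose, value) {
  if (!gate.mayAccess(purpose)) return false;
  jar[name] = value;
  return true;
}

// Stand-alone demonstration of the flow described in the text.
function demo() {
  const gate = new ConsentGate(PURPOSES);
  const jar = {};
  const beforeDecision = {
    bannerShown: gate.needsBanner(),
    sessionCookieSet: setCookie(gate, jar, "sid", "session", "abc123"),
    analyticsCookieSet: setCookie(gate, jar, "_ex_an", "analytics", "v1"),
  };
  gate.noteActivity("scroll");                        // continued use changes nothing
  const afterScroll = setCookie(gate, jar, "_ex_an", "analytics", "v1");
  gate.rejectAll();                                   // one click, same as acceptAll()
  const afterReject = {
    bannerShown: gate.needsBanner(),
    analyticsCookieSet: setCookie(gate, jar, "_ex_an", "analytics", "v1"),
    sessionStillWorks: gate.mayAccess("session"),
  };
  return { beforeDecision, afterScroll, afterReject, jar };
}
```

Keeping the gate as the only path to storage matters more than the banner itself: a script tag for a third-party tool that loads unconditionally bypasses any banner, so the loader for such tools should be called only after `mayAccess("analytics")` returns true.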
Data transfers
For all processing activities, processors must check whether such activities involve a transfer of personal data to any third countries outside the European Economic Area without an equivalent level of data protection. The DSK opines that Article 49 of the GDPR, which allows transfers without appropriate safeguards on the basis of consent, cannot be used to justify transfers of personal data processed in connection with the regular tracking of user behavior on websites or in mobile applications. According to the DSK, the scope and regularity of such transfers cannot be reconciled with the character of Article 49 of the GDPR, as an exception to the general rules regarding data transfers, and the requirements of Article 44 GDPR.
Sanctions
Intentional and negligent violations of Section 25 of the TTDSG constitute administrative offenses, subject to a penalty of up to EUR 10,000.00. This is much lower than the fines that can be imposed under the GDPR. However, the DSK emphasizes repeatedly that the lawfulness of any subsequent processing of information collected through cookies or other tracking mechanisms, but without further involving the end user device, is subject to the GDPR.
Possible future developments
This DSK Guidance is subject to any publications by the European Data Protection Board on the same issue and to any changes of European law, in particular by a future ePrivacy Regulation, if and when it is adopted. It is not binding on courts.