TTDSG – new law on cookies and co.
The use of cookies after the TTDSG comes into force
On December 1, 2021, the TTDSG (Telecommunications and Telemedia Data Protection Act) came into force.
The TTDSG is designed to prevent unwanted access to sensitive data of Internet users that they have stored on terminal devices such as computers, tablets or cell phones.
The new law has significant consequences for the use of technologies such as cookies.
TTDSG, GDPR and EPVO
It was unclear for a long time whether and to what extent data protection regulations would apply in the area of electronic media. In particular, there was uncertainty with regard to the question of when prior consent from website visitors is required for the use of cookies.
The TTDSG, the special legal regulation for the area of electronic communications with regard to the processing of personal data, now provides more certainty on this issue.
As long as the ePrivacy Regulation (EPVO) has not yet entered into force, the TTDSG is relevant for the setting of cookies, among other things. It replaces the data protection regulations of the Telemedia Act (TMG) and combines the data protection regulations of the General Data Protection Regulation (GDPR) and special regulations of the EPVO in a new law for the purpose of legal certainty.
Required consent according to § 25 para. 1 TTDSG
According to § 25 TTDSG, the use of cookies is only permitted with the consent of the end user. This does not apply to cookies that are absolutely necessary for the provision of the website and its functions.
Websites that use cookies that are not necessary must inform visitors that no personal data may be transferred to the website operator or third parties without the consent of the respective end user. Marketing cookies (used to display appropriate advertisements to visitors) and tracking cookies (which store how a user interacts with a website) are examples of non-essential cookies.
If non-essential cookies are used, explicit consent must be obtained from the end user. A simple pop-up window is not sufficient for this purpose. It is necessary that the cookie technologies used are listed in detail in a cookie banner. In addition, the user must have the option to select which cookies may be used and which may not, as well as to revoke his settings at any time.
A further consent according to the GDPR (Art. 6 para. 1 lit. a) may be necessary if personal data is processed.
Both consents can be obtained at the same time.
Section 25 (1) TTDSG sets out the principle of requiring consent as follows:
“(1) The storage of information in the end user’s terminal equipment or access to information already stored in the terminal equipment shall only be permitted if the end user has consented on the basis of clear and comprehensive information.”
Exceptions to the requirement for consent
Exceptions to the requirement of consent are provided for “strictly necessary” cookies. Section 25(1) TTDSG, where these exceptions are regulated, is to be interpreted narrowly. It follows from the explanatory memorandum to the law that necessity is to be understood as technical, not economic, necessity.
Technically necessary cookies are all cookies without which a website would not function per se. These are, for example, session cookies (for shopping cart contents or language versions of a website), cookies that are exclusively necessary for payment processes or cookies that are used to grant or revoke consent.
Section 25(2) TTDSG formulates narrowly defined exceptions to the requirement of consent:
“(2) Consent under paragraph (1) is not required,
if the sole purpose of storing information in the end user’s terminal equipment or the sole purpose of accessing information already stored in the end user’s terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
if the storage of information in the end user’s terminal equipment or the access to information already stored in the end user’s terminal equipment is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.”
Consequences of Violation of Section 25 TTDSG
If a website operator fails to obtain the consent required under the TTDSG, it risks the following:
- The TTDSG provides for fines. If the required consent is not obtained, fines of up to 300,000 euros may be imposed.
- In addition, fines of up to 20 million euros or up to four percent of turnover may be imposed for violating the GDPR.
- Finally, a warning may be issued if a cookie banner with the required information is not used on the website.