PIMS or Cookie Banner? – Everything you need to know!


To cap off the year, a long-announced law finally came into force that turned the world of many website operators upside down: the Telecommunications-Telemedia Data Protection Act. Quite a mouthful, which is why the abbreviation TTDPA (TTDSG in German) usually does the trick.

Since 1 December 2021, the TTDPA has been meant to clear up the German data protection confusion: before that, the legal situation for telecommunications and telemedia in Germany was anything but clear.

We have already summarised all important information on the TTDPA in detail in a separate article. We recommend that you read this in advance in order to understand and comprehend the background and requirements – especially with regard to cookies.

A special feature of the TTDPA are the so-called “PIMS”. They are intended to revolutionise consent management and put an end once and for all to the flood of cookie banners that many perceive as annoying. On paper, the PIMS model is a real gain for data protection.

But how realistic is consent management via PIMS? Or is it just wishful thinking? And what exactly are PIMS?

We’ll explain it to you!

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

PIMS – what is it?

“PIMS” is an acronym for “Personal Information Management Services” (sometimes also read as “Privacy Information Management System”). It is the legislator's innovative approach to making consent management on websites more palatable, though so far mainly in theory. We explain why in the course of this article.

What are PIMS good for?

In short, the concept of PIMS is to banish cookie banners from the vastness of the internet.

PIMS take data protection to the next level. The PIMS model manages consent centrally, unlike cookie banners, which jump out at you on almost every website you visit. Internet users give their consent once in the PIMS and are therefore not asked umpteen times on different websites.

The legal basis for the use of PIMS is § 26 TTDPA. PIMS fall into the category of “recognised services for consent management”. Under this regulation, which sounds excellent in theory, default data protection settings can be made and managed in one central place, and browsers are to take the settings made by the user into account. PIMS are to be checked by an independent body to ensure that they actually protect the privacy of users.

When a visitor opens a website, the website asks the central service (the PIMS) for the data protection settings the visitor has stored there and receives them in response.

This would fulfil the wish of pretty much every internet user: carefree surfing without the constant bombardment of cookie pop-ups. The banners would still exist, but would no longer be displayed to the visitor, because the consent has already been taken over from the PIMS.

The importance of PIMS for website operators

Now that we have explained why PIMS are a great solution for website visitors, it is worth clarifying whether they are also an asset for website owners.

For website operators, PIMS bring few advantages.

PIMS signal must be read out

Offering a PIMS is one thing, reading its signal is another. This raises the question of whether website operators are obliged to read out PIMS signals at all. The Do Not Track header, which also sounds great in theory, shows that such a signal is more wishful thinking than a binding instruction for website operators.

As a website operator, you should read out the signal as of 2021. But nothing forces you to.

Cookie banner for visitors without PIMS

As a website operator, you cannot assume that every one of your visitors uses a PIMS. It is therefore essential to place a fully compliant cookie banner on your website, ideally with a fancy cookie notice by Real Cookie Banner, because flesh-and-blood users still give consent in addition to PIMS 😉 The cookie banner should be designed so that it is easy to read and understand.

Consent management system is still needed

Even though the PIMS model makes cookie banners invisible to website visitors, a consent mechanism must still be present on the website in a privacy-compliant manner.

Since 2009, when Directive 2009/136/EC amended the ePrivacy Directive (2002/58/EC) throughout the EU, Article 5(3) of the ePrivacy Directive has required website operators to obtain the active and informed consent of their visitors before storing cookies on, or reading information from, their devices. Its implementation in German law has, however, been difficult to date. This is now regulated in the TTDPA.

In addition, the processing of personal data such as the IP address needs a legal basis under Art. 6 GDPR, which for tracking services means consent (Art. 6(1)(a) GDPR).

On your website, the PIMS signal must therefore be evaluated correctly, and consent must be obtained via a cookie banner from users who do not use a PIMS, so that a service such as Google Analytics is really only loaded after consent has been given. Loading at the right time remains the website operator's responsibility.
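To make this last point concrete, here is an added example of a fail-closed consent gate (our own illustration, not code from Real Cookie Banner, the TTDPA or any PIMS provider). It combines the three inputs discussed in this section and in the section on reading out signals: the browser opt-out signals that exist today (Do Not Track via `navigator.doNotTrack` and Global Privacy Control via `navigator.globalPrivacyControl`), a consent record stored by the site's own banner, and a central PIMS signal. For each service it decides whether the script may be loaded, must stay blocked, or still has to be asked about in the banner. The service list, the shape of the stored record, the one-year expiry and above all the shape of the PIMS signal are assumptions, since no PIMS standard exists yet.

```javascript
// Added example, not code from Real Cookie Banner or from the TTDSG: a fail-closed
// consent gate for a website. Assumptions: the stored banner consent shape, the
// one-year expiry and the PIMS signal shape are all hypothetical (no PIMS standard
// exists yet). DNT and Global Privacy Control are real browser properties; treating
// them as a hard opt-out is a conservative design choice, not a legal requirement.

// Services the site embeds, and whether each is strictly necessary to operate it.
const SERVICES = {
  session: { essential: true, src: null },
  "google-analytics": { essential: false, src: "https://www.googletagmanager.com/gtag/js" },
  "google-maps": { essential: false, src: "https://maps.googleapis.com/maps/api/js" },
};

// Re-ask after a year (assumed policy; the text above states no fixed period).
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Opt-out signals browsers expose today: navigator.doNotTrack is "1" when DNT is
// enabled, navigator.globalPrivacyControl is true when GPC is enabled. Honouring
// them is voluntary for the operator, which is exactly the problem discussed above.
function browserOptOut(nav) {
  return !!nav && (nav.doNotTrack === "1" || nav.globalPrivacyControl === true);
}

// A banner consent record is only trusted if it is well-formed, not from the
// future and not older than CONSENT_MAX_AGE_MS.
function isValidRecord(record, now) {
  return (
    !!record &&
    typeof record.ts === "number" &&
    Array.isArray(record.allowed) &&
    now >= record.ts &&
    now - record.ts <= CONSENT_MAX_AGE_MS
  );
}

// Decide per service: "load", "block" or "ask" (show the banner for it).
//   consentRecord: what the site's own banner stored, e.g. { ts, allowed: [names] }
//   pimsSignal:    hypothetical central preferences, e.g. { allowed: [...], denied: [...] }
//   nav:           a navigator-like object (injected so this also runs outside a browser)
//   now:           current time in ms
function resolveConsent({ consentRecord = null, pimsSignal = null, nav = null, now = Date.now() } = {}) {
  const optOut = browserOptOut(nav);
  const recordValid = isValidRecord(consentRecord, now);
  const decisions = {};
  for (const [name, svc] of Object.entries(SERVICES)) {
    if (svc.essential) {
      decisions[name] = "load"; // strictly necessary services need no consent
    } else if (optOut) {
      decisions[name] = "block"; // explicit browser-level opt-out: do not even ask
    } else if (recordValid) {
      // The site's own, explicit banner consent is the most specific signal.
      decisions[name] = consentRecord.allowed.includes(name) ? "load" : "block";
    } else if (pimsSignal) {
      // Central PIMS preferences: a denial wins over an allowance; services the
      // PIMS says nothing about still have to be asked in the banner.
      const denied = Array.isArray(pimsSignal.denied) && pimsSignal.denied.includes(name);
      const allowed = Array.isArray(pimsSignal.allowed) && pimsSignal.allowed.includes(name);
      decisions[name] = denied ? "block" : allowed ? "load" : "ask";
    } else {
      decisions[name] = "ask"; // fail closed: nothing known means do not load
    }
  }
  return decisions;
}

// Inject only the scripts that were decided "load". `inject` is passed in so the
// gate is testable; in a page you would pass a function that appends a <script>.
function applyDecisions(decisions, inject) {
  const loaded = [];
  for (const [name, decision] of Object.entries(decisions)) {
    const svc = SERVICES[name];
    if (decision === "load" && svc && svc.src) {
      inject(svc.src);
      loaded.push(name);
    }
  }
  return loaded;
}

// Constructed sample inputs for a quick stand-alone run.
const NOW = 1700000000000;
const withBanner = resolveConsent({
  consentRecord: { ts: NOW - 1000, allowed: ["google-analytics"] },
  nav: { doNotTrack: "unspecified" },
  now: NOW,
});
const withPims = resolveConsent({
  pimsSignal: { allowed: ["google-maps"], denied: ["google-analytics"] },
  now: NOW,
});
const firstVisit = resolveConsent({ now: NOW });
console.log(withBanner, withPims, firstVisit);
console.log(applyDecisions(withBanner, (src) => console.log("would load", src)));
```

Two design choices are worth noting. First, the explicit banner record is consulted before the PIMS signal, because it is site-specific and the user gave it knowingly; a PIMS default only fills the gap when no such record exists. Second, the gate never resolves to "load" for a non-essential service when nothing is known: a missing, malformed or expired record yields "ask", so a bug in the storage layer cannot silently turn into tracking without consent.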

How realistic is the implementation of the PIMS model?

As already mentioned several times, PIMS are a brilliant idea in theory. Finally, no more annoying cookie banners 🥳 But as with so many brilliant ideas, in our opinion and experience the implementation will fail here too, at least in the near future. We explain why below.

Formal requirement for PIMS

According to § 26 TTDPA, PIMS must fulfil certain requirements: for example, the provider must have no economic self-interest in the consents and must present a security concept. Compliance with these requirements must be confirmed by an independent body in a so-called recognition procedure.

This is a great idea for quality assurance. But at the time the TTDPA came into force, the federal government still had to lay down the details of this recognition procedure. That will probably take several years, and only then can PIMS be launched in the sense of the law.

Funding of PIMS

PIMS providers must ensure that the data is only used within the framework of the preferences set by the user. At the same time, the providers themselves must be trustworthy and present a detailed security concept. This is regulated in § 26 TTDPA: the providers are checked, and an economic interest in the consents must be ruled out.

So how do PIMS finance themselves? They must not have an economic interest in the consents, yet their main product is precisely a system for obtaining consents. Creative business models are needed for PIMS to refinance themselves, because few end users can be expected to pay a monthly fee for the use of a PIMS.

Germany against the world (and the EU) with PIMS

A technical standard for PIMS would have to be implemented uniformly in all systems: websites, apps and so on. For websites, every browser would have to implement the standard for transmitting consent, or a PIMS plug-in would have to be available, and every website would have to be able to process the signal. It sounds absurd that Germany should develop a world standard here when the EU, as a much larger institution, has not managed to get such a standard off the ground.

The mismatch between EU law and German law also speaks against EU-wide enforcement of the PIMS model. Non-German website operators in the EU (or with an EU target group) would have to apply the TTDPA and thus the legal basis for PIMS. Will a shop operator from Sweden really make an effort to comply with a specifically German law, or will he accept the risk of theoretically being sued in Germany?

Concept has already failed in the past

Directive 2009/136/EC, which amended the ePrivacy Directive, already sketches a kind of PIMS in Recital 66: where technically feasible, consent should be able to be expressed through the appropriate settings of a browser or other application. Since its adoption in 2009, however, no technical standard for this has emerged. Do Not Track, as a technical standard for rejecting tracking tools, failed because website operators have no legal obligation to evaluate the signal.

If you look at the worldwide browser market share in 2021, Google Chrome leads with over 65%. Does Google have an interest in making data protection particularly easy for internet users when its main business model is to collect as much data as possible and serve personalised advertising? Hardly. So until a legal obligation is imposed, Google will certainly not commit to building a PIMS directly into its browser for all users.

Deficient information duties and incorrect classification of services

Compliance with the consent and information requirements for data processing proves to be difficult under the PIMS model, especially since it is often not achieved today either. Website operators frequently use different privacy notices on their websites for the same service (e.g. Google Maps). They simply lack the necessary knowledge. As a result, services are classified incorrectly, e.g. as essential when they are not.

The website operator would then not only have to correctly assess the services he uses, but also correctly interpret the PIMS signals. Only if both are done correctly, and the right service is activated in response to the signal, could real added value for data protection result. Large companies with legal departments can manage this. How a small blogger is supposed to manage it remains an open question.

EU-wide PIMS through ePrivacy Regulation

However, the spread of PIMS in the future, apart from the TTDPA, is not completely absurd. At the latest with the introduction of the ePrivacy Regulation, which is to replace the current ePrivacy Directive, PIMS could become a reality. Whether they will make it into the final version of the ePrivacy Regulation is, however, not yet certain as of December 2021.

The ePrivacy Regulation will once again regulate the handling of cookie banners, cookies and similar technologies. It is therefore possible that PIMS or similar models will be specified in the ePrivacy Regulation and will have to be implemented EU-wide.

However, it is most likely that an ePrivacy Regulation will not be introduced before the end of 2023 (or later). After that, technical standards, PIMS as real products and real penalties for non-use or misuse of PIMS will have to find their way into practice within the EU. This may take another few years.

Until then, it’s: Wait and see, drink tea and endure the Cookie Banner avalanche 😉

To make the cookie madness more bearable for you as a website operator and also for your visitors, the cookie consent plugin Real Cookie Banner provides a remedy. You can manage the consent of your visitors to the setting of cookies and the processing of personal data quickly and easily in line with data protection regulations. With the help of numerous (design) settings and support from Germany, we make everyday life on the internet much easier for you and your visitors!