TDDDG/TTDSG: Cookie law for website operators in Germany


The TDDDG (Telecommunications Digital Services Data Protection Act; former TTDSG; in German: Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) will regulate a number of areas of data protection in Germany as of December 1st, 2021. In particular, the use of cookies and tracking technologies will be regulated much more clearly than before in the “cookie law”. For website operators who already comply with supreme court rulings of recent years, not much will change in practice regarding cookies. All other website operators should act now to avoid easily enforceable fines of up to €300,000 plus fines under the GDPR. You can learn everything important about the privacy law TDDDG in relation to cookie consent management in our article!

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

The most important facts summarized briefly and compactly
  1. TDDDG regulates the handling of cookies and tracking technologies in German law as of December 1st, 2021
  2. Opt-in cookie banners such as Real Cookie Banner will thus become mandatory for almost all websites.
  3. Easier enforceable fines of up to €300,000 can be imposed under the TDDDG for not obtaining consent or insufficiently obtaining consent.

What is the TDDDG?

The Telecommunications Digital Services Data Protection Act (TDDDG for short) is a new law that comes into force in Germany. The purpose of the law is to achieve a compromise between privacy in the digital world and digital business models (including the collection of data). It also aims to eliminate confusion regarding regulations in various laws surrounding data protection.

So far, provisions of the Telemedia Act (TMG, now called DDG), the Telecommunications Act (TKG), the ePrivacy Directive (Directive 2009/136/EC) and the General Data Protection Regulation (GDPR) had to interact in Germany to regulate important issues such as the use of cookies on the internet. In addition, there were supreme court decisions by the ECJ and the German Federal Court of Justice (FCJ), which interpreted these provisions in their interaction. This resulted in de facto rules, which, however, were not clearly represented in German laws.

In addition to dealing with cookies and tracking technologies, the TDDDG newly regulates telecommunications secrecy, wiretapping prohibitions, and the rights of heirs of the end user of telecommunications services or telemedia, as well as other aspects. In the following, however, we will only deal with the aspect of “cookies and tracking technologies”, as the TDDDG as the new cookie law in Germany particularly affects many website operators.

For whom and from when does the TDDDG apply?

The TDDDG was passed by the Bundestag (parliament of Germany) in May 2021 and comes into force on December 1st, 2021. This means that from this effective date, all regulations of this law apply and must be fully complied with.

According to § 1 para. 3 TDDDG, the new law applies to “all companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this law […]” (translated into English).

In practical terms, this means that all persons and companies with a registered office in Germany must comply with the TDDDG. Furthermore, the very existence of a branch office of a company in Germany is sufficient to be covered by the TDDDG. It does not matter whether this branch has anything to do with e.g. tracking on the website or not. In addition, companies outside Germany must also comply with the TDDDG if they provide services in Germany or are involved in doing so. Practically, this could be an online store that sells its goods in Germany.

TDDDG: The Cookie Law for Germany

You, as a website operator, are now probably wondering what the TDDDG means for you specifically. Do you have to give up your beloved 🍪🍪🍪 and tracking on your website (for users in Germany) due to the new cookie law? To understand this, we first need to get an overview of the regulations that applied before the introduction of the TDDDG.

What is the legal basis on which you have had to obtain consent so far?

When tracking on the internet, there are two different kinds of data that you, as a website operator, process or have processed, which are relevant with regard to consent:

  • Cookies: According to the ePrivacy Directive (Directive 2009/136/EC) Art. 66, consent is required to set and read cookies and cookie-like technologies, unless they are essential for the operation of the website. Practically, this means that you are allowed to set cookies to store the shopping cart in an online store without consent (because without the shopping cart, no customer could make purchases in your store). An analytics tool on your website – such as Google Analytics – on the other hand, is only allowed to set cookies after the website visitor has given explicit consent.
  • Personal data: To process personal data, you need a legal basis according to Art. 6 GDPR. Often, only consent is a viable option, as the most common alternative, legitimate interest, is only applicable within very narrow limits. What is absurd here is that the IP address of your website visitors counts as personal data in many cases. We explained in more detail when and why IP addresses are considered personal data in our article on personal data. In practical terms, this means that you often need consent to share IP addresses by embedding scripts from external services. You should obtain consent, for example, if you embed Google Fonts or YouTube on your website.

We have explained what you need consent for in more detail and with more examples in a separate article.

All this sounds to you like the legal situation is actually already clear? If it were that simple, the TDDDG would probably not exist as a cookie law in its current form!

The ePrivacy Directive from 2009 is – as the name suggests – a directive. Directives from the EU are not laws. Instead, they must be implemented into national law by all EU member states within 24 months of their adoption. This did not happen regarding cookies in Germany until the TDDDG (12 years later). The German legislator assumed that the right to object to cookies described in § 15 para. 3 TMG (now called DDG) is equivalent to active consent to cookies. With a little common sense, you could have seen that this is not quite the same thing 😉

The ECJ then clarified on October 1st, 2019 in Case C-673/17 that the German special way of an opt-out procedure is not in line with the ePrivacy Directive – who would have thought that before the court ruling. Since then, it can be assumed that only the opt-in procedure (explicit consent) to non-essential cookies is permissible. This was also confirmed for Germany by the German Federal Court of Justice (FCJ) on May 28th, 2020 (Az. I ZR 7/16 – Cookie Consent II). With this, it was factually already decided in May 2020 that non-essential cookies and similar technologies may only be set after the consent of the website visitor.

Many questions remained open, however: whether this applies only to websites or also to apps, for example; what can be classified as essential; what a cookie banner should look like; and much more. A multitude of court decisions and statements by state data protection authorities created more and more clarity, but there was no cookie privacy law in which all this was codified.

Collecting cookie consents according to the TDDDG

In addition to consents for the processing of personal data under the GDPR, the TDDDG now specifies for the first time in Germany how consents to set and read cookies and similar technologies must look. Therefore, this aspect of the TDDDG could be called the Cookie Law for Germany, which finally provides legal clarity.

To this end, § 25 para. 1 TDDDG states (translation into English):

Storing information in the end user’s terminal equipment or accessing information already stored in the terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information. The information to the end user and the consent shall be provided in accordance with Regulation (EU) 2016/679 [(GDPR)].

In practical terms, this means that consent is required to set and read all cookies and similar technologies. When this is not required – commonly known as essential or necessary cookies – is clearly defined in § 25 para. 2 TDDDG (translation into English):

Consent under paragraph 1 is not required,

    1. if the sole purpose of storing information in the end user’s terminal equipment or the sole purpose of accessing information already stored in the end user’s terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
    2. if the storage of information in the end user’s terminal equipment or the access to information already stored in the end user’s terminal equipment is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

Practically, this means again that cookies, etc. may be set without consent, if otherwise:

    1. Technically, no transmission of data would be possible.
    2. The basic functionality of the service (e.g. the website) that the user has called up could no longer be provided (the shopping cart example in an online store from above). However, “expressly requested telemedia service” clarifies that if I access a website, I cannot expect it to embed a YouTube video, for example. If the embedded video sets cookies, consent is always required for this. If I call this video directly on YouTube – that is, I call the service explicitly – the same cookies can be considered essential.

In general, you can find rules about when you need a cookie banner in § 25 TDDDG. How to correctly obtain consent (in a cookie banner) should be governed by the GDPR. Thus, the design of cookie banners, if they have already complied with the applicable regulations in previous years, does not change significantly.

What do you have to do now as a website operator?

Let’s put the legal blah-blah aside and get to the point: as a website operator, what do you need to do specifically to comply with the requirements of the new cookie law in Germany?

  1. No cookie banner present: You don’t yet have an (annoying) cookie banner that allows your website visitors to agree or to reject cookies? Then you should definitely check if your website or services like Google Analytics, YouTube or Google Maps that you embed in your website use cookies and similar technologies. We’ve explained how to find all services and cookies on your website in a separate article. If you use cookies, you should read more about how to classify them and, if necessary, use a cookie banner like Real Cookie Banner on your website.
  2. Cookie banner already exists: Do you already have a cookie banner on your website? According to § 25 TDDDG, the website visitor (translation into English) “must [consent] on the basis of clear and comprehensive information”. This means that you must inform your website visitor about which cookies and similar information (e.g. in the local storage of the browser) are stored, for how long, for what purpose, by whom and where. Your visitors must also be informed about their rights. Consent must be optional for each individual service (which is what the cookie banner must offer), and the visitor must be able to change or revoke the consent at any time. Also, you should inform your visitor if you want to include services from countries with an insufficient level of data protection – like the USA – (e.g. all Google and Facebook services), so that your website visitors are aware of the potential dangers. Moreover, don’t forget that you need to take steps to protect minors according to Art. 8 GDPR, so that only visitors who are already legally authorized to do so can consent on your website. Does your current cookie banner at least meet these requirements? If not, you should improve it as soon as possible or switch to an alternative like Real Cookie Banner.

New legal term: terminal equipment

The specifications of the ePrivacy Directive on setting and reading did not previously refer exclusively to cookies, but explicitly mentioned them in the legal text. Cookies are a technology that is usually used in web browsers during transmission in the HTTP protocol. Therefore, it was not definitively clear until now whether consent was also required to set cookie-like information, e.g. in apps.

This is now a thing of the past! In § 25 TDDDG, the new cookie law talks about (translated into English) “storing information in the terminal equipment”. With the new term “terminal equipment”, the legislator means any type of device in which information can be stored in any technical form.

In practical terms, this means that smart home devices (e.g. kitchen appliances, radiator thermostats), Internet of Things (IoT) devices, apps on cell phones, and also email and messenger services will in future need a cookie banner if they want to store information on the device.

So unboxing the new Thermomix will become even more of a data protection rodeo: Not only will it have to ask you for your consent to the T&Cs and privacy policy, but in the future it will also have to ask you for your consent to store data like cookies. In addition, cookie consent must be renewed according to current legal opinion. So in the future, the Thermomix will have to interrupt your cooking experience about once a year with a lovingly designed cookie banner for renewed consent. At least, unless it only stores or reads essential information on your Thermomix hardware. This makes cooking fun! 👨‍🍳

Personal Information Management Systems (PIMS) as a better alternative to cookie banners

It sucks to be constantly bombarded with cookie banners! The German legislator has also recognized this and has invented Personal Information Management Systems (short: PIMS) on paper.

PIMS allow you to choose once which cookies you want to allow and which personal data processing you want to consent to. The PIMS then automatically passes on your decision to the website or your new Thermomix, giving you more control over your personal data and third-party access to it. All without being constantly nagged by cookie banners. According to § 26 TDDDG, PIMS must be verified by an independent institution to ensure that they really protect your privacy and don’t just have a placebo effect like some cookie banners.

Sounds like a great idea, doesn’t it? Yes, even we as cookie banner creators would be happy if this cookie banner madness would come to an end! In reality, however, we are skeptical whether the idea of PIMS can gain a foothold. There are several reasons for this:

  1. Already failed in the past: The ePrivacy Directive (Directive 2009/136/EC) Art. 66 already proposes a kind of PIMS. Privacy settings should be able to be specified centrally in the browser settings. However, since its passing in 2009, there has been no technical standard for this. Do Not Track as a technical standard to reject tracking tools has failed because website operators have no legal obligation to evaluate the signal.
  2. Germany vs. the world: A technical standard of this kind would have to be implemented uniformly in all systems, websites, apps, etc. For websites, every browser would have to implement the standard for obtaining consent and every website must be able to process the signal. The fact that Germany is developing a world standard here, while the EU, as a much larger institution, is failing to get such a standard off the ground, sounds outlandish.
  3. Formal requirements: According to the law, PIMS must meet certain requirements, such as no economic self-interest of the providers or a security concept of the provider. These requirements must be certified in a certification procedure by an independent authority. At the time of the introduction of the TDDDG, the German government still has to determine the form of the procedure for certifying the services. This will probably take several more years. Thus, only then can PIMS in the sense of the law launch.

Because of these accompanying circumstances, we think it is questionable whether PIMS will ever arrive in reality. If this should indeed happen, they would be an enormous relief for end users. From the perspective of website operators, however, it would not change much. They would still have to classify services used, explain them in more detail in their privacy policy and create a technical interface that may only set or read cookies and process personal data if consent has been given for this. It would be a kind of invisible cookie banner that website operators would have to set up.
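The "technical interface that may only set or read cookies and process personal data if consent has been given" mentioned above, together with the banner requirements listed earlier (opt-in per individual service, revocable at any time, renewed after a period), can be expressed as a small consent gate in the browser. The following is an added example written for this article; it is not code from the article or from Real Cookie Banner. The service ids, script URLs and cookie names are constructed placeholders, and the storage key name and the 365-day renewal period are assumptions. It runs outside a browser with an in-memory store; in a page you would pass `window.localStorage` and the two DOM helpers at the bottom.

```javascript
// Added example, not code from the article or from Real Cookie Banner.
// Service ids, URLs, cookie names, the storage key and the 365-day renewal period are assumptions.
const STORAGE_KEY = "consent-record";   // the record itself is strictly necessary storage
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry: each service says whether it is essential (§ 25 para. 2 TDDDG)
// and which script and cookies it brings along.
const SERVICES = {
  "shopping-cart": { essential: true,  src: null,                               cookies: ["cart_session"] },
  "analytics":     { essential: false, src: "https://analytics.example/tag.js", cookies: ["_an_id"] },
  "video-embed":   { essential: false, src: "https://video.example/embed.js",   cookies: ["_vid_pref"] },
};

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

class ConsentGate {
  constructor({ services = SERVICES, storage = memoryStorage(), loader = () => {},
                unloader = () => {}, renewalDays = 365, now = () => Date.now() } = {}) {
    Object.assign(this, { services, storage, loader, unloader, now });
    this.renewalMs = renewalDays * DAY_MS;
    this.loaded = new Set();
  }

  // The stored decision record, or null if there is none or it is unreadable.
  record() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { return null; }   // corrupt record counts as no consent
  }

  // Consent older than the renewal period counts as absent, so the banner must be shown again.
  isExpired() {
    const rec = this.record();
    return rec === null || this.now() - rec.timestamp > this.renewalMs;
  }

  hasConsent(id) {
    const svc = this.services[id];
    if (!svc) return false;            // unknown service: never load
    if (svc.essential) return true;    // strictly necessary: no consent required
    if (this.isExpired()) return false;
    return this.record().services[id] === true;   // opt-in: only an explicit true counts
  }

  // Store the visitor's per-service decisions; anything not explicitly true is a refusal.
  saveDecisions(decisions) {
    const services = {};
    for (const [id, svc] of Object.entries(this.services)) {
      if (!svc.essential) services[id] = decisions[id] === true;
    }
    const rec = { version: 1, timestamp: this.now(), services };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdraw consent for one service at any time; returns false if nothing was recorded for it.
  revoke(id) {
    const rec = this.record();
    if (rec === null || !(id in rec.services)) return false;
    rec.services[id] = false;
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    if (this.loaded.delete(id)) this.unloader(id, this.services[id]);
    return true;
  }

  // Inject only services with valid consent, each at most once; returns the ids loaded now.
  loadPermitted() {
    const loadedNow = [];
    for (const [id, svc] of Object.entries(this.services)) {
      if (svc.src === null || this.loaded.has(id) || !this.hasConsent(id)) continue;
      this.loader(id, svc);
      this.loaded.add(id);
      loadedNow.push(id);
    }
    return loadedNow;
  }
}

// Browser wiring, used only where a DOM exists. Removing a script tag does not undo what it already
// ran, and document.cookie can only expire first-party, non-HttpOnly cookies; that is why the gate
// never injects a script in the first place without consent.
function domLoader(id, svc) {
  const s = Object.assign(document.createElement("script"), { src: svc.src, async: true });
  s.dataset.consentService = id;
  document.head.appendChild(s);
}
function domUnloader(id, svc) {
  document.querySelectorAll(`script[data-consent-service="${id}"]`).forEach((s) => s.remove());
  for (const name of svc.cookies) document.cookie = `${name}=; Max-Age=0; path=/`;
}
```

In a page you would construct `new ConsentGate({ storage: window.localStorage, loader: domLoader, unloader: domUnloader })`, call `loadPermitted()` on page load and again after `saveDecisions(...)` from the banner, and wire the "revoke" control of your privacy settings to `revoke(id)`. The two points worth noticing are that the record is treated as "no consent" on any doubt (missing, unreadable, expired, or a value other than an explicit `true`), and that gating happens before a script tag is injected, because cookies set by a third-party script cannot reliably be removed again from page JavaScript.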

TDDDG fines: up to €300,000 easily enforceable

Data protection law was long described as toothless. There were penalties in theory, but they could hardly be imposed in practice. This was also true for the cookie consent requirement in recent years.

Until now, violations of the supreme court decisions of the ECJ and German Federal Court of Justice (FCJ) could not be effectively punished with official fines. Among other things, it was unclear which office was allowed to impose the fines – typical German bureaucracy 😉

⚠️ This is now a thing of the past. Missing or faulty cookie banners can be punished with up to €300,000 from December 1st, 2021 according to § 28 para. 2 TDDDG. Supervision of this has been given to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), which comprehensively monitors the handling of personal data. The authority now also has the power to impose fines under the TDDDG. If regulations have been violated that do not relate to the processing of personal data, the Federal Network Agency now has oversight over this.

So, it can quickly become expensive to have no or an insufficient cookie banner!

It is important to understand that the fines under the TDDDG do not replace the fines of theoretically up to EUR 20 million or 4% of the total worldwide annual revenue generated in the previous fiscal year under Art. 83 GDPR. A fine of EUR 100 million against Google has already been imposed this way for setting cookies in an unlawful manner and using the personal data collected for advertising purposes. Currently, however, GDPR fines are primarily imposed on big players. Therefore, we estimate the real risk for average website operators to be moderate. However, it can still hit you unexpectedly!

It should not be forgotten that warning letters can also be issued by competitors because of incorrect and faulty cookie banners. The courts are not yet in agreement on whether data protection violations can be the subject of warning letters under the Unfair Competition Act (UWG) in Germany. As of November 2021, however, there are increasingly more decisions in favour of such warning letters. Until this question has been clarified by the highest court, a large wave of warning letters is not to be expected. Competitors who count on you having too small a war chest, however, could take advantage of this ambiguity and generate crushing costs for you in the meantime.

In summary, there are now three attack scenarios under the new cookie law in Germany in which an insufficient or missing cookie banner can blow up in your face: 💥

    1. Fine under the TDDDG: There are clear responsibilities and, with a fine of up to EUR 300,000, a clear calculation framework with which real fines can be imposed. For average website operators, this new threat should be the most relevant in practice.
    2. Fine under the GDPR: Furthermore, fines can be imposed for the incorrect handling of personal data (as a result of improperly set cookies). However, currently mainly larger companies are targeted by the authorities.
    3. Warning letters: It remains unclear whether warning letters are permissible under the UWG. In individual cases, however, they may be permissible, and either way they cost a pile of money until the final verdict, which not every war chest can cover.

TDDDG as a cookie law transitional solution: the ePrivacy Regulation is coming!

For now, we have gained more clarity in Germany with the TDDDG. But the big one, the overarching cookie law, is yet to come! The EU wants to replace the ePrivacy Directive with the ePrivacy Regulation.

A directive must first be adopted into national law by the EU member states. It provides a rough framework that each country defines in detail for itself. A regulation, on the other hand, becomes directly applicable law in all EU member states and applies 24 months after its passage. Although the member states can use so-called opening clauses to change the regulation in certain aspects for their country, the majority of the legal framework is the same throughout the EU. Since EU law overrides national law, the ePrivacy Regulation will override the rules from the TDDDG in Germany.

The ePrivacy regulation was originally supposed to be introduced in 2018 together with the GDPR. However, the EU was unable to reach an agreement, so that the ePrivacy Regulation had not yet been passed as of November 2021.

When the ePrivacy regulation comes, it will once again reorganize the use of cookies and similar technologies, tracking on the internet and some other topics. The current drafts indicate that the use of cookie banners and similar cookie consent solutions will change once again.

Due to the still pending legislation, it is expected that website operators will have to act regarding the ePrivacy regulation by the end of 2023 at the earliest.

Summary: TDDDG creates more clarity for website operators in Germany

As of December 1st, 2021, the TDDDG (at that time still under the name TTDSG) is the new cookie law in Germany, which website operators should follow until the ePrivacy Regulation comes into force across the EU at the end of 2023 at the earliest.

The requirements of the TDDDG apply not only to individuals and companies in Germany, but also to companies with (non-active) branches in Germany and companies abroad that sell in Germany, for example.

Consents to set non-essential cookies and similar information are unavoidable. Consents for the processing of personal data should also not be forgotten. In this respect, the TDDDG is based on the already familiar requirements of the ePrivacy Directive and the GDPR.

Consents must now be explicitly obtained not only on websites, but also in apps, smart home devices, Internet-of-Things devices and all other technical terminal equipment that can read and write data on the devices.

With the concept of Personal Information Management Systems (PIMS), German lawmakers are trying to create a welcome alternative to bombardment with cookie banners. However, we assume that the concept will not catch on in reality, as there are too many technical as well as bureaucratic hurdles.

Having a correct cookie banner and respecting the privacy (of website visitors) is now worthwhile, as otherwise fines of up to EUR 300,000 may be imposed under the TDDDG. The new fines can be imposed much faster than before due to clear responsibilities.

Operators of websites should therefore definitely check whether they still need a cookie banner, or whether their existing cookie banner meets the requirements that have largely been known since 2019. If not, quick and conscientious improvement or a switch to an alternative prepared for the TDDDG such as Real Cookie Banner is advisable.

It is expected that the TDDDG will lead to even more cookie banners in Germany. At the same time, we assume that the new requirements will also lead to more cookie banners that provide more data protection, because an insufficient cookie banner can have real consequences from now on.