TTDSG: The New German Cookie Law

The German Parliament adopted the law Telecommunications and Telemedia Data Protection Act in May 2021. The Act will regulate privacy and data protection in Germany. The law, also known as TTDSG (Telekommunikation-Telemedien-Datenschutzgesetz) provides new rules on cookies and similar technologies.

The TTDSG will come into force on 1 December 2021. You can read the official version here. (in German)

The law intends to unify the various privacy regulations in Germany — the General Data Protection Regulation (GDPR), the Telemedia Act (TMG) 2007, and the Telecommunications Act (TKG) 1996 in Germany. The TTDSG includes a consent requirement that is consistent with the ePrivacy Directive. It will supplement the governing cookie consent requirements of the European Union. 

Section 24 of the TTDSG implements Article 5(3) of the ePrivacy Directive as well as the Planet49 judgement and the German Supreme Court judgment of May. For a quick recap, the Planet49 judgement ruled that valid consent is one that is explicit i.e. consent should be actively given and be specific. For instance, pre-ticked boxes or browsing a site does not amount to valid consent (more on Planet49 judgement here). 

In 2020, a German Federal Court (BGH) judgement aligned with the Planet49 decision that websites in Germany must follow the European cookie rules and should obtain cookie consent unless they do not use cookies at all or only use strictly necessary cookies.

The new law will require websites to request consent for cookies and other tracking technologies that store information on or read information from users’ devices.

• Section 24 of the TTDSG states that cookies can only be used on a website if the visitor has given their informed and clear consent. This consent should be in accordance with GDPR cookie consent i.e. Article 4 and Article 7. 

• There are only two categories of cookies under TTDSG:
  • Cookies that are strictly necessary cookies 
  • Cookies that require consent 

The Act does not define the exact scope of strictly necessary cookies. This means the use cases provided by the Article 29 Working Party such as shopping cart cookies, authentication cookies, load balancing session cookies etc. will continue to be categorized as strictly necessary cookies. 

• The legal basis of legitimate interests, as defined in Article 6(1) GDPR cannot be used anymore.

• The TTDSG not only covers cookies but broadens its scope to include “storage of information of the terminal equipment of an end user”. TTDSG will also cover communications via phone or internet, and the internet of things, in particular smart home equipment. 

• The TTDSG will apply for organizations that have an establishment in Germany, provide services or contribute to the provision of services. A broad interpretation will mean that the law will apply to any website that targets German users.

• The maximum fine for a violation of Section 24 TTDSG is €300,000. For the unlawful processing of personal data of users via the storage of cookies or using the data stored, the adequate provisions of the GDPR are applicable, which means significantly higher fines can be imposed. Depending on the nature of violation and the sector, fines will be imposed by the relevant state data protection authority or the federal Commissioner for Data Protection and Information Security.

While the new TTDSG aligns with the ePrivacy Directive, it does not include all the cookie consent exemptions included in the ePrivacy Regulation. For instance, the draft ePrivacy Regulation exempts cookies and similar technologies that are used for first-party analytics, security purposes, and software updates. It also provides for the data collected from cookies to be re-used under certain conditions. 

As the law follows the provisions of the GDPR and ePrivacy Directive, EU cookie consent requirements will be applicable to German websites or websites that cater to German residents. 

• Users must be presented with clear information about cookie usage and should be able to accept or reject the use of cookies.
• Don’t use pre-ticked boxes or ‘on’ toggles in a cookie banner as it does not represent a free choice. 
• Allow users to give specific, granular consent for different categories of cookies.
• Set cookies only after users have consented. Third-party cookies should be blocked till the user clicks on ‘accept’.
• Do not display a notice-only cookie banner as continuing to use a website or scrolling cannot be inferred as valid consent.
• Cookie consent banners should use user-friendly language and provide transparent information about cookie usage.
• Display your cookie policy or privacy policy on the cookie banner so users are informed before consenting.
• Record all user consents so that website owners can demonstrate proof of consent in case of scrutiny by the Federal Commissioner. 
• Users should be able to revoke/withdraw their consent at any time after they have given consent. 

Generate a compliant cookie banner with CookieYes cookie consent solution. Create the banner as per your website’s design and style. Change the content, colour, layout, branding and add full CSS customizations. 

CookieYes banner can be displayed in 30+ languages such as  English, French, German, Italian, Spanish, and Swedish. You can auto-block over 90 third-party cookies like Google Analytics, Facebook Pixel until the user gives consent. Record all user consents for proof of compliance in the consent log and export it whenever required. 

Scan your cookies periodically for any newly added or removed cookies. Generate a cookie policy that gets auto-updated with each scan. You can also generate a custom privacy policy with our Privacy Policy Generator.

Take CookieYes for a test drive with a 14-day free trial! Sign up for free today.