With the 2009 amendment to the directive, the European legislator created the well-known “cookie regulation”, under which the consent of end users must generally be obtained before cookies are set on their devices or cookies already set there are accessed. For a long time it was unclear and controversial in the legal literature whether the German legislator had properly implemented this central provision of the European directive with Section 15 Paragraph 3 TMG.
This was recently confirmed by the Federal Court of Justice (BGH) in the much-discussed Planet49 decision. According to that ruling, setting cookies in order to create usage profiles for advertising purposes or market research is only permitted with the consent of the user. However, the decision relied on a legal construct: the BGH interpreted the wording of the German provisions in the TMG fundamentally differently from what is actually written in the law. In order to avoid such ambiguities in the TTDSG, the German legislator has based the new cookie regulations closely on the wording of the E-Privacy Directive.
Not just cookies
The E-Privacy Directive, which also shapes Sections 25 et seq. TTDSG, speaks of various technologies such as “spyware”, “web bugs” or “hidden identifiers”. What they have in common is that they can penetrate the user’s device without the user’s knowledge in order to gain access to information or to trace user activity. The aim of the E-Privacy Directive, and of the cookie regulation in the TTDSG, is to protect the user from all these types of device or user identifiers.
The regulation always takes effect when, for example, a company accesses an end device in order to store information there or to read information already stored there. When Section 25 Paragraph 1 Sentence 1 TTDSG speaks of “information in the end user’s terminal equipment” or “access to information that is already stored in the terminal equipment”, this must be understood comprehensively and not as limited to cookies. The scope of application is therefore quite wide in practice. In general, however, one speaks of the “cookie regulation”, which we also do in this article.
The central provision is Section 25 Paragraph 1 Sentence 1 TTDSG. According to this, storing cookies on the end user’s device and accessing cookies already stored there is only permitted if the company has obtained the end user’s consent beforehand. How this consent must be structured in detail follows from the provisions of the GDPR, as Section 25 Paragraph 1 Sentence 2 TTDSG refers to them. The European Court of Justice (ECJ) has already ruled several times on the consent requirements under the GDPR. For example, consent is not effectively granted if the user first has to deselect a checkbox that has already been checked. The user must actively give his or her consent.
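The following consent gate is an added illustration, not code from the c’t article or from any product it mentions. It models the requirements just described in a minimal form: non-essential categories start unchecked (no pre-checked box counts as consent), only an explicit opt-in is recorded, cookies outside the “absolutely necessary” category are never emitted without a matching consent record, and revocation is as simple as granting. The category names, cookie names and the shape of the consent record are assumptions chosen for the example.

```javascript
// Added example (not from the article). Consent categories are an assumption;
// a real deployment defines its own. "necessary" stands for the exception in
// Section 25 Paragraph 2 Number 2 TTDSG, everything else needs prior consent.
const CATEGORIES = ["necessary", "marketing", "analytics"];

// Initial banner state: nothing non-essential is pre-selected. A pre-checked
// box that the user would have to untick is not active consent.
function initialBannerState() {
  return { necessary: true, marketing: false, analytics: false };
}

// Turn the user's submitted banner choices into a consent record.
// Only an explicit `true` is treated as granted; missing or falsy values
// (including an untouched default) are treated as "not consented".
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const category of CATEGORIES) {
    granted[category] = category === "necessary" ? true : choices[category] === true;
  }
  return { granted, timestamp: now };
}

// Withdrawal must be possible at any time; it yields a new record rather
// than mutating the old one, so the history of choices can be kept.
function revokeConsent(consent, category, now = Date.now()) {
  if (category === "necessary") {
    throw new Error("necessary storage is not subject to consent");
  }
  const granted = { ...consent.granted, [category]: false };
  return { granted, timestamp: now };
}

// Central check: may information be stored in or read from the device for
// this category? `consent` may be null when the visitor has not decided yet.
function isAllowed(consent, category) {
  if (!CATEGORIES.includes(category)) {
    throw new Error("unknown consent category: " + category);
  }
  if (category === "necessary") return true;
  return Boolean(consent && consent.granted[category] === true);
}

// Build a Set-Cookie header value, or return null when the cookie must not
// be set because the visitor has not consented to its category.
function buildSetCookie(consent, { name, value, category, maxAgeSeconds }) {
  if (!isAllowed(consent, category)) return null;
  return (
    `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ` +
    "Path=/; Secure; SameSite=Lax"
  );
}

// After a revocation, list the cookies that now lack a legal basis so the
// server can expire them (Max-Age=0). `inventory` maps cookie name -> category
// and is an assumed, site-specific table.
function cookiesToExpire(consent, inventory) {
  return Object.keys(inventory).filter((name) => !isAllowed(consent, inventory[name]));
}
```

In use, the banner renders `initialBannerState()`, `recordConsent()` runs on submit, and every place that sets or reads a cookie goes through `isAllowed()`; a consent management module that does not sit in front of the storage call cannot prevent a marketing tag from firing early.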
The exception: “absolutely necessary cookies”
Old legal maxim: there is an exception to every rule. The relevant exception to the general consent requirement is found in Section 25 Paragraph 2 Number 2 TTDSG. Consent does not have to be obtained if storing cookies on the end user’s device, or accessing cookies already stored there, “is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user”.
The question of what is “absolutely necessary” for a telemedia service expressly requested by the user is currently sparking debate in the legal world. It therefore remains to be seen which exceptions the Data Protection Conference (DSK), i.e. the body of all German data protection supervisory authorities, will subsume under the wording of Section 25 Paragraph 2 Number 2 TTDSG. An orientation aid published by the DSK is, however, “only” an official assessment and not legally binding. Nonetheless, the DSK would thus provide the first guard rails, which in turn would bring a little more legal certainty to those applying the law.
Since Paragraph 25 TTDSG is an implementation of the European E-Privacy Directive, which also had to be implemented in national law in all other EU member states, it is worth taking a look at the assessments of other European data protection supervisory authorities. And some very comprehensive opinions and examples have already emerged from these in recent years.
Up to 300,000 euros fine
The question of the permissible exceptions is also important because, according to the TTDSG, there is a risk of a fine if consent is necessary but not available. A breach of the obligation to consent can cost the website operator up to EUR 300,000. At first glance, this seems like a real relief from the requirements of the GDPR, which provides for fines of up to 20 million euros or, in the case of a company, up to four percent of its total worldwide turnover in the previous year.
Appearances are deceptive, however, as the fine provisions of the TTDSG only supplement those of the GDPR and do not replace them. If, for example, a website operator, contrary to the TTDSG, does not obtain the website visitor’s consent to the setting of a marketing cookie, and also, contrary to the requirements of the GDPR, fails to obtain consent for the subsequent processing of personal data (e.g. creation of a user profile or disclosure of the profiles to third parties), fines may result under both sets of rules.
Another new regulation with regard to cookies can be found in Section 26 TTDSG. According to the standard, companies can now use external services to manage consents given in accordance with Section 25 Paragraph 1 TTDSG. In the professional world, this regulation is discussed under the heading “Personal Information Management System” (PIMS): With a PIMS, users should not only be able to manage the granting of consents, but also their revocation. The advantage lies in the increased transparency with regard to granted consents, especially when visiting websites that require consent (or not) for a wide variety of marketing cookies. The legislator wants to counter the flood of cookie banners on websites.
However, the adopted regulation presupposes that the respective PIMS is recognized by an independent body, i.e. that it is found to be suitable within the meaning of the TTDSG. It is still completely unclear which body this could be. Recognition is tied to the fulfillment of certain requirements: according to the TTDSG, the PIMS must be user-friendly and competitive, and the provider must present a security concept that allows the quality and reliability of the service to be assessed.
PIMS as an independent software
The detailed design of these requirements has not yet been clarified, nor has the question of which types of PIMS actually fall under Section 26 TTDSG. In this regard, the legislature only spoke in general terms of so-called single sign-on solutions from companies grouped together in a foundation.
It would also be conceivable for a PIMS to be offered as stand-alone software that users install on their systems, or for a PIMS to come onto the market as an extension of existing software, for example as a browser plug-in. Both forms already exist (for example, as in the figure above). The decisive factor will be whether they meet the requirements for a PIMS under the TTDSG.
In c’t 26/2021 we show how you can switch from Windows 10 to 11 with just a few clicks of the mouse – and how you can overcome higher hurdles, for example if your PC does not meet the hardware requirements. In addition, we have compiled hand-picked gift tips from the c’t editors on six double pages and tested clever suction bots with object recognition. You will find issue 26/2021 from December 3rd in Heise shop and at the well-stocked newspaper kiosk.