In May this year, the German Bundestag adopted the new law regulating protection of data in the field of telecommunications and telemedia.
The TTDSG (Telekommunikation-Telemedien-Datenschutzgesetz) will come into force on 1 December 2021. New regulations bring challenges for businesses; the question is how they will affect business operations and what needs to be done to comply with the new rules.
Cookie Rules Big Picture
Until now, the data protection landscape in Germany consisted of fragmented rules regulating cookies. In particular, cookie rules were guided by the following provisions and decisions:
– TMG (Telemediengesetz, 2007);
– TKG (Telekommunikationsgesetz, 2004);
– Planet49 Ruling, 2019 (active opt in for consent);
– Fashion ID Ruling, 2019 (joint controllership);
– EU ePrivacy directive.
Cookie regulation was complicated further in July 2020 by the ruling of the European Court of Justice (ECJ) in the case Facebook Ireland Ltd. v. Maximilian Schrems (Schrems II). The ECJ Schrems II decision annulled the EU-U.S. Privacy Shield, which resulted in a high non-compliance risk when using third-party cookies. Prior to the decision, the Privacy Shield ‘protected’ data transferred from the EU to the U.S. Without the Privacy Shield, website owners have to make sure that additional safeguards are in place to protect the data. The decision makes the use of third-party cookie providers, such as Facebook and Google, non-compliant if additional measures to protect the data in transit are not in place.
In February 2021, the German data protection authorities launched a coordinated audit of international data transfers. As part of the Audit, selected German companies received a questionnaire inquiring into the international data transfer practices. Among other things, the questionnaire covered the use of service providers for sending e-mails, hosting websites, web tracking, managing applicant data and the intra-group exchange of customer data and employee data.
It is worth noting that in March this year noyb, the activist organisation led by Maximilian Schrems, filed draft complaints in relation to 560 websites in 33 countries, including Germany, for so-called “unlawful cookie banners.”
Adoption of the TTDSG is a significant change for data protection regulation in Germany because it consolidates the fragmented cookie rules into the provisions of a single law. The law returns the focus of data protection to web and user tracking. It is also an important transition step towards the upcoming Europe-wide legal reform brought by the Digital Services Act and the ePrivacy Regulation.
Consolidated Cookie Rules (Germany)
The TTDSG is designed to incorporate the EU ePrivacy Directive into the German legal framework and bring it into closer alignment with the GDPR. The TTDSG applies to all companies and persons who have a representative office in Germany or who provide or participate in the provision of services or goods on the German market. The scope of the TTDSG includes not only personal data, but all information collected through the use of telemedia and telecommunications services, meaning any information collected, processed or stored on terminal equipment.
According to TTDSG, user consent is not required in two types of situations:
- If the sole purpose of setting a cookie (accessing or storing information on the user device) is to carry out the transmission of a message via a public telecommunications network; or
- If setting a cookie is absolutely necessary for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user.
The TTDSG itself does not define the scope of strictly necessary cookies. What is necessary is to be determined on a case-by-case basis. The ‘Necessity’ Toolkit made available by the European Data Protection Board in 2017 helps to clarify whether the setting of a cookie is ‘strictly necessary’. Examples of cookies that may fall into the category of ‘strictly necessary’ so far include:
- User input cookies (e.g. shopping cart cookies, online forms).
- Authentication cookies (e.g. log-in cookies).
- Load balancing session cookies and user-oriented security cookies (e.g. to ensure that user requests are sent to a specific web server and for logging failed login attempts).
- Multimedia player session cookies (e.g. to store technical data necessary for media playback).
- User interface customisation cookies (e.g. to store language and country settings).
- Consent management reporting cookies (to store opt-in and opt-out).
- AdServer cookies: country and language targeting.
- Tag management system cookies (to enable the system).
- 1st party analytics cookies (aggregated statistical information).
- Chat-bots, feedback tools (once initiated by the user).
- Content sharing cookies of social plug-ins (e.g. to share content with “friends” – only in the case that website visitors are logged in to the relevant network and the cookies do not have a storage period beyond closing the web browser; otherwise consent is required).
While the result of the ‘necessity’ test may be that 1st party cookies can be viewed as strictly necessary, 3rd party cookies will most likely require consent. The TTDSG refers to the GDPR for the legal requirements of obtaining proper consent (see § 7 and Recital 32). Accordingly, the consent must be ‘freely given, specific, informed and unambiguous’.
Effects and implications of TTDSG
Adoption of the TTDSG sends a clear signal to market participants in Germany that the ‘preparation time’ for compliance with data protection laws is over and that the German data protection authorities will be vigorous in enforcing compliance with both the GDPR and the TTDSG.
Non-compliance with the data protection laws may result in significant fines of up to 300.000 Euro for administrative breaches under the TTDSG. Note that if the breach is connected to personal data, for example a failure to obtain proper consent, the fine will be charged under the GDPR and can be as high as 4% of annual turnover. Non-compliance causes not only financial losses, but also reputational damage and loss of trust by end users and business partners.
The TTDSG’s explicit reference to the GDPR on the subject of consent requirements emphasises the urgency of a transparent, GDPR-compliant consent management system that clearly separates consented from non-consented processing. It is important to continue to ensure that consent is based on an active opt-in and that comprehensive information about the circumstances of the data processing, in particular the legal basis, the processing purposes, the functional duration of the cookies and access by third parties, is provided to the end users.
The need to be able to control the data collection, processing and transfer of user data, including from using cookies and tracking technologies, has become the priority for businesses. Minimizing reliance on 3rd party data, using 1st party data and being the decision maker for the scope and purpose in connection with every international data transfer will become crucial in mitigating the risk of non-compliance.
JENTIS offers a unique technology to help its Customers mitigate the risks from non-compliance with TTDSG, GDPR, Schrems II and other data protection rules. Here is how:
1st party data collection – getting ready for the post 3rd party cookie era.
Be prepared for the end of 3rd party cookies and the new tracking era. With us, you collect all your first party data on your website. Once you have the data, we’ll help you pass it on to your respective tools. Only 1st party cookies can qualify as ‘strictly necessary’. 3rd party cookies will require consent.
Important: This new way of tracking is the only feasible one in the future – if done right, it can bring huge benefits in online marketing and on-site website innovation. If you don’t transform your tracking, your entire martech stack will lack the data to do its job, and your performance will deteriorate very quickly.
Control over data flow.
A differentiator of JENTIS is that our tracking allows you to own your customer data first-hand. After that, you can decide which tool gets which data, and modify it before it is forwarded to anyone else. JENTIS facilitates risk mitigation by placing the customer as the controller with full control over their data, who can decide what data is required for the business. JENTIS can be used to individually adjust any other data depending on the consent and data category in order to anonymize or pseudonymize it if necessary.
DSGVO (GDPR) compliant data tracking.
The JENTIS tool can ensure a company’s compliance with the GDPR. Specifically, we are currently the only solution that can hash the IP address, which is clearly considered personal data, within the EU using JENTIS (e.g., the last 3 digits) and thus fulfill the most important requirement of anonymization. Having control also has the added benefit of being able to decide where and in what form the data is sent. With JENTIS, customers can pseudonymize or even anonymize data before sharing it with third parties, which adds an extra layer of data protection and helps avoid the legal risk of non-compliance with the Schrems II decision.
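To make the consent-gated, first-party data flow described above concrete, here is an added illustrative example in Python; it is not JENTIS’s code. The consent category names, the consent dictionary shape, the /24 (IPv4) and /48 (IPv6) masking policy and the keyed-hash pseudonymization are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Consent categories as a consent-management platform might report them (assumed labels).
STRICTLY_NECESSARY = "necessary"
ANALYTICS = "analytics"
MARKETING = "marketing"


@dataclass
class Event:
    """One tracking event as received by the first-party server (constructed shape)."""
    client_ip: str
    user_id: str
    page: str


def anonymize_ip(ip: str) -> str:
    """Drop the host part of the address before it leaves the first-party server.
    Assumed policy: IPv4 keeps the /24 prefix, IPv6 keeps the /48 prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize(value: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256): stable per visitor for the same secret, but not
    reversible and not linkable across operators that hold different secrets."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()


def prepare_for_tool(event: Event, tool_category: str, consent: dict, secret: bytes):
    """Decide what a downstream tool may receive, given the visitor's consent state.
    Returns None when the tool's category has no consent, so nothing is forwarded."""
    base = {"page": event.page, "ip": anonymize_ip(event.client_ip)}
    if tool_category == STRICTLY_NECESSARY:
        # No consent needed, but also no visitor identifier: aggregated statistics only.
        return base
    if not consent.get(tool_category, False):
        return None
    # Consented category: forward a keyed pseudonym instead of the raw identifier.
    return {**base, "uid": pseudonymize(event.user_id, secret)}


# Constructed sample: analytics consent given, marketing consent refused.
SAMPLE_EVENT = Event(client_ip="203.0.113.57", user_id="visitor-42", page="/checkout")
SAMPLE_CONSENT = {ANALYTICS: True, MARKETING: False}
SAMPLE_SECRET = b"server-side-secret-never-sent-to-tools"  # placeholder value

if __name__ == "__main__":
    for category in (STRICTLY_NECESSARY, ANALYTICS, MARKETING):
        print(category, prepare_for_tool(SAMPLE_EVENT, category, SAMPLE_CONSENT, SAMPLE_SECRET))
```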