TTDPA explained

In May of this year, the German Bundestag passed the new Telecommunications and Telemedia Data Protection Act.

The TTDPA will come into force on December 1, 2021. The question arises as to how the new regulations will affect business operations and what needs to be done to comply with the new rules.

Schrems Timeline

The Big Picture: Cookie Rules

The previous data protection landscape in Germany was characterized by fragmented rules for cookies. Cookie rules were based in particular on the following provisions and decisions:

– TMG (Telemedia Act, 2007);
– TKG (Telecommunications Act, 2004);
– Planet49 Ruling, 2019 (active consent opt-in);
– Fashion ID Ruling, 2019 (joint control);
– EU ePrivacy Directive.

Further complications in cookie regulations were caused by the July 2020 ruling of the European Court of Justice (ECJ) in Facebook Ireland Ltd. v. Maximillian Schrems (Schrems II). The ECJ’s decision in Schrems II invalidated the U.S.-EU Privacy Shield. The effect of this decision was that there was a high risk of non-compliance (with data protection laws) when using third-party cookies. Before the decision, the Privacy Shield protected data transferred from the EU to the US. Now, without the Privacy Shield, website operators must ensure that additional safeguards are in place to protect data. The ruling makes third-party cookie providers, such as Facebook and Google, non-compliant unless additional measures are taken to protect data in transit.

In February 2021, German data protection authorities launched a Coordinated Audit of International Data Transfers. As part of the audit, selected German companies were sent a questionnaire examining their internal procedures for international data transfers. Among other things, the questionnaire refers to the use of service providers for sending e-mails, hosting websites, web tracking, managing applicant data, and exchanging customer and employee data within the Group.

It should be noted that in March of this year, the activist organization noyb, led by Maximillian Schrems, filed draft complaints regarding 560 websites in 33 countries, including Germany, for so-called “unlawful cookie banners.”

The adoption of the TTDPA is a significant change for data protection regulation in Germany, as it consolidates fragmented cookie rules into one law. The law redirects the focus of data protection to web and user tracking. It is also an important step in aligning with the upcoming Europe-wide legal reform initiated by the Digital Services Act and the ePrivacy Regulation.

Consolidated cookie rules (Germany)

The TTDPA aims to integrate the EU ePrivacy Directive into the German legal system and align it more closely with the GDPR.The TTDPA applies to all companies and individuals that have an establishment in Germany or that offer or participate in the provision of services or goods on the German market. The scope of the TTDPA includes not only personal data, but all information collected through the use of telemedia and telecommunications services, i.e., all information collected, processed or stored via a terminal device (terminal equipment).

Article 25 of the TTDPA, entitled “Protection of privacy of terminal equipment”, regulates the use of cookies. It introduces two categories of cookies: 1) cookies that are set with consent and 2) cookies that do not require consent. This means that legitimate interest can no longer be used as a basis for setting a cookie on a user’s device.

Under the TTDPA, user consent is not required in two types of situations:

When the sole purpose of the cookie (to access or store information on the user’s device) is to transmit a message over a public telecommunications network; or
if the cookie is strictly necessary for the telemedia service provider to provide a telemedia service expressly requested by the user.

The TTDPA itself does not define the scope of absolutely necessary cookies. What is necessary must be made dependent on the individual cases. The ‘necessity’ toolkit provided by the European Data Protection Board in 2017 helps to clarify whether the setting of a cookie is “strictly necessary”.

Examples of cookies that may fall into the “strictly necessary” category include:

• User input cookies (e.g., shopping cart, online forms)
• Authentication cookies (e.g., log-in cookies)
• Load balancing session cookies and user-facing security cookies (e.g., to ensure that user requests are sent to a specific web server and to log failed login attempts)
• Session cookies for multimedia players (e.g., to store technical data required for media playback)
• Cookies for user preference customization (e.g., to store language and country preferences)
• Cookies for CMP reporting (to store opt-in and opt-out)
• AdServer cookies: country and language targeting
• Tag management system cookies (to activate the system)
•  1st-party analytics cookies (aggregated statistical information)
• Chat bots, feedback tools (once initiated by the user)
• Content sharing cookies from social plug-ins (e.g. to share content with “friends” – only in case the website visitors are logged in to the corresponding network and the cookies do not have a storage period beyond closing the web browser, otherwise consent is required)

The result of the ” necessity test ” could be that 1st party cookies can be considered strictly necessary, while for 3rd party cookies consent is most likely required. The TTDPA refers to the GDPR to describe the legal requirements for obtaining proper consent (see Section 7 and Recital 32). Accordingly, consent must be given “voluntarily, for the specific case, in an informed manner and unambiguously.”

Effects and implications of the TTDPA

The adoption of the TTDPA sends a clear signal to market participants in Germany that the “preparation time” for compliance with data protection laws is over and that German data protection authorities will vigorously enforce compliance with both the GDPR and the TTDPA.

Failure to comply with data protection laws can result in significant fines of up to €300,000 for administrative violations under the TTDPA. If the breach is related to personal data, e.g. if proper consent was not obtained, the fine will be levied under the GDPR and can be up to 4% of annual turnover. Non-compliance leads not only to financial losses, but also to reputational damage and loss of trust among end users and business partners.

The explicit reference between the GDPR and the TTDPA to the issue of consent requirements actually emphasizes the urgency of having a transparent and GDPR-compliant consent management system that clearly segments consent and non-consent. It is still necessary to ensure that consent is based on active opt-in and that end-users are fully informed about the circumstances of data processing, in particular the legal basis, the purposes of processing, the functioning time of cookies and access by third parties.

Controlling the collection, processing and transfer of user data, including when cookies and tracking technologies are used, has become a priority for companies. Minimizing reliance on 3rd party data, using 1st party data, and deciding the scope and purpose of any international data transfer will be critical to mitigating the risk of non-compliance.

JENTIS offers unique technology that enables its customers to minimize the risks of non-compliance with TTDPA, DSGVO, Schrems II and other data protection regulations. Here’s how:

1st party data collection – ready for the post 3rd party cookie era

Be prepared for the end of 3rd party cookies and the new tracking era. With us, you collect all your first party data on your website. Once you have the data, we will help you pass it on to your respective tools. Only 1st party cookies can be classified as “strictly necessary”. Third party cookies require consent.

Important: This new way of tracking is the only feasible one in the future – if done right, it can bring huge benefits in online marketing and on-site website innovation. If you don’t transform your tracking, your entire martech stack will lack the data to do its job, and your performance will deteriorate very quickly.

Full control over data flow

A differentiator of JENTIS is that our tracking allows you to own your customer data first. Then, you can decide which tool gets which data, and even modify it before it is forwarded. JENTIS mitigates risk by putting customers in the role of controllers who have full control over their data and can decide what data is needed for the business. All other data can be customized with JENTIS based on consent and data category to anonymize or pseudonymize as appropriate.

TTDPA – compliant data tracking

The JENTIS tool can ensure a company’s TTDPA compliance. Very specifically, we are currently the only solution that can hash the IP address, which is clearly considered personal data, still within the EU using JENTIS (e.g., the last 3 digits), thus fulfilling the most important requirement of anonymization. The advantage of data control is also that you can decide where and in what form the data is transmitted. With JENTIS, customers can pseudonymize or even anonymize data before passing it on to third parties. This adds an additional layer of data protection and avoids the legal risk of non-compliance with the Schrems II decision.

Link: Facebook Ireland Ltd. v. Maximillian Schrems.