The German Telecommunications-Telemedia Data Protection Act – Overhaul of the regulations governing the use of cookies

The new Telecommunications-Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutz-Gesetz, TTDSG) has been in force since 1.12.2021. The TTDSG applies alongside the GDPR. The previous data protection provisions of the Telecommunications Act (Telekommunikationsgesetz, TKG) and the Telemedia Act (Telemediengesetz, TMG) were combined and adapted to European legal requirements. The following overview provides information on the legislative changes, whose impact will, however, be limited for most website operators.

A new element – OTT services are covered by the legislation

Most of the regulations in the previously applicable TMG were transferred to the TTDSG, which is aimed at all telemedia providers. By contrast, a new element is the widening of the definition of the terms telecommunication service providers and telecommunication services. The latter category now also includes – via the term ‘interpersonal communications services’ – so-called over-the-top services (OTT services). The legal definition covers those OTT services that are offered over the internet without the involvement of the internet service provider in the process. This means, primarily, apps for e-mail services, instant messengers and internet telephony offerings, but also smart home devices such as light bulbs that can be controlled via Alexa and other voice-controlled systems.

Consent under Section 25 TTDSG constitutes the most important regulation

Explicit consent for the use of cookies and tracking services is still the most important regulation here for telemedia providers. This requirement has already existed pursuant to the supreme court rulings of the Federal Court of Justice (Bundesgerichtshof, BGH) and the ECJ with respect to the interpretation of Section 15(3) of the Telemedia Act – which was applicable until 30.11.2021 – in conformity with European law (cf. also the BGH ruling of 28.5.2020, case reference: I ZR 7/16). Consent has now been explicitly legally stipulated for the first time in the TTDSG.

As previously, website operators will need to obtain the consent of users in order to store information in the terminal equipment of an end user or to access information stored there. This will not apply in the case of cookies whose sole purpose is to carry out the transmission of a communication over a public telecommunications network or ones that are strictly necessary for technical purposes.

What are cookies that are necessary for technical purposes?

Cookies that are necessary for technical purposes are all those without which the website would not function. According to the respective EU Directive (Art. 5(3) sentence 2 of the Directive 2002/58/EC – ePrivacy Directive) the following cookies, for example, are necessary for technical purposes:

  • session cookies that store certain settings of a user (e.g., the shopping basket, language settings or login data);
  • flash cookies for delivering media content playback features;
  • cookies that are used by integrated payment service providers (irrespective of any specific payment) insofar as they do not analyse any particular usage behaviour but, instead, are solely for the purpose of preparing potential payments or checking payment authentications.

The personal information management system (PIMS) and the single sign-on solution

Under Section 26 TTDSG, in the future, the intention is to give approval for services that would make it possible for website users to specify the circumstances under which they wish to consent to or reject the use of cookies. This would only need to be done once. Providers of such ‘personal information management services’ (PIMS) would automatically forward this information to all websites. 

Please note: As a result, users would generally gain more control over their personal data and third-parties’ access to their information.

A possible consequence would then be that cookie banners for giving consent would be rendered superfluous.

However, this may still take some time because these services will have to be approved first. Certain requirements will have to be met in order to obtain approval (e.g., no economic self-interest in consent being given on the part of the provider, the provider’s security concept, etc.). A procedure for approving the services is yet to be established.

An example of such a service is mentioned in the preamble to the TTDSG. Several entities band together and organise a facility. It provides so-called single sign-on solutions for the entities via which users can organise their consent. Specifically, this means that those who log into their computers via the single sign-on service would, at the same time, be able to sign in to several services and applications without having to provide their login data separately for each individual service.

Other changes

The TTDSG also regulates further aspects. For example, a new provision on the secrecy of telecommunications in Section 3 TTDSG has expanded the target group of those affected by this regulation. Moreover, Section 4 TTDSG is worth mentioning because it means that legal heirs will now be expressly authorised to access the data of deceased persons.

Conclusion

The TTDSG has provided greater clarity about the data protection requirements for telemedia and telecommunications services. As regards the content of the legislation, there are only a few changes in the TTDSG, so that it is likely that nothing will change for many website operators. The complicated interpretation, in conformity with European law, of Section 15(3) TMG is now not needed any more and the coexistence of regulations in different legislative acts is likewise a thing of the past.

Recommendation: Against the backdrop of a legal situation that is now clear, we would recommend not only reviewing the requirements for consent and checking that your data privacy statement is up to date, but also setting up an ongoing process to ensure that, in the future, all technical changes with respect to consent and your data privacy statement are taken into account. Furthermore, it should be noted that there are still plans at the EU level for an ePrivacy Regulation; as a result, there could be new changes that would, at least partially, also relate to the TTDSG.
