On December 1, 2021, a new data protection law came into effect in Germany. It’s called the Telecommunications and Telemedia Data Protection Act (TTDPA, or TTDSG in German). TTDPA is a shortened version of “Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia”.
We will look at what has changed for companies and what needs to be done.
Guidelines for the TTDPA
On December 20th, 2021, the Datenschutzkonferenz (DSK), the conference of the independent federal and state data protection supervisory authorities in Germany, published guidelines for the TTDPA (in German). These guidelines provide further information and clarification about the TTDPA and how organizations should implement it.
Key points from the TTDPA Guidelines
- The TTDPA applies to any organization providing goods and services in Germany.
- It applies whether the data collected is considered personal information or not. This differs from the GDPR.
- Bundled consent with a single “accept” button can cover both the GDPR and TTDPA requirements. The user must be informed about two distinct consent requests: access (under the TTDPA) and processing (under the GDPR) in order for consent to be valid, e.g. device access and data processing for marketing purposes.
- Valid consent under the TTDPA has the same requirements as under the GDPR (Art. 4(11) GDPR: freely given, specific, informed and unambiguous, given by a clear affirmative action; granular per purpose).
- If an “accept” option is placed on the first layer, then all purposes for data collection/processing must also be stated in the first layer. However, it is not necessary to provide the option to make a granular decision in the first layer.
- Valid consent requires an equally prominent and accessible way to explicitly opt out or deny consent, e.g. making a choice in browser settings is not enough. If there is an “accept” button or link, there would have to be a “deny/reject” button or link equal in appearance and accessibility (e.g. same number of clicks). Nudging or other dark patterns prevent valid consent.
- So that the user clearly knows what they are consenting to, all necessary information must be provided in the same manner as under the GDPR, including the legal basis relied on under the TTDPA.
- Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
- Whether one of the exceptions in Section 25(2) TTDPA applies has to be decided on a case by case basis. The storage of or access to information must be strictly necessary for a service the user has expressly requested, e.g. user-oriented additional functions such as a shopping cart or fraud prevention.
What does the TTDPA change for companies?
The good news is that for companies that already obtain and manage consent via a Consent Management Platform (CMP), not much changes. The requirements for obtaining consent remain the same and continue to be based on the provisions of the GDPR.
The scope for Consent Management Platform use has expanded
Requirements for valid consent
For consent to be valid the data subject needs to be informed. The TTDPA requirements for consent are the same as the ones for GDPR (Recital 32). The legal basis for data processing under the TTDPA must be made available to website visitors. This could be in the banner or in the privacy policy, for example.
Note that in most cases a service will have two legal bases: one for GDPR and one for TTDPA. In some cases, e.g. when no personal data is processed, the GDPR will not apply. However, in those cases the TTDPA legal basis will still be required.
More technologies now require consent
According to the TTDPA, all technologies that access the user’s device require consent before they are used, regardless of whether or not personal data processing is involved.
The reason behind this is that Section 25 of the TTDPA protects the integrity of the user's device (storing information on it or reading information from it), not only personal data.
As a result, storage of or access to information that is not personal data is also subject to consent, so the scope of application for CMP use has expanded.
⇨ This means that as of December 1st, 2021, companies based in Germany or companies offering goods or services to the German market have to obtain consent for a greater number of technologies than before. Particularly for those where information is read from or stored on the user’s device.
Obtaining consent from users
Under the TTDPA, consent must be obtained both for accessing the user’s device and for processing data obtained from it. However, it is not necessary to provide two separate “accept” options (along with “deny/reject” options) to users to obtain these consents. One option is sufficient, as long as the user is informed in the first layer that the consent is for both accessing their device and for data processing.
However, there must also be an equal option to deny both device access and data processing. The “deny/reject” option should use the same design and function as the “accept” option.
One button, link, etc. should not be more prominent or easily accessible than the other, otherwise consent cannot be considered to be freely given, per legal consent requirements. Both options should require the same number of clicks and be available on the same layer. E.g. do not put the “accept” option on the first layer and the “deny/reject” option in the second layer.
“Nudging”, like making one option more prominent or accessible over another is increasingly considered manipulative user experience by authorities, and under some regulations is illegal. (Learn more: What are dark patterns and how do they affect consent?)
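The two points above (every non-exempt technology that touches the device needs consent, and one decision may cover both device access and processing as long as the user was told so) translate into a concrete engineering requirement: nothing that stores or reads non-exempt information on the device may run before a decision exists, and the decision record has to carry both legal bases. The following is an added example, not code from the original article or from Usercentrics. It uses an in-memory stand-in for localStorage so it runs under Node, and the purpose names, the exempt/non-exempt split and the legal-basis strings are assumptions for illustration; whether a real service is "strictly necessary" under Section 25(2) TTDPA remains the operator's case-by-case call.

```javascript
// Added example (not from the original article or Usercentrics): a minimal
// consent gate. One user decision covers both the TTDSG question (may the site
// read from / write to the device?) and the GDPR question (may the obtained
// data be processed?), and every non-exempt storage access is blocked until
// that decision exists. Purposes, exemptions and basis strings are assumed.
const PURPOSES = {
  session:   { exempt: true,  ttdsg: "§25(2) No. 2 TTDSG: strictly necessary for the requested service",
                               gdpr:  "Art. 6(1)(b) GDPR: performance of a contract" },
  cart:      { exempt: true,  ttdsg: "§25(2) No. 2 TTDSG: user-requested function (shopping cart)",
                               gdpr:  "Art. 6(1)(b) GDPR: performance of a contract" },
  analytics: { exempt: false, ttdsg: "§25(1) TTDSG: consent", gdpr: "Art. 6(1)(a) GDPR: consent" },
  marketing: { exempt: false, ttdsg: "§25(1) TTDSG: consent", gdpr: "Art. 6(1)(a) GDPR: consent" },
};

// In-memory stand-in for localStorage / document.cookie (constructed for this example).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

class ConsentGate {
  constructor(storage, purposes = PURPOSES) {
    this.storage = storage;
    this.purposes = purposes;
    this.decision = null;    // no decision yet: only exempt purposes may touch the device
    this.blocked = [];       // audit trail of accesses refused without consent
    this.owners = new Map(); // storage key -> purpose, so withdrawal can clean up
  }

  // One "accept"/"reject" click covers device access AND processing, provided
  // the first layer of the banner said so. Unknown or exempt purposes are never
  // part of the consent record.
  decide(accepted, purposes = Object.keys(this.purposes)) {
    const granted = accepted
      ? purposes.filter((p) => p in this.purposes && !this.purposes[p].exempt)
      : [];
    this.decision = { deviceAccess: accepted, processing: accepted,
                      purposes: granted, at: new Date().toISOString() };
    if (!accepted) this.purgeNonExempt();
    return this.decision;
  }

  // Withdrawal must be as easy as consenting; it also removes what was stored.
  withdraw() { return this.decide(false); }

  mayAccessDevice(purpose) {
    const p = this.purposes[purpose];
    if (!p) return false;                  // uncategorised technology: block until classified
    if (p.exempt) return true;             // §25(2) exemption: no consent needed
    return this.decision !== null && this.decision.purposes.includes(purpose);
  }

  setItem(purpose, key, value) {
    if (!this.mayAccessDevice(purpose)) {
      this.blocked.push({ purpose, key, op: "write" });
      return false;
    }
    this.storage.setItem(key, value);
    this.owners.set(key, purpose);
    return true;
  }

  getItem(purpose, key) {
    if (!this.mayAccessDevice(purpose)) {
      this.blocked.push({ purpose, key, op: "read" });
      return null;
    }
    return this.storage.getItem(key);
  }

  purgeNonExempt() {
    const doomed = [...this.owners].filter(([, p]) => !this.purposes[p].exempt);
    for (const [key] of doomed) { this.storage.removeItem(key); this.owners.delete(key); }
  }

  // Both legal bases per purpose, for the banner text and the privacy policy.
  legalBases() {
    return Object.fromEntries(Object.entries(this.purposes)
      .map(([name, p]) => [name, { ttdsg: p.ttdsg, gdpr: p.gdpr }]));
  }
}

// Walk-through with constructed values: exempt cart write succeeds before any
// decision, analytics is blocked until accepted, marketing stays blocked
// because only analytics was granted, and withdrawal removes the analytics key.
function demo() {
  const gate = new ConsentGate(new MemoryStorage());
  gate.setItem("cart", "cart_id", "c-42");
  gate.setItem("analytics", "_ga", "GA1.1");
  gate.decide(true, ["analytics"]);
  gate.setItem("analytics", "_ga", "GA1.1");
  gate.setItem("marketing", "ad_id", "xyz");
  gate.withdraw();
  return gate;
}
```

The `blocked` list is the useful by-product: running the page with the gate in place and inspecting which purposes tried to write before a decision is a quick way to find technologies that are still categorised as essential but actually need consent.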
As a Usercentrics customer, this is what you need to do now.
1. Check which Data Processing Services are in use on your website with the help of our DPS Scanner.
2. Add the services to the CMP that access user devices. To do this, use the Add button in the audit results. In the case of unknown technologies, you will need to determine which category you would like to add them to.
3. Check the current categorization of all your services that use services/technologies like cookies, local storage or other storage locations on users’ devices. The reason for this is that consent must now be obtained for these services as part of the scope of the TTDPA. Technologies may have to be moved from the “Essential” category to the “Marketing” or “Functional” categories.
4. Section 25(1) TTDPA refers to the GDPR both for the information that has to be given to the user and for the requirements of valid consent. One of the most important elements of the GDPR information duties (Art. 13 GDPR) is the legal basis. It is therefore recommended to inform the user about the TTDPA legal basis as well.
When is consent not required?
According to Section 25(1) TTDPA, website operators require user consent for storing information on or accessing information already stored in the user's device, which covers cookies and tracking services. However, pursuant to Section 25(2) TTDPA, the following scenarios are exempt from the consent requirement:
- storage or access whose sole purpose is carrying out the transmission of a message via a public telecommunications network
- storage or access that is strictly necessary for the provider to deliver a telemedia service expressly requested by the user (essential technical cookies and information)
Please keep in mind: You will have to check if any Data Processing Services fall under exceptional circumstances, and thus do not require consent. Usercentrics cannot provide legal advice or tell you if the service is “necessary”, “technically necessary” or “essential”.
Expansion of data protection scope to include end user equipment
The TTDPA expands the scope of application of data protection because the requirements apply to all items defined as “end user equipment” (user devices).
What is meant by “end user equipment”?
End user equipment is:
“any device connected directly or indirectly to the interface of a public telecommunications network for the purpose of sending, processing or receiving messages. This includes, for example, laptops, tablets, smartphones, smart TVs, voice assistants, connected devices belonging to the Internet of Things (IoT) that exchange information automatically or with only minor human involvement in the context of machine-to-machine communication (M2M), such as connected cars.”
This means that all technologies operating on a user’s device require consent, whether or not personal data is processed.
Therefore, anyone using cookies or other tracking technologies will need explicit consent from users in Germany and, consequently, they will need to implement a functional cookie banner or Consent Management Platform.
What else is new?
Personal Information Management Systems and Single Sign-on Solutions – what does the future hold?
Personal Information Management Systems (PIMS) are services designed to enable users to set one-time conditions for consent or refusal to let websites collect personal data. The PIMS provider automatically forwards this information to all websites the user accesses. The goal is convenience, consistent application of preferences and to give users more control over their personal data and third-party access to information.
Although PIMS are not explicitly mentioned within the TTDPA, here the legislature has already provided a legal framework for possible innovations. Supplementary documents also indicate that Single Sign-on (SSO) Solutions are included in addition to PIMS.
Section 26 of the TTDPA is intended to create a reliable and credible framework for the recognition of such services so that end users are willing to entrust their consent decisions to them. However, these services must first be officially recognized, for which certain conditions must be met (no economic self-interest on the part of the provider, a security concept of the provider, etc.). The recognition procedure also still has to be defined by the federal government in the form of a legal ordinance.
In the future, whether the browser vendor or new technology players will have to provide a PIMS – and what the cooperation between them might look like – is still unknown. However, the immediate relationship between responsible parties and users still has priority. Therefore, cookie banners will still be helpful for obtaining consent in an era of PIMS.
Frequently Asked Questions (FAQ)
With the TTDPA, the data protection provisions previously spread across the Telecommunications Act (TKG) and the Telemedia Act (TMG) are merged into one law. The coexistence of those two sets of rules alongside the GDPR repeatedly led to legal uncertainty in the past, which this change aims to resolve. The TTDPA also transposes the corresponding provisions of the ePrivacy Directive (Article 5(3)) into German law.
The law was passed by the German Parliament on May 20, 2021. It came into effect on December 1, 2021.
The TTDPA affects all companies based in Germany or companies that offer goods or services to the German market.
A violation of the TTDPA can be punished with a fine of up to € 300,000. However, if the action or negligence in question violates both the TTDPA and GDPR, a double penalty will not be issued.
For companies already using a Consent Management Platform (CMP) to obtain and manage user consent, not much changes with the TTDPA. Consent requirements continue to be based on GDPR provisions. Companies that are not GDPR-compliant or not using a CMP should begin looking into those requirements, which should take care of most TTDPA requirements as well.
DISCLAIMER: These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer. A data protection-compliant implementation of a consent management platform is ultimately at the discretion of the respective data protection officer or legal department.