GDPR and the new TTDSG, how should German companies adapt?

Germany's TTDSG cookie law came into force in December 2021, and companies all across Germany are wondering what implications it has for their business. In this blog, we will explain the TTDSG in simple English and highlight some of the differences from the previous GDPR regulations.
July 2020 in Web Analytics, by Justin Schmidt

What is the TTDSG?

The TTDSG stands for “Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia” and applies from the 1st of December 2021. It is the German implementation of the EU ePrivacy Directive and its later modifications, which comes with a delay of nearly 10 years since the EU member states pledged to adopt cookie consent back in 2009. 

It regulates the storing and accessing of information in the terminal equipment of an end user, or, in other words, the process of placing and reading browser cookies. It clearly states that informed consent is necessary for these interactions. There are only two exceptions to this rule:

  1. Cookies needed for transmission of the communication
  2. Those cookies that are strictly necessary for the provision of an information society service that has been explicitly requested by the user

With the TTDSG, the meaning of “informed consent” is now defined as requiring an active confirmation by the user, which takes into consideration the recent court ruling of the European Court of Justice in the “Planet-49” case.

The TTDSG is limited to end-users and only protects terminal equipment, which includes computers but also smart devices and more.

How does the TTDSG differ from GDPR?

Many have wondered why another law on privacy is necessary in the light of the prevailing GDPR. Although there are some cases in which these two regulations intersect, they are based on a different framework. While the purpose of the GDPR is to protect a user’s personal data, the TTDSG specifically deals with the use of cookies.

This becomes clearer when examining some examples. Imagine a hacker steals business secrets from a server. Since the data only contains corporate non-personal information, the GDPR is not applicable. The GDPR only applies when personal data is affected.

In some cases, both GDPR and TTDSG are applicable, but they protect you in different ways. If there was, for example, a leak of health data from a hospital server, the TTDSG would protect the hospital’s server while the GDPR would protect the patient’s health data.

These different protection goals can be summarized as follows.

The TTDSG is a cookie law and therefore protects device integrity. The transmission of communication and the provision of an online service are exempt from the rule.

The GDPR is a data protection law and protects personal data. Data collected with a legitimate interest or required to be collected by law is exempt.

TTDSG requires immediate action: Are you ready?

TTDSG affects the setup of your consent management platform (CMP). This refers to the graphic interface which gives the user the option to opt in to some or all of the cookies of a website. The choice is then communicated to the server, and those cookies can only be stored after consent has been given.

On most websites, cookie preferences are divided into essential, functional and marketing cookies. With TTDSG, essential cookies, such as shopping cart and language preference cookies, can remain mandatory. However, functional cookies, including basic web tracking, now require informed consent, just as marketing cookies already did in the past. This means that opt-out solutions are no longer possible.

Furthermore, we recommend that you check your consent management for completeness. Could it be that you added some cookies since the last time you updated the cookie consent banner? It may also be the case that some cookies need to be reclassified.
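The completeness check described above can be automated. The following is an added example, not code from this blog or from any CMP vendor: it audits the `Set-Cookie` headers a site sends against a cookie inventory using the essential / functional / marketing split, and flags cookies set without opt-in as well as cookies missing from the inventory. All cookie names and header values are constructed for illustration.

```javascript
// Constructed cookie inventory: cookie name -> category shown on the consent banner.
const INVENTORY = new Map([
  ["cart_id", "essential"],
  ["lang", "essential"],
  ["_analytics_id", "functional"],
  ["ad_click", "marketing"],
]);

// Extract the cookie name from a raw Set-Cookie header value.
function cookieName(setCookie) {
  const eq = setCookie.indexOf("=");
  return (eq === -1 ? setCookie : setCookie.slice(0, eq)).trim();
}

// headers: Set-Cookie values observed in responses.
// consent: Set of categories the visitor has actively opted in to.
// Returns one finding per cookie that should not have been set.
function auditSetCookies(headers, consent, inventory = INVENTORY) {
  const findings = [];
  for (const header of headers) {
    const name = cookieName(header);
    const category = inventory.get(name);
    if (category === undefined) {
      // Not listed in the CMP: added since the last banner update?
      findings.push({ name, issue: "unclassified" });
    } else if (category !== "essential" && !consent.has(category)) {
      // Functional and marketing cookies need opt-in before storage.
      findings.push({ name, issue: `set-without-consent:${category}` });
    }
  }
  return findings;
}

// Constructed sample: headers seen on first page load, before any banner click.
const FIRST_LOAD = [
  "lang=de; Path=/; SameSite=Lax",
  "_analytics_id=abc123; Path=/; Max-Age=63072000",
  "chat_widget=1; Path=/",
];

console.log(auditSetCookies(FIRST_LOAD, new Set()));
```

Run it against headers captured before the banner is answered (empty consent set) and again after each consent choice; any finding in the first run is a cookie stored without opt-in or one the banner does not list.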

Consequences of not complying with privacy regulations

In the years since GDPR came into force, many companies have wondered whether they comply with the legal requirements and what the consequences of non-compliance look like. Since 2019, there has been clear guidance from the German conference on data protection that illustrates how fines are calculated.

The maximum fine is set at 20 million Euros or 4% of the company’s yearly revenue (the higher amount applies). So far, the highest fine ever paid in Germany was a 35 million Euro fine against H&M.

The TTDSG includes provisions for monetary fines and prison sentences when negligence can be proven, although the fines are much lower in nominal terms at a maximum of 300,000 Euros.

Benefits of a consent management platform

The first step to cookie compliance is to invest in a consent management setup. A consent management platform is a practical tool that ensures a great user experience while complying with legal frameworks.

There are 3 major reasons for using a CMP:

1. Essential for compliance

Consent management systems provide a much-needed structure that clearly lists all cookies and similar technologies deployed on a website. The CMP can be considered the most vital tool for complying with existing and new regulations.

2. Fosters customer relationships

Customers are becoming more and more privacy-conscious. Companies now need to provide much-needed transparency to establish trust. A consent management platform can give customers a clear overview of what third-party services are in use. Users can then make use of a granular selection instead of seeing broad terms such as “marketing cookies”.

3. Customizable

Every company has their own identity and their website should reflect this. Your CMP can be implemented to be as unintrusive as possible. You can consider how your content is displayed and decide on a form factor that fits the flow of your website.

Our offer: Finding your ideal consent management platform

Whether you already have a Consent Management system or start from scratch – we provide the complete setup, make it GDPR-compliant and ensure a smooth transition. Based on your individual requirements, we help you select and evaluate the best-fitting consent tools and ensure that your marketing technologies, such as A/B/n tests and personalization, perform well with the opt-in/opt-out function of your Consent Management.

About the author

Justin has experience in BI, Digital Analytics & Consent Management.

He and the team are ready to support you in the Web Analytics & Consent Management area!

Justin Schmidt

Disclaimer
Please do not consider any content of this blog to be legal advice. Our service portfolio includes checking how consent management platforms are implemented on your website, but we do not provide GDPR legal consultations.