In November 2024, the German Data Protection Conference (DSK) published Version 1.2 of the Guidance from the Supervisory Authorities for Providers of Digital Services. This guidance supplements the EDPB Guidelines 2/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive. Version 1.1 of this guidance titled Guidance from the Supervisory Authorities for Providers of Telemedia was published back in November 2022.
Section 25 of Germany’s Telecommunications Digital Services Data Protection Act (TDDDG) transposes Article 5(3) of the e-Privacy Directive into national law. It requires data controllers, including telecommunications service providers and digital services providers, to obtain the user’s (data subject’s) consent before using non-essential cookies and similar tracking technologies.
The DSK has clarified that the end user’s prior consent is required for the storage of information or access to existing information in the end user’s terminal equipment. This includes the use of cookies, spyware, web bugs, hidden identifiers, and similar tracking technologies that can access information or trace user activity with the exception of strictly necessary cookies and technologies. Such consent must be freely given, specific, informed, and unambiguous as per the requirements of the GDPR and e-Privacy Directive.
General Requirements for Consent
Let’s look into a quick overview of the consent requirements highlighted by the DSK that will help websites ensure compliance and design cookie consent banners as per the requirements of the TDDDG:
- The end user’s consent must be obtained prior to the activation of cookies and not when non-essential cookies have already been set or activated on the website.
- Before consent is obtained, end users must be informed of the purposes of the processing, the storage duration of the cookies, and whether third parties can gain access to their information. When the terminal device is accessed, sufficient information must also be given on whether, and if so to what extent, that access serves further processing that is subject to the GDPR, with the specific purposes of that subsequent processing stated precisely. End users must also be informed that they can revoke consent, and that revocation does not affect the lawfulness of processing carried out before the revocation.
- All information must be communicated to the end user in an easily accessible, transparent, comprehensible and sufficiently recognizable manner. Furthermore, there should not be any contradictions between the information provided to the end users on consent banners and that specified in the platform’s privacy policy.
- Silence or inaction, pre-selected checkboxes, scrolling or browsing through the website content, and similar behaviour do not constitute valid consent, as none of them is an affirmative action by the end user. Opt-out procedures are therefore never suitable for obtaining effective consent.
- Texts such as “Agree”, “I Consent”, and “Accept” can be stated on cookie consent banners to accept non-essential cookies provided the accompanying text of the banner clearly states what specifically the consent is given for. Terms such as “Okay” are not considered appropriate on the cookie consent banner as this term does not constitute an unambiguous declaration by the user of his/her choice concerning the use of cookies.
- The user’s consent should be obtained for specific purposes. They should be provided sufficient information about all purposes for which consent is asked and they must be able to accept or reject each purpose separately.
General Requirements for Consent Banners
To ensure compliance with Section 25(1) TDDDG and Article 6(1)(a) GDPR, certain key aspects must be observed when obtaining effective consent via a consent banner.
- Typically, when a website or app is accessed for the first time, the consent banner appears as a separate element, irrespective of whether the home page or a subpage is visited. This banner should provide an overview of all device accesses requiring consent under Section 25(1) TDDDG and any processing activities relying on Article 6(1)(a) GDPR. It must also clearly explain the actors involved and their roles, with options presented in a selection menu. Importantly, these options should not be pre-set to "active."
- Consent information can follow the EDPB's tiered approach, but the initial layer must generally provide details such as the specific purposes of processing, whether individual profiles are created and combined with data from other websites, the processing of data outside the EEA, and the number of controllers involved. When third-party services are utilized, vague statements such as "information is passed on to partners" are insufficient. Instead, users must be informed about the exact purposes of processing, especially if it involves creating enriched user profiles for marketing or advertising purposes. These third-party service providers must be individually named, and their processing purposes explicitly described.
- While the consent banner is displayed, no scripts that access user devices or process personal data should run unless the required consent is obtained. Additionally, users must have unobstructed access to the website’s imprint and data protection declaration.
- The banner design should also clarify if consent is required for both TDDDG and GDPR purposes. Supervisory authorities indicate that a first-level rejection option may not always be necessary unless the banner blocks website content or requires user interaction to proceed. Consent banners must not hinder access to website content on smaller displays or mobile devices.
Concrete Design of Consent Banners
- There is no uniform standard for the visual design of consent banners, allowing for flexibility in colours, size, and contrast. However, designs must comply with the principles of effective consent under GDPR, avoiding inappropriate "nudging." Violations typically arise from combined design elements that undermine voluntariness or provide misleading information, trivialize the language, or overwhelm users with excessive information.
- Consent banners must clearly present all choices. For instance, the refusal option should be as visible and accessible as the consent option. Merely changing the colour of the refusal button without clear labelling or placement is insufficient. Options to refuse consent embedded within the body text of the banner or hidden elsewhere lack equivalence to prominently displayed consent buttons.
- If the first information layer of the cookie consent banner consists of an “Accept All” option to allow users to accept non-essential cookies, there must also be an equally prominent “Reject All” button on the same layer of the banner to allow users to reject cookies in the same manner. It is not acceptable that the first information layer contains an “Accept All” button and a “Settings” or a “Further Information” button with no option to reject non-essential cookies.
- Consent banners must let users identify and act on their choices easily, irrespective of screen size. Clear labelling, such as a “Continue without consent” button alongside a “Give consent” button, is necessary, and refusal buttons should be labelled concisely and clearly. Buttons with ambiguous labels such as “Settings or Reject”, or buttons that only lead to a further layer of the banner, are inadequate.
- Users must have the ability to access the website without having to accept non-essential cookies. This means that the end user must have equivalent alternative access to the website offered by the same website publisher without having to accept cookies. In this respect, the DSK published a decision in March 2023, in which it specified that a valid equivalent alternative access will offer, at the minimum, the same service for a fee that is customary in the market. If users subscribe to the payment model, only essential cookies can be placed on their terminal devices.
- Consent withdrawal must not require any additional effort from users and must be as easy as giving consent. Revocation options via other communication channels such as e-mail, fax or letter do not comply with this requirement. Consent withdrawal should also not require users to provide any further information to website operators, such as through a contact form.
In addition to the consent principles above, websites must ensure that any processing of personal data is lawful under the GDPR. The user’s choice regarding cookies and similar tracking technologies must be stored so that the consent banner is not presented again on every visit. Users need not be directly identified for this purpose; indirect verification of the individual may suffice.
The DSK has emphasized that extra care is needed when cookies or tracking technologies involve cross-border data transfers. EU personal data is frequently transferred to the US and other third countries without an adequacy decision via cookies or tracking technologies, without adequate data protection and without the cross-border transfer tools the GDPR requires. In such cases, data controllers cannot rely on the user’s consent as the sole basis for the transfer. Any service that involves a cross-border transfer without adequate data protection should therefore not be used.
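As an added illustration (not code from the DSK guidance or from Securiti), the consent-gating model the rules above imply, in plain JavaScript: no purpose is pre-set to active, each purpose is accepted or rejected separately, third-party tags load only for purposes that were explicitly accepted, withdrawal is a single call that asks for nothing further, and the stored choice suppresses the banner on later visits. The purpose names, tag URLs and stored-state format are assumptions.

```javascript
// Added example, not from the DSK guidance or Securiti. Purpose names,
// tag URLs and the stored-state format are assumptions for illustration.
const PURPOSES = ["analytics", "marketing", "personalisation"];
const TAGS = [ // constructed registry of third-party tags and their purpose
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "marketing" },
];
const mapPurposes = (f) => Object.fromEntries(PURPOSES.map((p) => [p, f(p)]));

// Initial state: no purpose pre-set to active and no decision recorded.
// Silence, scrolling or a pre-ticked box never changes this state.
function defaultConsent() {
  return { version: 1, decided: false, timestamp: null, purposes: mapPurposes(() => false) };
}
// Record an explicit per-purpose choice from a button click; anything not
// affirmatively set to true counts as rejected.
function decide(state, choices, now = Date.now()) {
  return { ...state, decided: true, timestamp: now, purposes: mapPurposes((p) => choices[p] === true) };
}
// "Accept All" and "Reject All" must sit on the same banner layer.
const acceptAll = (state, now) => decide(state, mapPurposes(() => true), now);
const rejectAll = (state, now) => decide(state, {}, now);

// Withdrawal is a single call, as easy as granting, and asks for no extra data.
function withdraw(state, purpose, now = Date.now()) {
  return decide(state, { ...state.purposes, [purpose]: false }, now);
}

// Gate: a tag may run only after an explicit decision that accepted its purpose.
function isAllowed(state, purpose) {
  return state.decided && state.purposes[purpose] === true;
}
function loadableTags(state, tags = TAGS) {
  return tags.filter((t) => isAllowed(state, t.purpose)).map((t) => t.src);
}

// Persist the choice so the banner is not shown on every visit; unreadable,
// unknown-version or undecided stored state falls back to "no decision".
const serialize = (state) => JSON.stringify(state);
function restore(json) {
  try {
    const s = JSON.parse(json);
    if (!s || s.version !== 1 || !s.decided || !s.purposes) return defaultConsent();
    return decide(defaultConsent(), s.purposes, s.timestamp);
  } catch (e) {
    return defaultConsent();
  }
}
const bannerNeeded = (state) => !state.decided;
```

In a real page the serialized state would be written to a first-party cookie or localStorage, and the tag loader would be called only from the code path that runs after `restore` or a button handler.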
Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements.
Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.