On 30th November 2022, the German Data Protection Conference (DSK) published an Updated Guide on the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG).
The new Federal Act of Germany incorporates Article 5(3) of the e-Privacy Directive into national law. It requires data controllers, including telecommunications service providers and Telemedia service providers, to obtain the data subject’s consent prior to the use of non-essential cookies and similar tracking technologies.
Here is a quick overview of the consent requirements highlighted by the DSK that will help websites ensure compliance and design cookie consent banners as per the requirements of the TTDSG:
- The end user’s consent must be obtained prior to the activation of cookies and not when non-essential cookies have already been set or activated on the website.
- Prior to obtaining their consent, end users must be informed of the purposes of data processing, the functional duration of cookies, whether third parties can gain access to their information, the possibility of revoking consent, and that such revocation will not affect the lawfulness of data processing that took place prior to the revocation.
- The data subject’s silence or inaction, pre-selected checkboxes, or scrolling or browsing through the website content and similar actions do not constitute valid consent as these are not indications of affirmative action on the part of end users.
- If the first information layer of the cookie consent banner contains an “Accept All” option to allow users to accept non-essential cookies, there must also be an equally prominent “Reject All” button on the same layer of the banner to allow users to reject cookies in the same manner. It is not acceptable for the first information layer to contain an “Accept All” button and a “Settings” or “Further Information” button with no option to reject non-essential cookies.
- The data subject’s consent should be obtained for specific purposes. They should be provided sufficient information about all purposes for which consent is asked and they must be able to accept or reject each purpose separately.
- If the first information layer of the cookie consent banner contains a button that enables users to give consent for all processing purposes, the first layer should then also provide concrete information about all such purposes - generic, vague or general statements such as “cookies are used for the improvement of the user’s experience” are not permitted.
- Data subjects must have the ability to access the website without having to accept non-essential cookies. This means that the end user must have equivalent alternative access to the website offered by the same website publisher without having to accept cookies. In this respect, the DSK published a decision in March 2023, in which it specified that a valid equivalent alternative access will offer, at a minimum, the same service for a fee that is customary in the market. If users subscribe to the payment model, only essential cookies can be placed on their terminal devices.
- Consent withdrawal must not require any additional effort from users and must be as easy as giving consent. Consent withdrawal should also not require users to provide any further information to website operators, such as through a contact form.
In addition to the above consent principles, websites must ensure that personal data processing is lawful and as per the requirements of the GDPR. The user’s choice with respect to cookies and similar tracking technologies must be stored so that the cookie consent banner is not presented to the user repeatedly. It is not necessary that users are directly identified for this purpose - indirect verification of individuals may also suffice.
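As an added example, not part of the DSK guide or of Securiti’s product, the following JavaScript sketches how a site can technically enforce the requirements above: non-essential cookies are gated on an explicit per-purpose decision, silence or an unknown record never counts as consent, withdrawal is a single call that also clears the affected cookies, and the stored choice carries no user identity. The purpose catalogue, cookie names and function names are constructed for illustration.

```javascript
// Added example (not from the DSK guide or Securiti): a minimal per-purpose
// consent gate for non-essential cookies. All names below are assumptions.

// Constructed purpose catalogue. Each non-essential purpose is described
// concretely, with its cookie lifetime and third-party access, so the first
// banner layer can show this instead of a generic "improves your experience".
const PURPOSES = {
  analytics: { label: "Reach measurement (first-party analytics cookie)", durationDays: 90, thirdParty: false },
  marketing: { label: "Ad personalisation (cookie shared with an ad network)", durationDays: 365, thirdParty: true },
};

// Essential cookies (here only the session id) need no consent and are never gated.
const ESSENTIAL = new Set(["session"]);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Build a consent record only from an affirmative action. "save_selection" takes
// per-purpose decisions; anything not explicitly set to true counts as rejected,
// so there are no pre-selected defaults. Scrolling or closing the banner are not
// actions this function accepts.
function makeConsent(decisions, action, now = Date.now()) {
  const actions = {
    accept_all: () => true,
    reject_all: () => false,
    save_selection: (p) => decisions[p] === true,
  };
  // hasOwn rather than `in`, so "constructor" etc. cannot pass as an action.
  if (!hasOwn(actions, action)) throw new Error(`"${action}" is not an affirmative consent action`);
  const purposes = {};
  for (const p of Object.keys(PURPOSES)) purposes[p] = actions[action](p);
  return { version: 1, timestamp: now, action, purposes };
}

// The banner must be shown whenever no valid record exists; absence of a
// record never implies consent.
function needsPrompt(record) {
  return !record || typeof record.purposes !== "object" || record.purposes === null;
}

// Decide whether a cookie may be set: essential cookies always, non-essential
// ones only when their purpose was explicitly accepted.
function isAllowed(record, cookieName, purpose) {
  if (ESSENTIAL.has(cookieName)) return true;
  if (needsPrompt(record) || !hasOwn(PURPOSES, purpose)) return false;
  return record.purposes[purpose] === true;
}

// Wrapper around cookie setting (jar is any Map-like store) that refuses to
// set a non-essential cookie before consent, instead of setting then deleting.
function setCookieIfAllowed(jar, record, cookieName, value, purpose) {
  if (!isAllowed(record, cookieName, purpose)) return false;
  jar.set(cookieName, value);
  return true;
}

// Withdrawal is one call and asks the user for nothing further; it also deletes
// the cookies that served the withdrawn purpose. Processing before withdrawal
// stays lawful, so the original timestamp is kept next to the withdrawal time.
function withdraw(record, purpose, jar, cookiesForPurpose, now = Date.now()) {
  const updated = { ...record, purposes: { ...record.purposes, [purpose]: false }, withdrawnAt: now };
  for (const name of cookiesForPurpose) jar.delete(name);
  return updated;
}

// Persist the choice so the banner is not shown repeatedly. The stored value
// holds only decisions and timestamps, no identity; parsing rejects anything
// malformed so a damaged or tampered value simply leads to prompting again.
function serializeConsent(record) {
  return JSON.stringify(record);
}
function parseConsent(raw) {
  try {
    const r = JSON.parse(raw);
    return needsPrompt(r) ? null : r;
  } catch {
    return null;
  }
}
```

In a real deployment the serialized record would be written to a first-party consent cookie or to local storage, and every script that sets a non-essential cookie would be loaded only after `isAllowed` returns true for its purpose.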
The DSK has emphasized that extra care must be taken when using any cookies or tracking technologies that involve cross-border data transfers. It is often observed that EU personal data is transferred to the US and other third countries without an adequacy decision via cookies or tracking technologies, without adequate data protection or the cross-border data transfer tools required under the GDPR. In such instances, data controllers cannot rely on the user’s consent as the sole basis for the transfer of their data. Therefore, any service that involves cross-border data transfer without adequate data protection should not be used.
Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements.
Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.