On 30th November 2022, the German Data Protection Conference (DSK) published an Updated Guide on the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG).
The new Federal Act of Germany incorporates Article 5(3) of the e-Privacy Directive into the national law that requires data controllers, including telecommunications service providers and Telemedia services providers, to obtain the data subject’s consent prior to the use of non-essential cookies and similar tracking technologies.
The DSK has clarified that the end user’s prior consent is required for the storage of information or access to existing information in the end user’s terminal equipment. This includes the use of cookies, spyware, web bugs, hidden identifiers, and similar tracking technologies that can access information or trace user activity with the exception of strictly necessary cookies and technologies. Such consent must be freely given, specific, informed, and unambiguous as per the requirements of the GDPR and e-Privacy Directive.
Let’s look into a quick overview of the consent requirements highlighted by the DSK that will help websites ensure compliance and design cookie consent banners as per the requirements of the TTDSG:
- The end user’s consent must be obtained prior to the activation of cookies and not when non-essential cookies have already been set or activated on the website.
- Prior to obtaining their consent, end users must be informed of the purposes of data processing, the functional duration of cookies, whether third parties can gain access to their information, the possibility of revoking consent, and that such revocation will not affect the lawfulness of data processing that took place prior to the revocation.
- All information must be communicated to the end user in an easily accessible, transparent, comprehensible and sufficiently recognizable manner. Further, there should not be any contradictions between the information provided to the end users on consent banners and that specified in the platform’s privacy policy.
- The data subject’s silence or inaction, pre-selected checkboxes, or scrolling or browsing through the website content and similar actions do not constitute valid consent as these are not indications of affirmative action on the part of end users.
- Texts such as “Agree”, “I Consent”, and “Accept” can be stated on cookie consent banners to accept non-essential cookies provided the accompanying text of the banner clearly states what specifically the consent is given for. Terms such as “Okay” are not considered appropriate on the cookie consent banner as this term does not constitute an unambiguous declaration by the data subject of his/her choice with respect to the use of cookies.
- It must be possible for website users to continue browsing the website without any unnecessary interruption of the service due to the cookie consent banner. If the cookie consent banner blocks access to the website content, the data subject should be able to reject cookies without any additional clicks (compared to when accepting cookies). Moreover, the cookie consent banner should not hinder access to the company's privacy policy on the webpage.
- If the first information layer of the cookie consent banner consists of an “Accept All” option to allow users to accept non-essential cookies, there must also be an equally prominent “Reject All” button on the same layer of the banner to allow users to reject cookies in the same manner. It is not acceptable that the first information layer contains an “Accept All” button and a “Settings” or a “Further Information” button with no option to reject non-essential cookies.
- The data subject’s consent should be obtained for specific purposes. They should be provided sufficient information about all purposes for which consent is asked and they must be able to accept or reject each purpose separately.
- If the first information layer of the cookie consent banner contains a button that enables users to give consent for all processing purposes, the first layer should then also provide concrete information about all such purposes - generic, vague or general statements such as “cookies are used for the improvement of the user’s experience” are not permitted.
- Data subjects must have the ability to access the website without having to accept non-essential cookies. This means that the end user must have equivalent alternative access to the website offered by the same website publisher without having to accept cookies. In this respect, the DSK published a decision in March 2023, in which it specified that a valid equivalent alternative access will offer, at the minimum, the same service for a fee that is customary in the market. If users subscribe to the payment model, only essential cookies can be placed on their terminal devices.
- Consent withdrawal must not require any additional effort from users and must be as easy as giving consent. Consent withdrawal should also not require users to provide any further information to website operators, such as through a contact form.
In addition to the above consent principles, websites must ensure that personal data processing is lawful and as per the requirements of the GDPR. The user’s choice with respect to cookies and similar tracking technologies must be stored so that the cookie consent banner is not presented to the user again and again. It is not necessary that users are directly identified for this purpose - indirect verification of individuals may also suffice.
The DSK has emphasized that extra care must be adopted while using any cookies or tracking technologies that are involved in cross-border data transfers. It is often observed that EU personal data is being transferred to the US and other inadequate third countries via cookies or tracking technologies without any adequate data protection or implementation of cross-border data transfer tools as required under the GDPR. In such instances, data controllers cannot rely on the user’s consent as the sole basis of the transfer of their data. Therefore, any service that involves cross-border data transfer without adequate data protection should not be used.
Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements.
Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.
