Given those enforcement developments, and in addition to the complex issues around international data transfers (which certainly play a role in the context of cookies but are not covered in this cookie update), companies doing business in Germany should consider three cookie-related developments in Germany. First, the new cookie rules in the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz, “TTDSG”) came into effect on 1 December 2021. Second, the German Supervisory Authorities (Datenschutzkonferenz, DSK) have published an updated version of their guidance for telemedia service providers, which includes guidance on cookies (Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von Telemedien ab dem 1. Dezember 2021, available in German only, the “New Cookie Guidance”). Most recently, the DSK has requested comments on the New Cookie Guidance by 15 March 2022, emphasizing, however, that although the consultation procedure serves to review and amend the New Cookie Guidance, it does not affect its enforcement by the Supervisory Authorities. Third, the Wiesbaden Administrative Court has held, not surprisingly, that the international data transfer requirements also apply in the context of cookies (this decision has, however, already been lifted for procedural reasons).
1. New Cookie Rules under the TTDSG in Germany
- Section 25 (1) TTDSG: Storing information in the end user’s terminal equipment, or gaining access to information already stored in the end user’s terminal equipment, is only allowed if the end user has consented on the basis of clear and comprehensive information. The information provided to the end user and the consent must comply with the requirements of the EU General Data Protection Regulation (GDPR).
- Section 25 (2) TTDSG: Consent pursuant to paragraph (1) is not required if
- the sole purpose of storing information in the end user’s terminal equipment, or of gaining access to information already stored in the end user’s terminal equipment, is to carry out the transmission of a communication over a public telecommunications network, or
- storing information in the end user’s terminal equipment, or accessing information already stored in the end user’s terminal equipment, is strictly necessary for the provider to make available a telemedia service that the user has explicitly requested.
2. New Cookie Guidance
What the New Cookie Guidance is about and why you should be aware of it
The New Cookie Guidance provides, among other things, insight into
- the scenarios in which section 25 TTDSG applies,
- the DSK’s requirements for valid consent pursuant to section 25 (1) TTDSG for the use of Cookie-like Technology,
- the DSK’s interpretation of the consent exceptions for Cookie-like Technology pursuant to section 25 (2) TTDSG, and
- the DSK’s interpretation of the requirements for the subsequent processing of personal data collected through Cookie-like Technology, since such personal data will then be subject to the requirement of a legal basis under the GDPR.
What applies when – interplay of TTDSG and GDPR
In light of article 95 GDPR (see also EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, Rc 37, for details), the mere use of Cookie-like Technology is governed solely by section 25 TTDSG. As summarized above, the TTDSG provides for only two legal bases for the use of Cookie-like Technology: either consent pursuant to section 25 (1) TTDSG or an exception from the consent requirement pursuant to section 25 (2) TTDSG. In particular, the TTDSG does not provide for a balancing-of-interests test that would permit the use of Cookie-like Technology without consent.
Following the collection of information through Cookie-like Technology from an end user’s terminal equipment, such information is typically further processed by the provider or a third party. Such subsequent processing will be subject to the GDPR, to the extent the information collected from the end user’s terminal equipment qualifies as personal data (“Subsequent Processing”).
When does section 25 TTDSG apply
Section 25 TTDSG is technology-neutral. The definition of end user terminal equipment is broad and includes not only laptops and smartphones but also IoT devices, such as smart TVs, smart home appliances, alarm systems and connected cars. Furthermore, it covers not only cookies but also similar technologies, such as spyware, web bugs and hidden identifiers, as well as any other method of obtaining information from the end user’s device, including access to the device ID, advertising ID, IMSI, contact details or MAC address. Moreover, automatic remote software or hardware updates can result in the storage of information on the end user’s device and thereby trigger the consent requirement of section 25 TTDSG.
Not covered by section 25 TTDSG is the processing of data that the end user’s terminal transmits automatically when accessing a telemedia service (such as a website). Such data typically includes the public IP address, URL, browser type and operating system or language settings.
Section 25 TTDSG is not limited to personal data; it applies equally where non-personal data is concerned.
Requirements for valid consent pursuant to section 25 (1) TTDSG
Section 25 (1) TTDSG does not stipulate its own consent requirements. Instead, it refers to the GDPR (articles 6 (1) (a), 7 and 8 GDPR). The DSK re-emphasizes the requirements for valid consent in the cookie context as identified by the Court of Justice of the European Union and the EDPB and specifies them further. In particular:
- Consent requires prior disclosure of detailed information about the Cookie-like Technology, inter alia who accesses the end user’s terminal equipment (or rather, the data on it), how, for which purposes, the lifespan of the Cookie-like Technology, potential access by third parties, as well as any Subsequent Processing activities including their respective purposes.
- Information in the cookie consent banner must be aligned with the information contained in the respective privacy / cookie notice and vice versa, in particular with respect to the legal basis.
- Layered approaches are possible, but the DSK has certain expectations as to what information needs to be provided on which layer and on which layer the consent button must be presented.
- Clicking accept on the first layer of a cookie consent banner does not result in valid consent if the actual choices for the types of cookies (i.e. which types of cookies are consented to by the click on the first layer) are “hidden” on the second layer.
- Consent requires an unambiguous and clear affirmative action by the end user. Continued use of the website or an opt-out approach cannot amount to such an affirmative action.
- Dark patterns that require users to take extra steps before being able to use a service without enabling all Cookie-like Technologies are incompatible with an unambiguous and clear affirmative act by the user, since the user is not given an equally clear option not to accept all Cookie-like Technology. The implementation of such dark patterns will also affect the assessment of whether consent was freely given.
- Denying consent must be as easy as giving consent (for practical relevance, see the CNIL’s decision mentioned earlier). Withdrawing consent must be as easy as giving consent in the first place.
- It is possible to bundle the TTDSG and GDPR consent together if the consent language makes it sufficiently clear which processing activities are covered by which legal framework.
Exceptions to the consent requirement pursuant to section 25 (2) TTDSG
The consent exceptions in section 25 (2) TTDSG follow the rather restrictive language of article 5 (3) of the ePrivacy Directive quite closely. Thus, the key question remains – what is strictly necessary to make the telemedia service available to the user upon its explicit request?
The most important aspects are:
- The DSK requires a granular view as to what the user requested. Opening a website does not mean that the user has thereby requested to use all features and sub-pages of that website.
- Strictly necessary is to be understood in a technical, not in an economic, sense.
- Even if the use of Cookie-like Technology is strictly necessary, this is not absolute; limitations regarding when, for how long, what and for whom remain applicable.
- Strictly necessary Cookie-like Technology will typically be limited to one session.
- Storing a unique identifier (cookie UID) will, in most cases, not be necessary.
- The DSK explicitly refrained from mentioning examples of Cookie-like Technology that fall under section 25 (2) TTDSG and do not require consent.
Subsequent Processing of personal data on GDPR legal bases
The Subsequent Processing of personal data that has been collected by means of Cookie-like Technology falls under the GDPR. Hence, controllers must be able to rely on one of the legal bases under the GDPR and, accordingly, inform users about these processing activities pursuant to articles 12 et seq. GDPR.
In practice, three legal bases are the most important in this context: consent (article 6 (1) (a) GDPR), performance of a contract (article 6 (1) (b) GDPR) and overriding legitimate interest (article 6 (1) (f) GDPR):
- As a rule of thumb, if the Cookie-like Technology requires consent under the TTDSG, the Subsequent Processing will typically also require consent under the GDPR.
- If an exception under section 25 (2) TTDSG applies, in particular for strictly necessary Cookie-like Technology, the legal basis for the Subsequent Processing will typically be article 6 (1) (b) GDPR or article 6 (1) (f) GDPR.
- Where Subsequent Processing requires consent under the GDPR, such consent can be bundled with the consent for the use of the Cookie-like Technology and obtained via the cookie consent banner. The wording of the cookie consent banner must be drafted very carefully to cover all aspects.
3. Wiesbaden Administrative Court
The New Cookie Guidance touches very briefly on the issue of international data transfers in the context of cookies and emphasizes that, in addition to the requirements summarized above, the requirements for international data transfers may apply. The complexity of this requirement was recently highlighted by a preliminary ruling of the Wiesbaden Administrative Court, which held in the specific case that the defendant, a website operator, was violating the GDPR because it used a cookie management tool that relied on the services of a U.S.-based hosting provider and could not demonstrate compliance with the international data transfer requirements. The decision has since been lifted by the Hessian Higher Administrative Court for procedural reasons, and the matter will now be assessed in the main proceedings. The outcome of the main proceedings will hopefully shed some light on the requirements for international data transfers in the context of cookies.
In the New Cookie Guidance, the DSK takes the view that end-user consent cannot serve as the permission under article 49 (1) (a) GDPR for international data transfers in the cookie context, because such transfers are regular and repetitive rather than occasional.
Also worth considering are the EDPB’s guidelines on article 3 GDPR and its interplay with Chapter V GDPR, in particular the notion that the rules for international data transfers do not apply if a controller located outside the EU collects the data directly from the data subject. For third-party cookies dropped by a non-EU provider, this could mean that the international data transfer rules do not apply, because the third party placing the cookie collects the data directly from the end user’s terminal equipment rather than receiving it by transfer from the website operator.
Osborne Clarke comment
Following the TTDSG and the New Cookie Guidance, website operators should:
- Re-assess the categorization of their Cookie-like Technology in light of section 25 TTDSG to determine to what extent consent is required;
- Assess the legal basis under GDPR for any Subsequent Processing and where necessary document a legitimate interest assessment;
- Revisit the set-up and the entire information and consent wording of the cookie consent banner to ensure it meets the requirements established by the DSK in the New Cookie Guidance;
- Update the website privacy and cookie notice to properly reflect the use of Cookie-like Technology and the legal basis for processing any personal data in Subsequent Processing;
- Analyse whether third-party cookies fall outside the international data transfer rules of the GDPR because the third party collects the data directly from the end user’s terminal equipment (see the EDPB’s guidance on article 3 GDPR), or whether they instead result in a transfer that must be justified.