After only three weeks of “law[es] On Regulating Data Protection and Privacy Protection in Telecommunications and Remote Communications Media” (TTDSG), the Conference on Independent Data Protection Oversight Bodies of Federal and State Governments, or the Data Protection Conference (DSK) for short, has a 33-page “Guidance Guide” […] for media providers from December 1, 2021.” It supersedes an earlier version of the TV Media Guide from 2019.
The term guidance aid should be taken literally. For all operators of “Terminal Equipment within the meaning of Clause 25 of the TTDSG”, this is a valuable guide on how to implement the new regulations in the TTDSG in practice. With them, the German data protection authorities also define the criteria that must be applied when checking compliance with legal requirements. However, it is ultimately only the courts that have the task of interpreting the requirements of the TTDSG. However, in doing so, they should be guided by the recommendations of the DSK.
It is not set in stone
Another warning Senior data protection officials put themselves first: “This guide is expressly subject to a future – and possibly different – understanding of relevant regulations by the European Data Protection Commission (EDSA), by relevant European case law and changes in the European legal framework. The topic of “Cookie Banners & Company” remains therefore There may still be changes in the future data protection authorities’ view of focus and detail.
The focus of the guidance manual is on privacy protection in terminal equipment in accordance with Section 25 TTDSG. Pursuant to Article 2 (2) No. 6 TTDSG, “Terminal Device” means any device connected directly or indirectly to a public telecommunications network interface to send, process or receive messages.
This regulation is rightly referred to as the ‘TTDSG Central Standard’. “In this regard, the regulation has been drafted in a technology-neutral manner, so that all technologies and processes by which information can be stored and read are recorded.” Getting there is under control.
More than just cookies
On the other hand, this makes it clear that Section 25 TTDSG does not only apply to cookies. Web storage objects, auto-update functions, and “access to hardware identifiers, advertising identification numbers, phone numbers, SIM serial numbers (IMSI), contacts, call lists, Bluetooth beacons or SMS connections” are also logged. It also reads the MAC address etc.
According to the help directive for the use of Internet browsers, user consent is not required for the public IP address of the terminal, the address of the accessed website (URL), the user agent string with the browser version, operating system and language set. However, reading the terminal device properties or creating a fingerprint actually requires approval.
DSK also states that so-called advertising cookies are only suitable for combining multiple consents if information is provided for all data processing purposes. If the information collected by cookies, for example, needs further processing, the consent must also include such “follow-up processing”.
The DSK lists the requirements for consent to process information according to Article 25 of the TTDSG as follows: “End user consent: within the end device, time of approval, notification of consent, unambiguous procedure and clear confirmation, depending on the specific case, voluntary expression of will” Possibility to withdraw Consent, which should be as simple as giving it.” The DSK particularly focuses on detailed questions such as how to give user consent effectively. There must be active action, and silence is not enough. This also applies to simply scrolling down or browsing a website as well as clicking above content.
Doing nothing is not consent!
When checking consents based on the TTDSG, according to the DSK, it depends on “how the buttons for granting consent and other action options are named and designed and what additional information is provided”. Agrees in this context that “In addition, end users can legitimately expect that they can simply remain inactive if they do not wish to consent”.
DSK critically evaluates cases in which the user is presented with two options for action. As an illustrative example, a frequently encountered situation is described where the user’s Accept All button and additional options such as “Settings”, “More Information” or “Details” are shown. This DSK is not legally compatible, because the “communication effect” of the two options is not equivalent.
The voluntary nature of consent is also very important. This is given only if no coercion is exercised on the user. “Such a compulsion can be assumed if a banner or other graphic element of a consent query blocks access to the website as a whole or parts of the content and the banner cannot simply be closed without a decision.”
DSK also takes a position on the use of consent management platforms: “Website operators have many configuration options, so that in no case are lawful consents obtained automatically by simply using CMP. The responsibility for the effectiveness of the consent obtained remains with the relevant provider. : Inside Media View”.
The famous exception to the rule
The router also handles exceptions to a user consent requirement, such as what is given for example when a “remote media service is provided”. It is not possible to determine whether the remote media service is explicitly requested by the user on the basis of “internal and personal situation” only. Strict standards also apply to the “absolutely necessary” requirement.
Only what is related to the “media service functionality” can be required in this sense. From the DSK’s point of view, the critical criteria for determining whether these two requirements are met in individual cases are summarized in the guidance aid in the form of a checklist.
The DSK also expresses itself in its guidance on the relationship between TTDSG and DSGVO: “Unlike the provisions of the DS-GVO, Article 25 of the TTDSG protects privacy and confidentiality when terminal equipment is used.” For the subsequent processing of personal data obtained via this terminal equipment, the General Data Protection Regulation (GDPR) regulations are in turn applied. Ultimately, this is consistent, as the TTDSG records all “information regardless of personal reference” and is therefore more far-reaching than the GDPR.
Once website operators not only set technically required cookies or access information only from end users’ devices, Section 25 of the TTDSG has recently come into force. Requirements for cookies, retrieving MAC addresses and ultimately all information on a user’s device are subject to new legal requirements. Senior data protection officials described how to interpret this in a guidance guide. Anyone noticing this should be protected from legal injustice at this point.
The fact that the guidelines are sometimes surprisingly strict becomes apparent when reading the guidance help at the latest. One thing is clear: cookie banners, which most internet users find annoying, aren’t going away anytime soon. On the contrary: the requirements are now more precise, which, in turn, form the basis of warnings, prohibitions, and the like.