
Cookies - TDDDG - Bundestag - new law

Here you will learn which new obligations the TDDDG imposes on you as a website operator when you use cookies, tracking scripts and other scripts, how extremely high the fines for violations can be, and how you can get a grip on the problem.

The impact should not be underestimated: most importantly, the "legitimate self-interest" no longer exists in this form, and that can quickly become very expensive. Read on for the details.

The most important passage in the TDDDG in § 25 reads:

The storage of information in the end user's terminal equipment or access to information already stored in the terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information. The information to the end user and the consent shall be provided in accordance with Regulation (EU) 2016/679.

Note: Regulation (EU) 2016/679 is the GDPR. The PDF with the original text of the amendment that was finally voted on is available at https://dip21.bundestag.de/dip21/btd/19/298/1929839.pdf - § 25 can be found on page 56. This is a preliminary version that will be replaced by a proofread version; as soon as that is available, we will of course link it here.

Besides cookies, this of course also concerns:

  • local storage,
  • session storage,
  • as well as database data.

In other words, all data that is stored in the browser.

According to § 25, consent is not required:

  1. if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message over a public telecommunications network, or
  2. if the storage of information in the end user's terminal equipment or the access to information already stored in the end user's terminal equipment is strictly necessary in order for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

The new high fines in the TDDDG

Website operators who fail to take this into account face high fines: up to EUR 300,000 can be imposed. Presumably, this amount will only be imposed in individual cases, which is at the discretion of the authority responsible for fines.

§ 26 Rules on fines

(1) It shall be an administrative offense for anyone who intentionally or negligently ... stores or accesses information in contravention of the first sentence of Section 25 (1).

(2) The administrative offense may in the cases of paragraph 1 number 2, 3, 9, 11, 12 and 13 with a fine of up to three hundred thousand euros, ....

Again, this can be found in the aforementioned PDF, this time on pages 59 to 60 - https://dip21.bundestag.de/dip21/btd/19/298/1929839.pdf

What to do

As an operator, you need to make sure that no data is stored in visitors' browsers without explicit consent. For this you need CCM19: our tool permanently scans your site and effectively helps you ensure that only data for which consent has been given is stored in the visitor's browser.

Is your website affected? Test it now for free!

To find out whether this concerns you, you can test your site directly here with our Cookie Scanner. If cookies or other elements appear in the result that are not listed exclusively under the category "technically necessary", you need a cookie banner from CCM19.

When does it apply?

The law comes into effect on 01.12.2021 - so there is not much time left until then to get the problem under control.

According to Section 26 of the new TDDDG, there are to be providers that manage consent across websites on behalf of visitors - so-called PIMS (Personal Information Management Systems). This perfectly sensible option is intended to reduce the number of cookie banners displayed and to cut them back significantly over time.

The exact design is to be regulated over the next few years by an additional regulation. The technical and legal requirements will probably not be available until 2023/24.

In fact, you need a cookie banner more than ever, because the fines mean you now have to be very careful. Even in combination with the PIMS mentioned above, there is no way to do without banners, for 3 important and obvious reasons.

1. There is and always will be a certain percentage of visitors who do not use any PIMS, for whatever reason. For these visitors, a banner must still be provided.

2. Site operators are obliged to respect the settings of PIMS, i.e. the end users' settings must be taken into account when delivering scripts and cookies. Since there will be quite a number of PIMS, you still need a corresponding manager that processes the data from the PIMS and, in case of doubt, requests any consent that is not covered by the PIMS settings.

3. It remains to be seen whether it is technically possible at all to pass these consents across domains without users losing their anonymity, i.e. whether PIMS are feasible at all in the way the legislator had in mind.

In other words: for you as an operator it will not become easier, but much more complicated, unless you use suitable cookie banner software like CCM19.

