Cookies - TTDSG - Bundestag - new law
Today on 20.05.2021, the German Bundestag passed the new TTDSG that regulates the use and consent of cookies and any other information in the browser of the visitor. To note here are especially the fines that come into play here
The relevant passage in the TTDSG from the new § 25 reads:
The storage of information in the end-user's terminal equipment or access to information already stored in the terminal equipment is only permitted if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679.
Here is the PDF with the original text of the amendment that was finally voted - https://dip21.bundestag.de/dip21/btd/19/298/1929839.pdf - the § 25 can be found on page 56. This is a preliminary version that will still be replaced by a proofread version, as soon as it is available we will of course link it here.
This concerns beside Cookies of course also
- Local Storage,
- Session storage
- as well as database data
So all data that are stored in the browser.
Consent according to paragraph 1 is not required
- where the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
- where the storage of information in the terminal equipment of the end-user or the access to information already stored in the terminal equipment of the end-user is strictly necessary in order for the provider of a telemedia service to be able to provide a telemedia service explicitly requested by the user
High fines threaten in the new TTDSG
If website operators do not take this into account, there is a threat of high fines - up to EUR 300,000 can be imposed as fines. Presumably, this amount will only be imposed in individual cases, which is then at the discretion of the fine authority
§ 26 Rules on fines
(1) It is an administrative offence to wilfully or negligently ... stores or accesses information in contravention of section 25, paragraph 1, sentence 1.
(2) The administrative offence can be punished in the cases of the paragraph 1 number 2, 3, 9, 11, 12 and 13 with a fine up to three hundred thousand euro, .....
Again, this can be found in the aforementioned PDF, this time on pages 59 to 60 - https://dip21.bundestag.de/dip21/btd/19/298/1929839.pdf
What to do
As an operator, you need to make sure that no more data is set in visitors' browsers without explicit consent. For this you need CCM19, our tool permanently scans your site and effectively helps you to ensure that only data for which consent has been given is stored in the visitor's browser.
Is your website affected? Test it now for free!
You can test whether you are affected directly here with our Cookie Scanner. If cookies or other elements appear in the results that are not exclusively listed under the category "technically necessary", you need a cookie banner from CCM19
From when does this apply?
The law comes into force on 01.12.2021 - so there are still a few months until then to get the problem under control.
Extended management of consent
According to Section 26 of the new TTDSG, there are to be providers who are to manage consent across pages, for visitors to websites - so-called PIMS (Personal Information Management Systems). This quite sensible option should reduce the number of cookie banner displays and, over time, significantly reduce them.
The exact design is to be regulated in the course of the next few months by an additional regulation, CCM19 will in any case go through the application process as well as the expected interfaces to other providers to build both the operators and the visitors and of course the new law as optimally as possible to do justice and of course to give all our customers long-term security.
Basic question: Do website operators no longer need a cookie banner?
In fact, they need it more than ever - because of the fine situation you have to be very careful now. Even in cooperation with the above mentioned PIMS, there is no way to do without banners. For 2 different reasons.
1. There is always and will always be a certain percentage of visitors who do not use any of the PIMS, for whatever reason. For these a banner must be held out in spite of everything.
2. Site operators are obliged to take into account the settings of the PIMS, i.e. the settings of the end users must be taken into account when playing out the scripts and cookies. Since there will be quite a number of PIMS, you still need a corresponding manager that processes these data of the PIMS and in case of doubt then again requests data that are not specified by the settings of the PIMS.
3. In any case, it remains to be seen whether it is at all technically possible to present these consents across domains without losing one's own anonymity, i.e. whether the PIMS are at all feasible as the legislator had in mind.
In other words: For you as an operator, it will not be easier but much more complicated as long as you do not use a cookie banner software like CCM19.
Here you can find the PM of the Bundestag: https://www.bundestag.de/dokumente/textarchiv/2021/kw20-de-datenschutz-840228