At the turn of the year, we wrote about the ever increasing focus of European data protection authorities on ‘Cookies’, the importance of having good privacy notices and when you should be obtaining consent prior to dropping Cookies on users' devices. Whilst Europe moves ever closer to the adoption of a new ePrivacy Regulation, the focus on non-compliant Cookie use shows no sign of abating.
The German Telecommunications and Telemedia Data Protection Act (TTDSG)
In February 2021, the German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act which, amongst other things, was introduced to provide regulation on Cookies. Such legislation implements the EU Directives (particularly the ePrivacy Directive) into German national law. This follows the increase in attention placed on Cookies by data protection authorities to ensure that businesses act in accordance with the data protection rules relating to Cookies – in particular consent.
Oddly, the adoption of this legislation comes ahead of any finalised version of the much expected EU ePrivacy Regulation, and it is an interesting approach taken by the German Federal Cabinet, not least for how it deals with Cookies. Following recent European case law in this area, the legislation categorises Cookies into Cookies that require consent and Cookies that are strictly necessary to provide a telemedia service which the user has requested. Fundamentally, if the user has not consented or if the Cookie is not facilitating communication over a public telecommunications network, or the strictly necessary exception applies, then the business dropping the Cookies will be acting unlawfully.
Why is the German TTDSG important?
There are two main concerns around this:
- there is, in general, a growing trend of greater enforcement on compliance with Cookie rules; and
- the potential for different rules.
Greater enforcement on compliance with Cookie rules
Germany is not the only country to prioritise compliance with Cookie rules. Earlier this year, we wrote about the fines imposed upon Google and Amazon by the CNIL, the French data protection authority. Further to its enforcement action against Google and Amazon, the CNIL has announced that its three main enforcement priorities for 2021 include cybersecurity, security of health data, and Cookies.
In the UK, according to information published by the ICO, the number of complaints relating to Cookies has steadily increased year on year. Extensive guidance on Cookies and compliance with Cookie rules has been published by the ICO. Currently, the ICO has not chosen to prioritise compliance with Cookie rules, with the clear focus being on telemarketing; however, this does not mean that Cookies will not become a priority for the ICO in the future (nor, of course, does it mean any relaxation of compliance more generally).
Impact of differing rules on business
Due to the growing attention placed on compliance with Cookie rules across the EU, any electronic communications services business which has any UK or European (and indeed any other international) aspect to its services should evaluate their current use of Cookies to ensure they comply with the relevant data protection rules. In particular, electronic communications services businesses should ensure compliance with the upcoming ePrivacy Regulations (which will have extraterritorial extent and therefore remain of interest to those in the UK), particularly in relation to consent and Cookie notices. In addition, if your business has an establishment in Germany, you may also need to comply with the TTDSG (which has a more restrictive set of exceptions with regards to Cookies).
How can we help?
For further information on Cookie notices and obtaining consent from users to place Cookies, please get in touch with our specialist GDPR & Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.