In Germany, the use of cookies is tightly regulated to safeguard user privacy and data rights. German guidelines set out specific rules that businesses and website operators must follow when employing cookies. This article walks through the key requirements so that cookie usage can be understood within the German legal framework. It combines the requirements mandated by:
- the guidelines of the Datenschutzkonferenz (DSK), the conference of the German federal and state data protection authorities (published in German), addressing Section 25 of the TTDSG
Scope of the guidelines
If only non-personal data is involved, only the TTDSG applies. When personal data is involved as well, both the TTDSG and the GDPR apply: the TTDSG governs storing information on, or accessing information from, the user’s device, while the GDPR governs any further processing of the personal data.
Germany’s cookie consent requirements
The cornerstone of using cookies as per German guidelines is obtaining clear and direct approval from users. As outlined in Section 25 of TTDSG (which implements the cookie consent requirements of the EU ePrivacy Directive), any action involving the storage or retrieval of information on a user’s device, which includes cookies, requires explicit consent from the user. The validity of the consent is determined by the following factors:
- Freely given: Do not coerce users into giving consent. Give them a real and free choice to do so.
- Informed: Transparently communicate the purpose and scope of data collection associated with cookies, ensuring users are fully aware of what they agree to. Users should be notified about the parties accessing their device, the form and purpose of access, the duration of cookie storage, and any third-party involvement.
- Specific: Consent should be specific to the purpose. If there are multiple purposes, each of them should have separate, distinguished consent requests.
- Unambiguous: Users should be able to actively consent to the use of their data with their full knowledge; there shouldn’t be any hidden or ambiguous means of collecting consent.
Let’s look at the specific requirements in detail:
Time of consent
Before placing any cookies on a device, it’s crucial to ask for the user’s consent. Avoid setting cookies without getting their permission first.
Affirmative and unambiguous action
- Obtaining consent for data processing activities, such as cookie usage, must involve clear and explicit actions by the user that leave no room for ambiguity.
- Silence, pre-selected options, or user inactivity cannot serve as valid forms of consent. Likewise, merely using a website or app—engaging in actions like scrolling, clicking, or exploring content—does not equate to effective consent for data access or storage on a user’s device.
Clear accept and reject choices
- The language used for consent options, such as “Agree” or “Accept,” should be straightforward and accompanied by clear and concise information about the specific data processing that the consent covers. A term like “Okay” will not be treated as valid consent, as it does not indicate an unambiguous action.
- Present users with equally easy choices for giving or rejecting consent; otherwise the consent will be deemed invalid. The two options should therefore have equal prominence on the cookie banner.
- Vague or unclear language that might confuse users about the nature of the consent they are providing is not acceptable. Additionally, combining affirmative options like “Accept all” with less prominent alternatives such as “Settings” or “Details” could potentially lead to invalid consent.
Layered approach requirements
- Consent banners can offer multiple layers of information. Users can access detailed information by clicking on a button or link in the first banner level, leading to the second layer.
- Providing vague initial information is inadequate. If the first layer has a consent button, it must include specific details about the reasons for data collection.
- Clicking “accept” on the initial layer isn’t valid consent if detailed cookie information and separate consent choices are only available in the second layer. The availability of these additional choices must be clearly presented in the first layer.
- The first layer should allow rejecting cookies as easily as accepting them.
- It’s important for the first layer to sufficiently explain why consent is necessary.
Cookie walls and alternatives
- The use of cookie walls is generally not allowed, as they violate the principle of “voluntary consent.” However, it’s acceptable if the website provides a “reject cookies” button that closes the notification (without additional clicks) and allows users to continue navigating the site.
- Alternatively, certain websites may implement “paywalls” – granting access to the website without requiring cookie acceptance, for a fee. The requirement to provide users with clear information still applies.
Bundled consent (combining TTDSG and GDPR consent) is allowed as long as websites are transparent about what they do with the data collected upon consent. And, when requesting such consent, it should be clear to users that they are agreeing to multiple things at once.
Use of third-party cookies
The German guidelines do not put a strong emphasis on identifying and listing third-party entities. However, they do state that if third parties are able to access data, this must be disclosed. Furthermore, a website must not be operated in a way that bypasses technical settings that users have activated on their devices to protect their personal data, such as blocking third-party cookies or the “Do Not Track” feature.
Freedom to withdraw consent
Proof of consent
Store the granted consent for verification purposes, i.e. to show evidence of consent obtained. Subsequent visits should not prompt the consent banner again, and the consent data should be securely retained. The law, however, doesn’t specify how long the cookie consent should last.
Cookie consent exemption
Consent is not required
- when the only purpose of storing or accessing information on the user’s device is to send a communication over a public telecommunication network.
- if storing or accessing information on the user’s device is strictly necessary for the provider to offer a Telemedia service that the user explicitly requested. This means cookies that are strictly necessary for a website are exempt from requiring consent.
Consent is also not required if the processing is necessary to protect the legitimate interests of the business or of third parties, but only where those interests outweigh the rights and freedoms of the individual.
Complying with German cookie consent rules: a checklist
- Add a cookie banner to the website to obtain user consent to use tracking cookies
- Obtain consent before placing cookies on the user’s device
- Ensure the consent notice uses clear language to describe the type and purpose of cookies and the implications of accepting or rejecting them
- Avoid using pre-selected checkboxes or pre-enabled options for cookie consent
- Provide a close button on the cookie banner for easy dismissal without extra clicks
- Clearly distinguish between the “accept” and “reject” buttons on the banner
- Offer a consent option for each category of cookies
- Record consent only when the user clicks the accept button; closing the banner or inactivity does not indicate opt-in consent
- Enable users to revoke consent as effortlessly as granting it
- Utilize content-blocking banners only if they can be dismissed in one step
- Do not display the banner to returning users who have previously given consent
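A small consent-gating module that applies this checklist in page code, added here as an illustration (it is not the page’s or CookieYes’s code). The injected cookie jar, the category names, the “consent_record” cookie and its record format are assumptions made for the example.

```javascript
// Added example, not CookieYes code: consent gating that implements the checklist above. The jar is
// injected so this runs outside a browser; category names, "consent_record" and its format are assumed.
const CATEGORIES = ["necessary", "analytics", "marketing"];
class ConsentManager {
  constructor(jar) {          // jar: { get(name), set(name, value), remove(name) }
    this.jar = jar;
    this.queue = [];          // non-essential cookies requested before any decision
    this.placed = {};         // category -> names of cookies set under that consent
  }
  // Proof of consent: written only by decide(), i.e. on an explicit button click.
  record() { const raw = this.jar.get("consent_record"); return raw ? JSON.parse(raw) : null; }
  // Returning users with a recorded decision must not see the banner again.
  shouldShowBanner() { return this.record() === null; }
  // Wired only to the Accept/Reject buttons. Categories default to false, so nothing
  // is pre-selected, and closing, scrolling or inactivity never reaches this method.
  decide(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" || choices[c] === true;
    this.jar.set("consent_record", JSON.stringify({ granted, at: Date.now() }));
    for (const c of CATEGORIES) if (!granted[c]) {   // withdrawal: delete cookies no longer consented to
      for (const name of this.placed[c] || []) this.jar.remove(name);
      delete this.placed[c];
    }
    const pending = this.queue; this.queue = [];      // release cookies held back until now
    for (const [name, value, cat] of pending) this.trySet(name, value, cat);
  }
  rejectAll() { this.decide({}); }   // one click, same prominence as "Accept all"
  withdraw() { this.decide({}); }    // revoking is as easy as granting
  allowed(cat) {
    if (cat === "necessary") return true;   // strictly necessary cookies are exempt from consent
    const rec = this.record();
    return rec !== null && rec.granted[cat] === true;
  }
  // The only path page code uses to set cookies; undecided requests are queued, not set.
  trySet(name, value, cat) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    if (this.allowed(cat)) {
      this.jar.set(name, value);
      (this.placed[cat] = this.placed[cat] || []).push(name);
      return true;
    }
    if (this.record() === null) this.queue.push([name, value, cat]);
    return false;
  }
}
// Constructed in-memory jar standing in for document.cookie in a stand-alone run.
function memoryJar() {
  const m = new Map();
  return { get: n => (m.has(n) ? m.get(n) : null), set: (n, v) => m.set(n, v), remove: n => m.delete(n), has: n => m.has(n) };
}
```

In a real page the jar would wrap document.cookie and the banner’s buttons would call decide(), rejectAll() and withdraw(); closing the banner calls nothing, so no record and no non-essential cookie results from it.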
How does CookieYes help you comply with cookie laws?
CookieYes provides an all-in-one cookie consent management platform to add a GDPR and TTDSG-compliant cookie banner with:
- Customizable consent notice with clear Accept/Reject buttons
- Option to add a close button
- Granular consent options and consent withdrawal
- Consent logs for compliance
- Auto-translation to German
- Scans the site to identify third-party cookies and blocks them until consent is given
- Google-certified CMP for IAB TCF v2.2 compliance