German Consent Management Ordinance (EinwV): Latest on Evolving Cookie Compliance

Einwilligungsverwaltungsverordnung (EinwV), also known as the German Consent Management Ordinance is introduced as a potential sea change in how user consent is handled. It aims to simplify the online experience and cut through the repetitiveness of cookie banners. Let’s chart a course through its key aspects and what it means for consent management.

Rooted in Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG), Germany’s Consent Management Ordinance (EinwV) lays the groundwork for approved consent management providers.

Imagine these as central hubs where users can save and manage their consent preferences once and have them respected across participating websites. Approved by both the Bundestag and Bundesrat, it’s set to take effect on April 1, 2025.

The TDDG has proposed authorised consent management services that can collect and store consent preferences from consumers as a one-time action. What should businesses know about these approved consent management providers? Let’s find out.

• Choice, not command: Adopting these authorised consent managers isn’t mandatory for websites. Yet, it is good for businesses to know how EinwV might shape consumer expectations and future norms.
  
• No need to change cookies policies: Companies are not yet obliged to change their cookie management tools as long as these tools comply with the requirements of Section 25 of the TDDDG and the GDPR.
  
• Power to the user: User control is the core of this Ordinance. That is, consent services must be open, simple to use, and give users easy routes to change or take back their consent.
  
• GDPR’s position: The EinwV works alongside the GDPR, not instead of it. The GDPR’s data protection rules would still stay front and centre.
  
• The seal of approval: The German data protection authority (BfDI) will “approve” consent platforms meeting strict standards for data safety and rule-following. They will be known as consent management services.
  

Who does the German Consent Management Ordinance affect? 

The Ordinance affects organisations offering goods and services in Germany or collecting any information from Germans. This means it even affects businesses outside the country. However, businesses have the choice of whether to implement EinwV.

The EinwV seeks to enhance the user experience for individuals accessing digital services, such as website visitors, by diminishing the prevalence of recurring cookie consent banners. It introduces a centralised consent management system, conceptually similar to a universal opt-out signal, but designed to facilitate opt-ins. However, this methodology introduces certain legal ambiguities. 

Specifically, there are concerns regarding whether a centralised system can adequately adhere to the GDPR’s stipulation that consent be specific, considering the potentially broad nature of centralised choices in contrast to the necessity for granular consent tailored to distinct types of data processing activities.

Additionally, the German Consent Management Ordinance also impacts the consent management services since they would have to create Ordinance integration signals with CMPs to recognise user signals while complying with privacy laws like German cookie consent requirements, GDPR and the Ordinance.

These aren’t just any platforms; they’re held to a higher standard. The initial step is to earn the approval of the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Participants can apply electronically. Following are some of the criteria for such service:

• Transparency: Give users clear details about data use, who’s involved, and how to withdraw consent.
• User-friendliness: Be built for ease of use, empowering users to manage their choices efficiently.
• Interoperability: Let users export their data settings and switch between approved providers.
• Annual review: Pass an annual review to prove they’re keeping up with data protection best practices.
• Fair:
  • All websites or apps (service providers) must have equal access to the consent management service in real-time.
  • No website or app can be denied access to the service.
  • When showing options to users, websites/apps must be listed in a standard way.
• Technically sound: The service must be built so that websites and browsers can easily recognise that a user is using a recognised consent management service. Websites also need to be able to easily send requests to the service and check a user’s settings.

The Ordinance is expected to take effect on the first day of the next quarter. Additionally, the BfDI has not yet recognised any registered consent management service.

Consider the EinwV as introducing a new layer to the existing consent ecosystem. Your cookie Consent Management Platform (CMP) is a vital component of your compliance strategy. In the future, CMPs like CookieYes may work in harmony with centralised consent managers, translating user choices into actions on websites. This necessitates adapting to and connecting with approved consent hubs while respecting the user preferences that flow from them. It is also essential to provide users with clear information about their data journey. However, one must always prioritise GDPR compliance when managing consent.

Currently, in Germany, websites must obtain users’ valid consent before collecting personal data. Companies should continue using consent management platforms to request this consent.

The new Ordinance introduces an optional requirement for these tools to collaborate with trusted services that can easily share user consent. Ultimately, this will lead to the widespread adoption of advanced CMPs like CookieYes in the future, which are proactive in compliance.

The EinwV isn’t without its critics. Here are some of the popular ones from experts.

• Narrow focus: It mainly covers consent under local law since it is based on section 25(1) of the TDDSG.
• Voluntary adoption: Without a push for widespread use by the authorities, its impact might be limited.
• Possibility of repeated consent requests: Digital service providers are not mandatorily required to honour user decisions made via consent management services. Therefore, businesses can choose to continue using cookie banners.
• Compliance headaches: Added complexity could make proving GDPR compliance even harder.

Regardless of the EinwV’s ultimate success, preparation is key:

• Stay alert: Watch for updates from the BfDI and other regulators.
• Implement a CMP: If you have not already integrated a cookie consent management platform, you are missing out on some important compliance measures.  Start one now with CookieYes to remain proactive and stay ahead of any privacy regulations.
• Reassess your tools: Ensure your CMP is GDPR-compliant and ready to integrate with approved consent managers, just like CookieYes.
• Value user trust: Focus on clear, user-friendly consent experiences.

Germany’s EinwV is an experiment in consent evolution. While its voluntary nature deserves attention, businesses that embrace transparency, prioritise user experience, and uphold GDPR principles will be well-prepared for the changes ahead. Right now, vendors and publishers don’t need to rush into making any changes if you have already implemented a proactive CMP like CookieYes.

By staying agile and informed, you can navigate this shifting landscape with confidence and strengthen your relationship with your customers.