The Telecommunications Telemedia Data Protection Act (TTDPA): what’s changed for companies

On December 1, 2021, a new data protection law came into effect in Germany. It’s called the Telecommunications and Telemedia Data Protection Act (TTDPA, or TTDSG in German). TTDPA is a shortened version of “Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia”.

We will look at what has changed for companies and what needs to be done.

On December 20th, 2021, the Datenschutzkonferenz (DSK), the board of the German Data Protection Authority, published guidelines for the TTDPA (in German). These guidelines provide further information and clarification about the TTDPA and how organizations should implement it.

The good news is that for companies that already obtain and manage consent via a Consent Management Platform (CMP), not much changes. The requirements for obtaining consent remain the same and continue to be based on the provisions of the GDPR.

Requirements for valid consent

For consent to be valid the data subject needs to be informed. The TTDPA requirements for consent are the same as the ones for GDPR (Recital 32). The legal basis for data processing under the TTDPA must be made available to website visitors. This could be in the banner or in the privacy policy, for example.

Note that in most cases a service will have two legal bases: one for GDPR and one for TTDPA. In some cases, e.g. when no personal data is processed, the GDPR will not apply. However, in those cases the TTDPA legal basis will still be required.

More technologies now require consent

According to the TTDPA, all technologies that access the user’s device require consent before they are used, regardless of whether or not personal data processing is involved.

The reason behind this is that Section 25 of the TTDPA regulates more than the protection of personal data.

As a result, storage of or access to information that is not personal data is also subject to consent, so the scope of application for CMP use has expanded.

⇨ This means that as of December 1st, 2021, companies based in Germany or companies offering goods or services to the German market have to obtain consent for a greater number of technologies than before. Particularly for those where information is read from or stored on the user’s device.

Obtaining consent from users

Under the TTDPA, consent must be obtained both for accessing the user’s device and for processing data obtained from it. However, it is not necessary to provide two separate “accept” options (along with “deny/reject” options) to users to obtain these consents. One option is sufficient, as long as the user is informed in the first layer that the consent is for both accessing their device and for data processing.

However, there must also be an equal option to deny both device access and data processing. The “deny/reject” option should use the same design and function as the “accept” option.

One button, link, etc. should not be more prominent or easily accessible than the other, otherwise consent cannot be considered to be freely given, per legal consent requirements. Both options should require the same number of clicks and be available on the same layer. E.g. do not put the “accept” option on the first layer and the “deny/reject” option in the second layer.

“Nudging”, like making one option more prominent or accessible over another is increasingly considered manipulative user experience by authorities, and under some regulations is illegal. (Learn more: What are dark patterns and how do they affect consent?)

As a Usercentrics customer, this is what you need to do now.

1. Check which Data Processing Services are in use on your website with the help of our DPS Scanner.

2. Add the services to the CMP that access user devices. To do this, use the Add button in the audit results. In the case of unknown technologies, you will need to determine which category you would like to add them to.

3. Check the current categorization of all your services that use services/technologies like cookies, local storage or other storage locations on users’ devices. The reason for this is that consent must now be obtained for these services as part of the scope of the TTDPA. Technologies may have to be moved from the “Essential” category to the “Marketing” or “Functional” categories.

4. Section 25(2) TTDPA mentions that the requirements for consent to be valid are the same as the ones set out by the GDPR (Art. 13 GDPR). One of the most important requirements of this article is the legal basis. It is thus recommended to provide information about the TTDPA legal basis to the user.

When is consent not required?

According to Section 25 TTDPA, website operators require explicit user consent for the use of cookies and tracking services. However, pursuant to Section 25(2) TTDPA, the following scenarios are exempt from the consent requirement:

• essential technical cookies and information
• cookies and information used exclusively for the transmission of messages via a public telecommunications network

Please keep in mind: You will have to check if any Data Processing Services fall under exceptional circumstances, and thus do not require consent. Usercentrics cannot provide legal advice or tell you if the service is “necessary”, “technically necessary” or “essential”.

The TTDPA expands the scope of application of data protection because the requirements apply to all items defined as “end user equipment” (user devices).

What is meant by “end user equipment”?

End user equipment is:

“any device connected directly or indirectly to the interface of a public telecommunications network for the purpose of sending, processing or receiving messages. This includes, for example, laptops, tablets, smartphones, smart TVs, voice assistants, connected devices belonging to the Internet of Things (IoT) that exchange information automatically or with only minor human involvement in the context of machine-to-machine communication (M2M). For example, such as connected cars.”

This means that all technologies operating on a user’s device require consent, whether or not personal data is processed.

Therefore, anyone using cookies or other tracking technologies will need explicit consent from users in Germany and, consequently, they will need to implement a functional cookie banner or Consent Management Platform.

Personal Information Management Systems and Single Sign-on Solutions – what does the future hold?

Although PIMS are not explicitly mentioned within the TTDPA, here the legislature has already provided a legal framework for possible innovations. Supplementary documents also indicate that Single Sign-on (SSO) Solutions are included in addition to PIMS.

Section 26 of the TTDPA is intended to create a reliable and credible framework for the recognition of such services so that end users also entrust their consent to them. However, these services must first be officially recognized, for which certain conditions must be met (no economic self-interest on the part of the provider, security concept of the provider, etc.). The procedure for recognizing the services would also have to be defined by the federal government in the form of a legal ordinance.

In the future, whether the browser vendor or new technology players will have to provide a PIMS – and what the cooperation between them might look like – is still unknown. However, the immediate relationship between responsible parties and users still has priority. Therefore, cookie banners will still be helpful for obtaining consent in an era of PIMS.

DISCLAIMER: These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer. The implementation of a data protection-compliant implementation of a consent management platform is ultimately at the discretion of the respective data protection officer or legal department.