On December 20, 2024, the Bundesrat (German Federal Council) approved an ordinance pursuant to Section 26 Paragraph 2 of the Telecommunications Digital Services Data Protection Act (TDDDG) and amending the Special Telecommunications Fee Ordinance (DE, PDF). Officially, the update is the “Verordnung über Dienste zur Einwilligungsverwaltung nach dem Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Einwilligungsverwaltungsverordnung – EinwV)”.
The goal of this ordinance is to reduce the “flood” of consent banners displayed on websites to German residents. We delve into what this new law says, when it comes into effect, and how your business can navigate the requirements.
What is the TDDDG?
The Telecommunications Digital Services Data Protection Act (TDDDG in German, TTDPA in English) covers similar territory to the General Data Protection Regulation (GDPR) regarding data handling, privacy, and user rights, but gets into more detail in certain areas.
The TDDDG came into effect in Germany in December 2021. It shares the scope of the ePrivacy Directive for requirements regarding use of consent management solutions, and applies to any company offering goods or services in Germany if they access information (not just personal data) stored on a user’s device, or store information on users’ devices.
The regulation requires informed and explicit user consent for the use of more digital technologies, and storage of and access to data stored on or collected from users’ devices, in line with the GDPR’s consent requirements. It is permissible to use bundled consent to cover both regulations when providing users with notification and consent choices, though in many cases there will be two legal bases required: one for the GDPR and one for the TDDDG.
What is the new cookie-related ordinance in the TDDDG?
The new ordinance comes into effect April 1, 2025, giving affected organizations three months for preparation and implementation if they choose. It’s meant “to protect Internet users from disruptive and misleading consent requests” by reducing the number of cookie banners or comparable displays that users are faced with regularly. The Bundesrat has recommended that the ordinance undergo evaluation within two years.
The goal is for users to make one-time decisions about cookie consent using a consent management solution, with the information they provide centrally stored and used over time to signal the individual’s consent preferences to any digital services collecting data. As a result, users will not be presented with cookie banners over and over when they visit different websites.
Additionally, the ordinance is meant to strengthen web users’ freedom of choice regarding access to their personal data online. Explicit and informed consent from users for data collection and use via cookies remains a requirement. The core strategy in achieving the ordinance’s goals while making use of existing consent management solutions is the introduction of “recognized consent management services”. Becoming a “recognized” service requires an annual certification process.
However, it is unclear whether this strategy supports the overarching goals of data privacy and specific regulatory requirements, particularly as it centers ID-based solutions.
The requirements of the ordinance are voluntary for both website operators, who can choose if they want to implement the new framework, and for users, who can choose if they want to engage with these services and save consent choices for reuse.
What is the certification approval process for the new ordinance?
To become a “recognized consent management service” under the new regulation, a company offering consent management services must undergo an approval process that is overseen by the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), the Federal Data Protection Commissioner.
The process requires demonstrating compliance with current data protection laws, like the GDPR, and passing security audits. The estimated annual administrative costs to maintain certification are €79,000, which may be out of reach for smaller companies providing consent management solutions. However, as noted, the requirements of the ordinance are voluntary.
Who does the new cookie-related ordinance affect?
The regulation applies to website operators and digital service providers that collect consent under Section 25 TDDDG (DE).
Internet users can benefit from a more streamlined process for managing consent and cookie preferences online, and an improved user experience overall when browsing. Consent preferences set once and centrally stored with a recognized consent management service will automatically be signalled to subsequent websites users visit, so they will see fewer cookie banners pop up.
Website operators and digital service providers would continue to need to respect the user’s consent selection, so using a consent management platform (CMP) is important. Also, recognized consent management services would need to signal user consent to the CMP that a website operator has implemented, so a compatible CMP is necessary.
Consent management service providers will have to develop solutions that can pass the certification requirements and enable compliance with the ordinance and other relevant data privacy regulations and frameworks like the GDPR and ePrivacy Directive. Consent management services will need to work with CMPs to pass the user consent signal information. Providers can benefit from increased business from organizations that want to implement a recognized service.
How can companies comply with the cookie control ordinance?
Website operators and digital service providers in Germany and throughout the EU already need to respect users’ privacy and rights and obtain explicit and informed consent for collecting and processing data. So organizations already using a CMP will need to continue to do so. (Those who are still not using one are taking increasingly large risks with their revenue, legal standing, brand reputation, and customer retention.)
Because the ordinance’s requirements are voluntary, companies can continue to use their existing CMP, which likely displays consent banners to users infrequently but at specific intervals, e.g. first visit to the site, after the consent expires, if the user clears their browser cache, etc.
If a website operator wants to comply with the ordinance, they will also need to ensure their CMP can seamlessly accept and process consent information signals from users who have set them using a recognized consent management service. Usercentrics specializes in smooth integrations that enable consent information to be obtained in a user-friendly manner and signaled throughout your tech and marketing ecosystem.
Some ambiguity remains regarding how the functionality will be required to work and whether there are standards that recognized consent management services and CMPs will need to meet. The ordinance also does not specify how long a user’s consent information remains valid.
Of note is that the ordinance’s mechanism with recognized consent management services is a new proposal, as it uses an opt-in model. To date there have only been opt-out solutions, like Global Privacy Control (GPC) or other universal opt-out mechanisms (UOOMs). Recognition of such signals is not universal, but has been finding traction in more of the newer data privacy regulations passed, e.g. at the state level in the United States.
There are tools to signal consent information that work with CMPs, like Google Consent Mode, but they are not relevant to the ordinance’s requirements. They don’t function on the user’s side, as they forward consent choices that users have made with the CMP through to services like Google Ads.
How Usercentrics can help you manage user consent
No consent management services have been certified yet, as the ordinance was only passed in late December 2024. However, it will be critical for any recognized consent management services to work well with CMPs to ensure legally compliant processing of users’ consent choices. Maintaining good user experience with seamless functionality is also important for happy website visitors, as well as for interaction and consent rates.
It will be important for companies to use a CMP like Usercentrics CMP that enables compliant and secure collection, storage, and signaling of consent information. It also enables a full range of integrations and is updated regularly for the latest regulatory and technology changes and requirements. We will continue to update on this ordinance and its requirements as more information becomes available.
This new ordinance does not mean CMPs are no longer needed for consent management. Quite the opposite; it points to the need for companies to implement a CMP backed by constantly evolving technology and legal expertise. This enables companies to maintain privacy compliance, marketing monetization, and positive user experiences no matter what changes the future brings from regulators, influential tech platforms, or elsewhere.