On December 1, 2021, a new data protection law will come into effect in Germany. It’s called the Telecommunications and Telemedia Data Protection Act (TTDPA, or TTDSG in German). TTDPA is a shortened version of “Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia”.
We will look at what is changing for companies and what needs to be done now.
- All technologies, except those that are “strictly necessary”, may only be set after explicit consent has been obtained.
- The scope of application of the Consent Management Platform has been extended.
- The TTDPA also applies to apps, messenger services, smart home devices, the IoT, etc.
What does the TTDPA change for companies?
The good news is that for companies that already obtain and manage consent via a Consent Management Platform (CMP), hardly anything will change. The requirements for obtaining consent remain the same and continue to be based on the provisions of the GDPR.
The scope for Consent Management Platform use has expanded
More technologies now require consent
According to the TTDPA, all technologies that access the user’s device require consent before they are used, regardless of whether or not personal data processing is involved.
The reason behind this is that Section 25 of the TTDPA regulates more than the protection of personal data.
As a result, storage of or access to information that is not personal data is also subject to consent, so the scope of application for CMP use has expanded.
⇨ This means that as of December 1st, 2021, companies based in Germany or companies offering goods or services to the German market will have to obtain consent for a greater number of technologies than before, particularly for those where information is read or stored on the user’s device. (For a more detailed explanation, see below.)
As a Usercentrics customer, this is what you need to do now.
1. Check which Data Processing Services are in use on your website with the help of our DPS Scanner.
2. Add the services that access user devices to the CMP. To do this, use the Add button in the audit results. In the case of unknown technologies, you will need to determine which category you would like to add them to.
3. Check the current categorization of all your services that use services/technologies like cookies, local storage or other storage locations on users’ devices. The reason for this is that consent must now be obtained for these services as part of the scope of the TTDPA. Technologies may have to be moved from the “Essential” category to the “Marketing” or “Functional” categories.
When is consent not required?
- essential technical cookies and information
- cookies and information used exclusively for the transmission of messages via a public telecommunications network
Please keep in mind: You will have to check if any Data Processing Services fall under exceptional circumstances, and thus do not require consent. Usercentrics cannot provide legal advice or tell you if the service is “necessary”, “technically necessary” or “essential”.
Expansion of data protection scope to include end user equipment
The TTDPA expands the scope of application of data protection because the requirements apply to all items defined as “end user equipment” (user devices).
What is meant by “end user equipment”?
End user equipment is:
“any device connected directly or indirectly to the interface of a public telecommunications network for the purpose of sending, processing or receiving messages. This includes, for example, laptops, tablets, smartphones, smart TVs, voice assistants, connected devices belonging to the Internet of Things (IoT) that exchange information automatically or with only minor human involvement in the context of machine-to-machine communication (M2M). For example, such as connected cars.”
This means that all technologies operating on a user’s device require consent, whether or not personal data is processed.
⇨ Therefore, anyone using cookies or other tracking technologies will need explicit consent from users in Germany and, consequently, they will need to implement a functional cookie banner or Consent Management Platform.
What else is new?
Personal Information Management Systems and Single Sign-on Solutions – what does the future hold?
Personal Information Management Systems (PIMS) are services designed to enable users to set one-time conditions for consent or refusal to let websites collect personal data. The PIMS provider automatically forwards this information to all websites the user accesses. The goals are convenience, consistent application of preferences, and giving users more control over their personal data and third-party access to information.
Although PIMS are not explicitly mentioned within the TTDPA, here the legislature has already provided a legal framework for possible innovations. Supplementary documents also indicate that Single Sign-on (SSO) Solutions are included in addition to PIMS.
Section 26 of the TTDPA is intended to create a reliable and credible framework for the recognition of such services so that end users also entrust their consent to them. However, these services must first be officially recognized, for which certain conditions must be met (no economic self-interest on the part of the provider, security concept of the provider, etc.). The procedure for recognizing the services would also have to be defined by the federal government in the form of a legal ordinance.
Whether the browser vendor or new technology players will have to provide a PIMS in the future, and what the cooperation between them might look like, is still unknown. However, the immediate relationship between responsible parties and users still has priority. Therefore, cookie banners will still be helpful for obtaining consent in an era of PIMS.
Frequently Asked Questions (FAQ)
What is the objective of the TTDPA?
With the TTDPA, the data protection provisions from the Telecommunications Act (TKG) and Telemedia Act (TMG) are merging. This coexistence has repeatedly led to legal uncertainties in the past, which this change aims to resolve. The TTDPA also incorporates corresponding provisions of the ePrivacy Directive into German law.
When does the TTDPA come into effect?
The law was passed by the German Parliament on May 20, 2021. It comes into effect on December 1, 2021.
Who is affected by the TTDPA?
The TTDPA affects all companies based in Germany or companies that offer goods or services to the German market.
What happens in the event of a violation of the TTDPA?
A violation of the TTDPA can be punished with a fine of up to €300,000. However, if the action or negligence in question violates both the TTDPA and GDPR, a double penalty will not be issued.
DISCLAIMER: These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer. The data protection-compliant implementation of a CMP is ultimately at the discretion of the respective data protection officer or legal department.