Will Germany make the “reject all” button mandatory? New guidance from the German data protection authorities on consent for tracking cookies and other technologies

Just before the end of the year, the German Data Protection Conference (Datenschutzkonferenz, DSK) seized the opportunity to publish a “Christmas present” in the shape of a new “guidance for telemedia providers” that deals with the legal situation after the introduction of the German Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutz-Gesetz, TTDSG) on 1 December 2021.

We want to take a look at how this new guidance affects the online marketing industry, in particular the DSK’s interpretation of the rules concerning the use of cookies and other technologies, especially on the question of consent management.

Important: The guidance has only been published in a draft version so far. There will still be a public consultation process, after which the text may still change. According to the DSK, more detailed information about this process will follow later this month.

It is also worth mentioning that paid models (such as those used by Spiegel Online or now also on bild.de) are explicitly not covered by the guidance.

Consent under TTDSG and GDPR can be obtained together

Unsurprisingly, the tracking consents required under the TTDSG and the GDPR can be obtained together through one and the same action according to the DSK. However, this requires that it is made clear to users that their declaration of consent refers both to storing information on and reading information from the terminal equipment and to the subsequent data processing. In addition, information on both legal bases must be provided separately. This means that even more and clearer information must be provided in the consent banners in the future.

More information about the use of cookies and similar technologies is required

Users should also be informed transparently and comprehensibly via the consent banner about who accesses their terminal equipment in what form, for what purpose and for how long, and who can read out the information. Likewise, the user must be informed about the extent to which the information read out is processed for further data processing purposes. It is not sufficient to provide only vague information about the purposes (such as “marketing purposes” or “improving the user experience”).

Although corresponding information can still be provided on a second level of the consent banner, if there is the possibility to consent to different purposes on the first level, you also need to provide sufficient information on this level. The DSK remains silent on how this can be implemented in a practicable and clear manner.

The importance of informed consent to the DSK also becomes clear in the following sections of the new guidance.

The DSK clarifies that an “OK” button does not constitute an unambiguous declaration of intent in the sense of consent. Even “accept” or “I agree” is only sufficient for effective consent if the consent text clearly states what is being consented to.

Two equivalent options must be offered

The consent banner should be designed in such a way that the end user has two equivalent options with the same communication effect. If the user can only make a voluntary and informed decision with additional effort in terms of clicks and/or attention, this precludes effective consent in the eyes of the DSK.

Two equivalent options can therefore regularly only be assumed if an “accept all” and a “reject” or “not now” button are offered as options on the first level of the consent platform.

The DSK also calls for a consent management system that allows users to give granular partial consent along the lines of the IAB TCF 2.0.

The same applies to revoking consent. It must also be possible in the same way as giving consent (for example, through a button on the website).

Analytics cookies as “absolutely necessary”?

For the exception for “absolutely necessary” cookies under sec. 25(2)(2) TTDSG, the DSK makes a distinction between the provision of a basic service, additional functions and general functions. A purely economic necessity is not sufficient.

For various reasons, the DSK expressly does not comment on whether analytics cookies that serve to measure audiences (as well as other special categories of cookies) can be classified as “absolutely necessary” under certain conditions and are thus exempt from the consent requirement under sec. 25(2)(2) TTDSG. This is justified by the fact that in the case of analytics cookies, much depends on the specific purpose for which audience measurement is used in the individual case.

This means that the DSK does not follow the example of other supervisory authorities, such as the French supervisory authority CNIL, which takes the position that analytics cookies can be exempted from consent if

  • the cookies are only used to create anonymous statistics,
  • that are absolutely necessary for the proper functioning of the service, and
  • are intended exclusively for the operator of the website or app in question.

The DSK only informs us that, in addition to the question of whether cookies are “absolutely necessary”, time, content and personal dimensions must also be taken into account and provides us with relevant criteria:

  • time of access: The cookie read-out and placement process may only begin when the specific function is actually used.
  • content of the information: The information that is stored and read out must be absolutely necessary for the function.
  • storage periods: The information may only be stored and read out for as long as absolutely necessary.
  • readability of the information: It must be technically ensured that the information can only be read by the provider; in the case of third-party cookies, that the information can only be used for the website accessed by the user.

Rejection of the “Axel Springer model” for international data transfers

Finally, the DSK also states that personal data processed in connection with tracking users on websites or in apps cannot be transferred to data recipients outside the EU on the basis of consent pursuant to art. 49(1)(a) GDPR. This is because the scope of such data transfers would regularly contradict the character of art. 49 GDPR meant for exceptional cases only.

The DSK thus rejects the so-called “Axel Springer model” for international data transfers. Whether this view will prevail, in particular whether it can be reconciled with the wording of art. 49(1)(2) GDPR, remains to be seen.

What you need to do now

For the time being, we can wait for the consultation process and the final version of the guidance – at the same time, we are already aware of supervisory procedures that have apparently been initiated on the basis of the positions described here.

We also need to stress again that the new guidance does not have any binding character in itself. It only documents the opinion of the German supervisory authorities. Instead, it remains to be seen how the courts will interpret the law. The relevant industry associations have justifiably questioned a number of the DSK’s positions, arguing that such a strict interpretation does not follow from the letter of the GDPR.

In addition, many requirements, such as the correct design of the individual buttons (in particular avoiding excessive nudging), no pre-checked boxes or opt-outs or the possibility to simply reject cookies that are not necessary, have already been good practice for quite some time and should therefore not be new for you and should not require substantial changes.

In the new guidance, however, the DSK is in some cases setting even stricter requirements for consent management. The new TTDSG law only serves as an excuse – the DSK wants to convince businesses to expand the amount of information provided to the user and to change the options displayed in the consent banner.

If you want to avoid being the subject of any proceedings with the German supervisory authorities, we therefore advise you to review your consent management practices in accordance with the new guidance, and adjust them where necessary.

The fines of 150 million and 60 million euros imposed on Google and Facebook in France a few days ago can serve as a cautionary example, as both businesses were fined for not making it as easy for their users to reject cookies as it was to give consent.

We will continue to monitor these developments for you and inform you, if necessary. As always, we will be happy to advise you on all necessary steps, in particular on ensuring compliant consent management.
(Dr. Frank Eickmeier, Dr. Lukas Mezger UNVERZAGT Rechtsanwälte)