Guten Morgen from Munich.
“Cookies are so yesterday...” was the headline of an article published in The Privacy Advisor. That was in early 2015, when cross-device tracking became en vogue. A little less than seven years later, on 1 Dec. 2021, Germany’s first-ever “cookie law” will enter into effect. After endless back-and-forth over the last decade, German lawmakers finally agreed on a national law implementing the EU Cookie Directive (2009/136/EC). This directive dates back to 2009. So why – you might ask yourself – is Germany adopting a cookie law almost simultaneously with the demise of third-party cookies? And why has it taken 12 years for lawmakers to come up with such a law?
Some legal history: After multiple failed attempts to implement Article 5(3) of the directive into national law, the EU Commission threatened in 2004 to institute formal infringement proceedings against the German government for not transposing the directive into German national law. Such transposition into national law is necessary for an EU directive to become enforceable. Back then, the German government successfully argued that Article 5(3) of the directive had been implemented into law under Section 15 of the German Telemedia Act. However, the issue with this argument was that the provision allowed profiling for marketing purposes on an opt-out basis, whereas Article 5(3) of the directive clearly requires opt-in.
Consequently, marketing cookies in Germany were used on an opt-out basis for more than a decade, whereas national law in the rest of Europe required opt-in. So far, so good. But then came the EU General Data Protection Regulation — and with it highly controversial guidance by the joint German supervisory authorities, the DSK, published in mid-2018. Under this guidance, marketing cookies suddenly required opt-in consent in Germany — contrary to the wording of Section 15(3) of the German Telemedia Act. The DSK argued the GDPR would supersede such law. Adding to the confusion in 2020, the German supreme court ruled Section 15(3) of the German Telemedia Act remains applicable next to the GDPR, but that “opt-out” must be interpreted to mean “opt-in.”
Such back and forth was too much even for German lawmakers. The result is a new law that will enter into force in a few months that combines the privacy-related provisions of the German telemedia and telecommunications laws into a new law dubbed the German Telecommunications and Telemedia Data Protection Act. This move is remarkable, particularly as the TTDSG’s shelf life is limited given it will likely become irrelevant with the advent of the EU ePrivacy Regulation, which seems to be around the corner — although it is currently not clear how many corners.
So, what is the TTDSG? Most interestingly for privacy pros and regarding cookies, the new law sticks closely to the wording of Article 5(3) EU ePrivacy Directive. Any “storage of information in the end-user’s terminal equipment or access to information already stored in the terminal equipment” requires prior user opt-in. This means cookies and other tracking technologies that fall under this definition will require prior user consent, i.e., opt-out is no longer an option. Importantly, this applies irrespective of whether personal data is processed. Thus, the TTDSG’s scope extends well beyond web tracking and is relevant also for any sort of connected devices like cars, IoT devices, etc. Also, machine-to-machine communication without personal data processing falls under the scope of the new law.
But important questions remain: In particular, the scope of the very limited exceptions from such opt-in requirements is not clear-cut. Opt-in is not required if the storage of information in end users’ terminal equipment or access to such information is “strictly necessary for the provider […] to provide a […] service explicitly requested by the user.” But what does this mean for analytics services? Will it apply to alternative tracking technologies like device fingerprinting or other cookie-less technologies which will dominate the market shortly? Clearly, German lawmakers missed the opportunity to ensure legal clarity on those relevant questions. At the same time, we see massive enforcement activities from German regulators.
It is no surprise we will look for answers and practical guidance during this year’s IAPP Data Protection Intensive: Deutschland. If you are not registered yet, there is still time to sign up for the IAPP’s first major conference of the year held in person.
I look forward to seeing you all there!