Germany: DSK Guidelines on the TTDSG - Part two

On 20 December 2021, the German Data Protection Conference ('DSK') published the long-awaited guidelines ('the Guidelines') on the new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'). The Guidelines consider both the provisions of the TTDSG, which has been applicable since 1 December 2021, and those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In the Guidelines, the German authorities give companies a clearer picture of the most relevant questions around the use of cookies and similar technologies. A public consultation is currently running, and it is likely that the current version will see additions, further specifications, and possibly some small changes.

In part two of a two-part series, Philipp Quiel, Counsel at Piltz Legal, provides an overview on the DSK's opinions regarding consent and next steps for companies. Part one covers the scope of applicability, legal basis, explicit requests, and strict necessity under the TTDSG.

Selected aspects covered in the Guidelines

Consent under the TTDSG and relation to consent under the GDPR

It is generally possible to obtain consent in a single step both for storing information in, or gaining access to information stored in, the user's terminal equipment (regulated by the TTDSG) and for the subsequent processing of personal data that is covered by the GDPR alone. However, the consent text has to make visible that the consent covers both the processing of personal data under the GDPR and the storing of, or access to, information in the terminal equipment under the TTDSG. It must also be visible that a single action (for example, clicking a button) gives two forms of consent.

The German authorities take the standpoint that if the processing of personal data is not mentioned, the consent covers only the part regulated under Section 25 of the TTDSG. Consent under the TTDSG and consent under the GDPR generally have the same requirements, because Section 25 of the TTDSG refers to the GDPR's consent requirements regarding the provision of information and the formal requirements. According to the Guidelines, this also makes Articles 4(11), 7, and 8 of the GDPR applicable to consent that covers only the TTDSG part.

Need to inform users

The Guidelines further explain that, in practice, the authorities notice many inconsistencies between the information provided in cookie banners and the information in data protection notices and privacy policies (for example, different purposes, different providers of website tools, and different legal bases). The DSK explains that when both the TTDSG and the GDPR apply, companies need to inform separately about the legal basis under the TTDSG on the one hand and under the GDPR on the other. Consent needs to qualify as 'informed', yet the TTDSG itself does not say which information has to be provided. The Guidelines state that companies must meet the following requirements:

  • any storage and access activities must be transparent and comprehensible;
  • information must be provided on who accesses the respective terminal equipment, in what form and for what purpose, how long the cookies remain functional, and whether third parties can gain access to them;
  • information must be provided on the extent to which the access to information serves further data processing that is subject to the requirements of the GDPR, and on the purposes of that further processing; and
  • information must be provided on the fact that revoking consent does not affect the lawfulness of the processing carried out before revocation (Article 7(3)(3) of the GDPR).

Companies obtaining consent have to ensure that the consent text is in line with the legal requirements. The Guidelines also state that where consent management tools are used, it is the website operator, and not the provider of the consent management tool, who is liable for any breach of the obligations connected with obtaining valid consent.

Other requirements relating to consent

Consent must be given through an unambiguous indication by a statement or by a clear affirmative action. Consent must be 'specific', which implies that users know exactly what they are consenting to. With reference to page 16 of the WP29's Opinion 03/2013 on purpose limitation, the German authorities name 'improving users' experience', 'marketing purposes', 'IT-security purposes', and 'future research' as examples of purposes that are too general and therefore prevent valid consent.

According to the Guidelines, users need to be able to give and deny consent for different purposes separately. The authorities also refer to Recital 43 of the GDPR and state that if there is no option to deny or give consent for different purposes separately, this is also problematic with regard to the 'freely given' criterion. According to the Guidelines, consent is also not freely given when users are forced to make a decision (not forced to consent, but merely required to make a decision because the banner cannot simply be closed): 'it can be assumed that such a constraint exists if a banner or other graphic element for requesting consent blocks access to the website as a whole or parts of the content and the banner cannot simply be closed without a decision being made'.

According to the German authorities, consent is also not freely given if users need more clicks to deny cookies than to consent. The imprint and the data protection notice cannot be blocked by the cookie banner; those areas need to be accessible to users at all times. Where users have to make a decision regarding cookies before being able to use the website itself, denying consent must be as easy, in terms of clicks, as providing it. The German authorities state that this follows from Recital 32(6) of the GDPR, which provides that if the data subject's consent is to be given following a request by electronic means, the request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided.

Obligation to demonstrate that consent was given

Companies need to be able to demonstrate that consent was given in line with the legal requirements. The Guidelines stress that, to be able to do so, companies need to use buttons with the same 'communication effect' on the first layer of a cookie banner. If users are not offered equivalent options for giving or refusing consent, the requirements for effective consent are regularly not met (the 'unambiguous indication by a statement or by a clear affirmative action' criterion), and equally designed options for making different choices are also what the 'freely given' criterion demands.

The German authorities draw the following strict conclusions on storing information about the consent given by a particular user: fulfilling the obligation to demonstrate that consent was given, pursuant to Section 25(1)(2) of the TTDSG in conjunction with Articles 7(1) and 5(2) of the GDPR, does not require long-lived unique identifier ('UID') cookies. As a rule, it is sufficient to be able to prove that, and which, processes have been implemented to obtain consent, and to store the result in a cookie without a UID or other excessive information.

On the one hand, one can appreciate the acknowledgment that companies are generally able to demonstrate compliance by documenting their processes, instead of having to prove that something particular applies to a specific individual user. On the other hand, it is very strict to conclude that companies should not be allowed to use UID cookies at all.

When thinking about an access request made by a website user who consented via a cookie banner, an identifier is in most cases necessary to fulfil the request. Without one, Article 11 of the GDPR is likely an applicable exemption, and data subjects will have a hard time providing data that enables the controller to fulfil data subject rights. Interestingly, the German authorities base their assumption that UID cookies are not needed to fulfil Article 7(1) of the GDPR on Article 11(1) of the GDPR themselves. According to the Guidelines, companies should also not store information on a denied consent with the help of a UID cookie. Where users do not provide consent, this fact should be stored on the respective end device without using a user ID or similar, in order to prevent the request for a declaration of will from being displayed again.
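The storage model the DSK describes (a consent result kept in a first-party cookie without a UID, covering denials as well as grants so that the banner is not shown again) can be implemented as a small, self-describing record. The following JavaScript is an added example written for this article, not code from the DSK, from Piltz Legal, or from any consent management product. The cookie name, the banner version string, the purpose names, and the 180-day lifetime are assumptions; the banner version stands in for the process documentation the Guidelines say a company should be able to point to, and the record deliberately carries no identifier that could single out a user.

```javascript
// Added example: a UID-free consent record stored in a first-party cookie.
// Names, purposes, version and lifetime below are assumptions for illustration.
const COOKIE_NAME = "consent_state";        // assumed cookie name
const BANNER_VERSION = "2022-01";           // identifies which banner text/process was shown (assumption)
const PURPOSES = ["analytics", "marketing", "social_media"]; // illustrative purposes, chosen separately

// Build the record from per-purpose choices. Anything not explicitly granted is stored as denied,
// so a "deny all" click yields a record too and the banner is not shown again.
// The record holds only: banner/process version (v), decision time (t), per-purpose flags (p).
function buildConsentRecord(choices, decidedAtMs = Date.now()) {
  const record = { v: BANNER_VERSION, t: Math.floor(decidedAtMs / 1000), p: {} };
  for (const purpose of PURPOSES) {
    record.p[purpose] = Boolean(choices && choices[purpose]);
  }
  return record;
}

// Serialise to a Set-Cookie style string. No UID, no session reference, first-party only.
function encodeConsentCookie(record, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Parse a Cookie header (or document.cookie) and return the record, or null if absent/malformed.
function decodeConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== COOKIE_NAME) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (record && typeof record.v === "string" && record.p && typeof record.p === "object") {
        return record;
      }
    } catch (e) {
      return null; // tampered or truncated cookie: treat as "no decision stored"
    }
    return null;
  }
  return null;
}

// The banner must be shown again only when no decision is stored or the banner/process changed.
function needsPrompt(record) {
  return record === null || record.v !== BANNER_VERSION;
}

// A purpose may be used only if a decision under the current banner version granted it.
function hasConsent(record, purpose) {
  return record !== null && record.v === BANNER_VERSION && record.p[purpose] === true;
}

// Sanity check a practitioner would keep in a test suite: the record contains only the three
// expected fields, i.e. no identifier or other "excessive information" crept in.
function recordIsMinimal(record) {
  const keys = Object.keys(record).sort();
  return keys.length === 3 && keys[0] === "p" && keys[1] === "t" && keys[2] === "v";
}

// Round trip: a "deny all" decision is persisted and suppresses the banner without granting anything.
const denyAll = buildConsentRecord({});
const restored = decodeConsentCookie(encodeConsentCookie(denyAll));
console.log(needsPrompt(restored), hasConsent(restored, "analytics")); // false false
```

Whether consent was withdrawn later is handled the same way: the next decision overwrites the record, and the version field lets the site force a fresh prompt when the banner text or purposes change, which is when the stored decision stops being informed.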

Layered approach in cookie banners

It is very common to use a layered approach in cookie banners, and according to the Guidelines companies may in general do so. However, it would be too vague to provide merely generic or general information about the purposes on the first layer, such as 'to provide you with a better user experience, we use cookies'. If there is a consent button on the first layer, companies need to provide detailed information on the purposes on that layer. The German authorities also refer to the principle of fairness under Article 5(1)(a) of the GDPR in the context of a layered approach: 'if no objective reason can be presented for why, for example, a rejection option with the same effort is not offered on the first layer of a cookie banner, this constitutes an attempt to exert influence on the end users in an unfair manner.'

When users have to click on 'more details', or something similar, to be able to understand what the consent covers, and the text on the first layer does not sufficiently inform about the scope of the consent, this also regularly prevents valid consent. The DSK explains that where users cannot deny the use of cookies on the first layer of the cookie banner, users clicking an 'agree' (or similar) button do not necessarily want to give their consent, but may only want to make the banner go away. In those scenarios, according to the authorities, it is problematic if the only two options offered do not have the same 'communication effect'. If users are not offered equivalent options for giving or refusing consent, the requirements for effective consent are regularly not met, according to the German authorities.

Data processing under the GDPR

The Guidelines also include a separate section on data processing under the GDPR. It is mentioned several times that integrating a third-party tool also requires the operator of a service to have a legal basis for sharing data with that third party. Examples given of such third-party tools are providers of ads, fonts, scripts, city maps, videos, photos, and content of social media services. The DSK does not make statements of its own regarding Article 6(1)(b) of the GDPR, but only refers to the EDPB's Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects and states that those are also relevant in this context.

According to the Guidelines, there is little room for applying Article 6(1)(f) of the GDPR to the data processing under the GDPR: 'in the context of tracking, the requirements of Article 6(1)(f) of the GDPR are only met in a few constellations in practice'. According to the German authorities, Article 6(1)(f) of the GDPR does not work as a legal basis for sharing data with providers of website tools if those providers use the data for their own purposes while claiming to be processors rather than joint controllers.

Next steps for companies

Even though the Guidelines are rather strict from a company's perspective, it is fair to say that they contain many good legal arguments for a rather strict interpretation. It is also not surprising that the DSK does not argue in favour of an economic approach to necessity. Companies falling within the scope of the TTDSG should definitely take a very close look at the Guidelines to consider the view of the German data protection authorities.

Overall, the way the Guidelines differentiate between basic services and additional services makes sense, even though it is an 'invention' made in this publication and not something included in the law as such. The Guidelines are likely to be updated after the public consultation, and it will be interesting to see how they change.

Philipp Quiel Counsel
Piltz Legal, Berlin