Back to blog

TTDSG – how to make sure your analytics complies with the German law

Analytics Data privacy & security GDPR

Written by

Published January 30, 2023

TTDSG – how to make sure your analytics complies with the German law

Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) came into effect in December 2021. It applies to all companies that do business in Germany, even organizations located outside the country.

The regulation merges the data protection regulations in telemedia and telecommunications, previously scattered across various German laws. Among other things, TTDSG regulates confidentiality and privacy protection when using internet-ready terminal infrastructures such as websites, messenger services, or smart home devices. The law also modifies the legal framework for using cookies and similar technologies. It implements the requirements featured in the ePrivacy directive and is enforced in addition to the General Data Protection Regulation (GDPR).

If your company processes the data in Germany, you need to make sure your data collection satisfies the requirements of the law.

Our article will show you how to make your marketing stack TTDSG-compliant. You’ll also discover a simple method for collecting anonymous data under German regulation.

What does TTDSG mean for your data collection?

TTDSG is a local implementation of ePrivacy directive and a GDPR supplementation for the German market in the area of telemedia.

Following the ePrivacy directive, TTDSG applies to both personal and non-personal data. If no personal data is processed then only TTDSG applies. If both personal and non-personal data is processed, then both TTDSG and GDPR apply. The new German regulation also clarifies all organizational and technical security requirements for companies that transfer data between countries.

TTDSG requirements have a great impact on the way that companies operate, including their choice of analytics vendor. For example, Google Analytics doesn’t comply with the German law. According to noyb, legislation such as the Cloud Act enables US authorities to view data collected by US-based companies on their worldwide servers, including data from EU citizens. The Austrian, French, Italian, and Dutch data protection authorities (DPA) also follow this statement, ruling that using Google Analytics is incompatible with GDPR.

To discover further details about various DPA statements, read our article: Is Google Analytics (3 & 4) GDPR-compliant?

All this makes it incredibly challenging for Google to gain a foothold in Europe. As a result, the need for a privacy-friendly analytics platform is growing.

How to collect anonymous data under TTDSG?

After the law came into force on December 1, 2021, many companies asked themselves how to collect anonymous data legally. Until now, they mostly have used fingerprinting or event-based methods that only guaranteed limited datasets. What’s more, most analytics vendors have advertised this method as “consent-free”. This might have worked under GDPR, but TTSDG states that consent is required for reading any information from an end-user’s device.

That being said, the website or any tool installed on that website cannot read data from the device without consent. This includes:

  • screen resolution
  • browser configuration
  • installed plugins
  • system fonts
  • and many others

Such data was used to generate the so-called fingerprint and to assign the performed events to each session. This information could lead to identifying the visitor indirectly – thus, it is also classified as personal data.

pro tip

There are two exceptions to this rule. The data can be stored in the end user’s device if:

  • The sole purpose of storing information or accessing information already stored in the end user’s device is to transmit communication over a public telecommunications network
  • The storage of information in the end user’s device or the access to information already stored in the end user’s device is necessary to provide a telemedia service requested by the user.

Consent forms, also known as cookie consent banners, are crucial when you want to collect accurate and complete data about your visitors’ behavior. TTDSG does not introduce any changes in this regard compared to GDPR. 

However, German law clearly puts consent first in data collection. Each website needs to inform visitors about the fact of collecting data, whether it’s personal or not, and allow them to decline or accept such a request. 

In short, to comply with TTDSG, you need to receive visitors’ consent to even store cookies or access their device data like screen resolution, browser plugins, and the like.

Companies should continue to seek consent in an informative, voluntary, unambiguous, and specific way.

Cookie consent banners should allow visitors to reject or accept cookies easily, or completely ignore the banner to avoid cookie walls. Also, it’s important to offer visitors access to the privacy policy, so they can change or revise their decision at any time.

Finally, legal requirements are crucial, but so is the design. Here are some examples of how well-designed cookie banners should look like:

Example number 1

In this cookie consent banner, the company informs visitors directly about necessary cookies and asks for direct, voluntary, and unambiguous consent. The user must flip the switch and confirm the action by clicking ‘Save’.

Example number 2

This cookie consent banner is composed of two parts. The first part allows visitors to choose whether to accept or reject all cookies immediately. The second part contains ‘Advanced settings’ that let visitors agree on selected cookies and change or revise their decision. This banner meets all the necessary guidelines and allows accepting and rejecting cookies with a single click.

Watch out for dark patterns

Many companies still do not have consent banners that comply with data protection regulations. They use dark patterns that make refusing consent much more difficult for visitors. They take various forms, such as pressure, operational coercion, obstacles, sneaking, and misdirection, that can cause people to make irrational decisions.

To learn more about dark patterns and the best ways to avoid them, read our article: When design goes awry – How dark patterns conflict with GDPR and CCPA

However, some companies still put non-compliant banners on their website simply because they have little knowledge about legal requirements. Either they display a simple cookie banner or forms that definitely need optimization. 

That’s why companies should choose a consent manager that could help them align with privacy regulations. 

According to § 26 of TTDSG, the consent manager should provide user-friendly technical applications for obtaining consent. It should also allow visitors to manage consent, making it easy to change or revise their decision. All this should be done without neglecting data security. 

To know more about cookie consent regulations across Europe, read our article: Everything you need to know about cookie consent in the EU

Piwik PRO Analytics Suite offers an integrated consent manager which doesn’t trigger tags unless visitors give their consent. It also allows you to share all consents with the entire marketing stack and work in accordance with data protection regulations.

Piwik PRO delivers a customer and data-centric TTDSG-compliant platform

The CNIL’s (France’s Data Protection Authority) consent exemption for Piwik PRO Analytics Suite proves that the platform meets the highest data privacy standards. The French data protection authority has added Piwik PRO to its list of analytics platforms that can be used without consent once the user chooses certain settings. It means that if you configure Piwik PRO correctly and limit the data collection, you don’t have to ask for users’ consent. 

Piwik PRO Analytics Suite came up with an option for customers who want a solution that stitches the user session based on the data available within the HTTP request without accessing the end-user terminal.

This solution is not perfect, as many users may share the same traits of the HTTP request. As a result, Piwik PRO bundles their clickstream under a single visit.

Another possibility is to disable collecting end-user data that requires consent under TTDSG by simply pressing a switch. The rest happens by itself.

When deciding on the tracking setup, you should discuss your options with the privacy team. You can also choose other options, such as IP masking, anonymization, and consent, that may be bundled together with this TTDSG toggle. 

In the end, we also recommend running your data protection impact assessment (DPIA), according to GDPR par. § 9 section 2.

TTDSG: Conclusion

As Europe is expanding its collection of new privacy regulations, such as TTDSG, Google Analytics and other US-based cloud services will have even more difficulties operating in Europe. At the same time, privacy-friendly analytics platforms are becoming more and more relevant as they allow companies to collect customer data and comply with applicable laws.

We hope that our article has cleared up some of your concerns about TTDS-compliant customer data collection. In case of any more questions, you can contact us anytime.

We also encourage you to try Piwik PRO Core – the free version of Piwik PRO Analytics Suite.


Natalia Chronowska

Content Marketer

A content writer with a flair for tech-related topics. Likes to make a specialized language more understandable for the readers.

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free

Upcoming live webinar

September 27, 2023

Unlock the power of web analytics data with Piwik PRO Customer Data Platform

Getting your analytics right is crucial, but it’s not enough to just collect data. You also need to activate it. Learn how to put your web and app data into action with Piwik PRO Customer Data Platform (CDP). Get to know the practical and privacy-compliant use cases for reducing cart abandonment, improving customer experience through personalization, recognizing the most profitable clients and more. Find answers to your questions during a dedicated Q&A session at the end of the webinar.

Sign up for this webinar