Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) came into effect in December 2021. It applies to all companies that do business in Germany, even organizations located outside the country.
The regulation merges the data protection regulations in telemedia and telecommunications, previously scattered across various German laws. Among other things, TTDSG regulates confidentiality and privacy protection when using internet-ready terminal infrastructures such as websites, messenger services, or smart home devices. The law also modifies the legal framework for using cookies and similar technologies. It implements the requirements featured in the ePrivacy directive and is enforced in addition to the General Data Protection Regulation (GDPR).
If your company processes data in Germany, you need to make sure your data collection satisfies the requirements of the law.
Our article will show you how to make your marketing stack TTDSG-compliant. You’ll also discover a simple method for collecting anonymous data under German regulation.
TTDSG is the German implementation of the ePrivacy Directive and supplements GDPR for the German market in the area of telemedia.
Following the ePrivacy Directive, TTDSG applies to both personal and non-personal data. If no personal data is processed, only TTDSG applies. If both personal and non-personal data are processed, both TTDSG and GDPR apply. The new German regulation also clarifies the organizational and technical security requirements for companies that transfer data between countries.
In November 2023, the European Data Protection Board (EDPB) formulated guidelines outlining the new technical scope of Art. 5 (3) of the ePrivacy Directive. According to this article, companies must obtain prior consent before storing or accessing information on a user’s electronic device unless it is necessary to provide the requested service. So far, this principle has mainly applied to Internet cookies. The recent guidelines significantly extend the list of technologies covered by Art. 5 (3) to include new tracking methods and technical operations.
The EDPB focuses on five critical elements of the cookie rule and applies a broad interpretation to each of them:
- Information includes both non-personal and personal data, regardless of how it is stored or by whom.
- Terminal equipment refers to equipment connected to the public telecommunications network, e.g., smartphones, laptops, connected cars, connected TVs, or smart glasses.
- An electronic communications network is any system that allows the transmission of electronic signals. The rule concerns public communication services provided over such networks. However, communication over a network available to a limited number of people (e.g., subscribers) is also considered public.
- Access – the EDPB defines access very broadly: access exists whenever an entity actively takes steps to obtain information stored on terminal equipment.
- Storage applies to information of any type, in any quantity, and takes place over any time (even as short as storage in RAM or CPU cache).
The EDPB’s proposals have sparked controversy, as they may negatively affect the market. This was reflected in the feedback from various industry bodies during the public consultation on the new guidelines.
To quote the Federation of European Data and Marketing:
The EDPB’s broad interpretation of “gaining access” would (…) mean that every communication over the internet is somehow “gaining access” to information within scope of Art 5(3) ePD (…). In doing so, the draft Guidelines’ interpretation also captures technologies and basic technical operations which are not necessarily related to marketing or advertising purposes (…). It is therefore unclear how a consent requirement for non-intrusive technical operations which do not necessarily involve the processing of personal data would bring a better protection of privacy to the user. This also seems detrimental to the user’s online experience as they will be asked to engage with additional consent requests, likely exacerbating the so-called “consent fatigue”.
The Central Association of the German Advertising Industry (ZAW) noted that the EDPB’s interpretation of “gaining access” clashes with the German Datenschutzkonferenz’s interpretation of TTDSG, which focuses on whether information is actively requested from a terminal’s storage. The IAB pointed out, among other things, that the guidelines neglect technical considerations.
That said, the guidelines reflect the EU data protection authorities’ interpretation of the law but are not directly binding. How far the EDPB will succeed in enforcing them remains to be seen.
TTDSG requirements have a great impact on the way companies operate, including their choice of analytics vendor. For example, Google Analytics doesn’t comply with the German law. According to noyb, legislation such as the Cloud Act enables US authorities to view data collected by US-based companies on their worldwide servers, including data from EU citizens. The Austrian, French, Italian, and Dutch data protection authorities (DPAs) have taken the same position, ruling that using Google Analytics is incompatible with GDPR.
To discover further details about various DPA statements, read our article: Is Google Analytics (3 & 4) GDPR-compliant?
All this makes it incredibly challenging for Google to gain a foothold in Europe. As a result, the need for a privacy-friendly analytics platform is growing.
After the law came into force on December 1, 2021, many companies asked themselves how to collect anonymous data legally. Until now, they have mostly used fingerprinting or event-based methods that only guaranteed limited datasets. What’s more, most analytics vendors have advertised this method as “consent-free”. This might have worked under GDPR, but TTDSG states that consent is required for reading any information from an end user’s device.
In other words, neither the website nor any tool installed on it may read data from the device without consent. This includes:
- screen resolution
- browser configuration
- installed plugins
- system fonts
- and many others
Such data was used to generate the so-called fingerprint and to assign the performed events to each session. Because this information can lead to identifying the visitor indirectly, it is also classified as personal data.
There are two exceptions to this rule. Data may be stored on or read from the end user’s device if:
- The sole purpose of storing information, or accessing information already stored on the end user’s device, is to transmit communication over a public telecommunications network.
- The storage of information in the end user’s device or the access to information already stored in the end user’s device is necessary to provide a telemedia service requested by the user.
Consent forms, also known as cookie consent banners, are crucial when you want to collect accurate and complete data about your visitors’ behavior. TTDSG does not introduce any changes in this regard compared to GDPR.
However, German law clearly puts consent first in data collection. Each website needs to inform visitors about the fact of collecting data, whether it’s personal or not, and allow them to decline or accept such a request.
In short, to comply with TTDSG, you need to receive visitors’ consent to even store cookies or access their device data like screen resolution, browser plugins, and the like.
Companies should continue to seek consent in an informative, voluntary, unambiguous, and specific way.
Finally, legal requirements are crucial, but so is the design. Here are some examples of what well-designed cookie banners look like:
In this cookie consent banner, the company informs visitors directly about necessary cookies and asks for direct, voluntary, and unambiguous consent. The user must flip the switch and confirm the action by clicking ‘Save’.
This cookie consent banner is composed of two parts. The first part allows visitors to choose whether to accept or reject all cookies immediately. The second part contains ‘Advanced settings’ that let visitors agree on selected cookies and change or revise their decision. This banner meets all the necessary guidelines and allows accepting and rejecting cookies with a single click.
Many companies still do not have consent banners that comply with data protection regulations. They use dark patterns that make refusing consent much more difficult for visitors. They take various forms, such as pressure, operational coercion, obstacles, sneaking, and misdirection, that can cause people to make irrational decisions.
To learn more about dark patterns and the best ways to avoid them, read our article: When design goes awry – How dark patterns conflict with GDPR and CCPA
However, some companies still put non-compliant banners on their websites simply because they know little about the legal requirements. They either display only a simple cookie notice or use consent forms that clearly need optimization.
That’s why companies should choose a consent manager that could help them align with privacy regulations.
According to § 26 of TTDSG, the consent manager should provide user-friendly technical applications for obtaining consent. It should also allow visitors to manage consent, making it easy to change or revise their decision. All this should be done without neglecting data security.
To know more about cookie consent regulations across Europe, read our article: Everything you need to know about cookie consent in the EU
Piwik PRO Analytics Suite offers an integrated consent manager which doesn’t trigger tags unless visitors give their consent. It also allows you to share all consents with the entire marketing stack and work in accordance with data protection regulations.
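The two mechanisms described above, a consent manager that fires no tags until the visitor agrees, and the rule that device properties such as screen resolution or installed plugins must not be read without consent, can be shown together in a few lines of browser-side JavaScript. The following is an added example written for this article, not Piwik PRO’s consent manager; the names `createConsentGate`, `registerTag` and the `essential` option are invented here, and the `fakeDevice` object stands in for the browser’s `window` so the code also runs under Node.

```javascript
// Added example (not Piwik PRO's code): a minimal consent gate that queues
// marketing tags and blocks reads of device properties until the visitor consents.
// `deviceSource` stands in for the browser's window/navigator so the code also
// runs under Node; in a real page you would pass `window`.
function createConsentGate(deviceSource) {
  const state = { consented: false, queue: [], fired: [] };

  // Properties that TTDSG treats as reading from the terminal: screen size,
  // plugins, language. Returns null until consent exists, so no tag can build
  // a fingerprint before the banner has been answered.
  function readDeviceInfo() {
    if (!state.consented) return null;
    return {
      screen: `${deviceSource.screen.width}x${deviceSource.screen.height}`,
      plugins: Array.from(deviceSource.navigator.plugins || [], (p) => p.name),
      language: deviceSource.navigator.language,
    };
  }

  function fire(tag) {
    state.fired.push(tag.name);
    // Essential tags never receive device data: they exist only to deliver the
    // service the visitor asked for (the "necessary" exception in the article).
    tag.fn(tag.essential ? null : readDeviceInfo());
  }

  // Register a tag. Essential tags run at once; everything else waits for consent.
  function registerTag(name, fn, { essential = false } = {}) {
    const tag = { name, fn, essential };
    if (essential || state.consented) fire(tag);
    else state.queue.push(tag);
  }

  function grantConsent() {
    state.consented = true;
    state.queue.splice(0).forEach(fire);
  }

  // Withdrawal: later device reads return null again; fired tags are not re-run.
  function revokeConsent() {
    state.consented = false;
  }

  return {
    readDeviceInfo, registerTag, grantConsent, revokeConsent,
    firedTags: () => state.fired.slice(),
    pendingTags: () => state.queue.map((t) => t.name),
  };
}

// Constructed stand-in for window/navigator (not captured from a real browser).
const fakeDevice = {
  screen: { width: 1920, height: 1080 },
  navigator: { plugins: [{ name: 'PDF Viewer' }], language: 'de-DE' },
};

// Walk through the consent lifecycle and return what each stage observed.
function demo() {
  const gate = createConsentGate(fakeDevice);
  const received = [];
  gate.registerTag('cart-session', () => {}, { essential: true }); // needed for the requested service
  gate.registerTag('analytics', (info) => received.push(info));     // needs consent
  const beforeConsent = {
    fired: gate.firedTags(), pending: gate.pendingTags(), deviceRead: gate.readDeviceInfo(),
  };
  gate.grantConsent();
  const afterConsent = { fired: gate.firedTags(), pending: gate.pendingTags(), received };
  gate.revokeConsent();
  const afterRevoke = { deviceRead: gate.readDeviceInfo() };
  return { beforeConsent, afterConsent, afterRevoke };
}
```

The point of routing every device read through `readDeviceInfo` is that consent becomes a property of the gate, not of each individual tag: a tag author cannot read `screen` or `navigator.plugins` early by mistake, and withdrawing consent takes effect for all later reads at once.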
The consent exemption that the CNIL (France’s data protection authority) granted to Piwik PRO Analytics Suite proves that the platform meets the highest data privacy standards. The CNIL has added Piwik PRO to its list of analytics platforms that can be used without consent once certain settings are applied. This means that if you configure Piwik PRO correctly and limit the data collection, you don’t have to ask for users’ consent.
To learn more details about CNIL’s decision, read our article: CNIL’s consent exemption for Piwik PRO – What it means for you and the analytics data you collect
Piwik PRO Analytics Suite also offers an option for customers who want a solution that stitches the user session from the data available in the HTTP request alone, without accessing the end user’s terminal.
This solution is not perfect: many users may share the same HTTP request traits, in which case Piwik PRO bundles their clickstreams under a single visit.
Another possibility is to disable collecting end-user data that requires consent under TTDSG by simply pressing a switch. The rest happens by itself.
When deciding on the tracking setup, you should discuss your options with the privacy team. You can also choose other options, such as IP masking, anonymization, and consent, that may be bundled together with this TTDSG toggle.
In the end, we also recommend running your data protection impact assessment (DPIA), according to GDPR par. § 9 section 2.
As Europe is expanding its collection of new privacy regulations, such as TTDSG, Google Analytics and other US-based cloud services will have even more difficulties operating in Europe. At the same time, privacy-friendly analytics platforms are becoming more and more relevant as they allow companies to collect customer data and comply with applicable laws.
We hope that our article has cleared up some of your concerns about TTDSG-compliant customer data collection. In case of any more questions, you can contact us anytime.
We also encourage you to try Piwik PRO Core – the free version of Piwik PRO Analytics Suite.