Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) came into effect in December 2021. It applies to all companies that do business in Germany, even organizations located outside the country.
The regulation merges the data protection regulations in telemedia and telecommunications, previously scattered across various German laws. Among other things, TTDSG regulates confidentiality and privacy protection when using internet-ready terminal infrastructures such as websites, messenger services, or smart home devices. The law also modifies the legal framework for using cookies and similar technologies. It implements the requirements featured in the ePrivacy directive and is enforced in addition to the General Data Protection Regulation (GDPR).
If your company processes the data in Germany, you need to make sure your data collection satisfies the requirements of the law.
Our article will show you how to make your marketing stack TTDSG-compliant. You’ll also discover a simple method for collecting anonymous data under German regulation.
TTDSG is a local implementation of ePrivacy directive and a GDPR supplementation for the German market in the area of telemedia.
Following the ePrivacy directive, TTDSG applies to both personal and non-personal data. If no personal data is processed then only TTDSG applies. If both personal and non-personal data is processed, then both TTDSG and GDPR apply. The new German regulation also clarifies all organizational and technical security requirements for companies that transfer data between countries.
TTDSG requirements have a great impact on the way that companies operate, including their choice of analytics vendor. For example, Google Analytics doesn’t comply with the German law. According to noyb, legislation such as the Cloud Act enables US authorities to view data collected by US-based companies on their worldwide servers, including data from EU citizens. The Austrian, French, Italian, and Dutch data protection authorities (DPA) also follow this statement, ruling that using Google Analytics is incompatible with GDPR.
To discover further details about various DPA statements, read our article: Is Google Analytics (3 & 4) GDPR-compliant?
All this makes it incredibly challenging for Google to gain a foothold in Europe. As a result, the need for a privacy-friendly analytics platform is growing.
After the law came into force on December 1, 2021, many companies asked themselves how to collect anonymous data legally. Until now, they mostly have used fingerprinting or event-based methods that only guaranteed limited datasets. What’s more, most analytics vendors have advertised this method as “consent-free”. This might have worked under GDPR, but TTSDG states that consent is required for reading any information from an end-user’s device.
That being said, the website or any tool installed on that website cannot read data from the device without consent. This includes:
- screen resolution
- browser configuration
- installed plugins
- system fonts
- and many others
Such data was used to generate the so-called fingerprint and to assign the performed events to each session. This information could lead to identifying the visitor indirectly – thus, it is also classified as personal data.
There are two exceptions to this rule. The data can be stored in the end user’s device if:
- The sole purpose of storing information or accessing information already stored in the end user’s device is to transmit communication over a public telecommunications network
- The storage of information in the end user’s device or the access to information already stored in the end user’s device is necessary to provide a telemedia service requested by the user.
Consent forms, also known as cookie consent banners, are crucial when you want to collect accurate and complete data about your visitors’ behavior. TTDSG does not introduce any changes in this regard compared to GDPR.
However, German law clearly puts consent first in data collection. Each website needs to inform visitors about the fact of collecting data, whether it’s personal or not, and allow them to decline or accept such a request.
In short, to comply with TTDSG, you need to receive visitors’ consent to even store cookies or access their device data like screen resolution, browser plugins, and the like.
Companies should continue to seek consent in an informative, voluntary, unambiguous, and specific way.
Finally, legal requirements are crucial, but so is the design. Here are some examples of how well-designed cookie banners should look like:
In this cookie consent banner, the company informs visitors directly about necessary cookies and asks for direct, voluntary, and unambiguous consent. The user must flip the switch and confirm the action by clicking ‘Save’.
This cookie consent banner is composed of two parts. The first part allows visitors to choose whether to accept or reject all cookies immediately. The second part contains ‘Advanced settings’ that let visitors agree on selected cookies and change or revise their decision. This banner meets all the necessary guidelines and allows accepting and rejecting cookies with a single click.
Many companies still do not have consent banners that comply with data protection regulations. They use dark patterns that make refusing consent much more difficult for visitors. They take various forms, such as pressure, operational coercion, obstacles, sneaking, and misdirection, that can cause people to make irrational decisions.
To learn more about dark patterns and the best ways to avoid them, read our article: When design goes awry – How dark patterns conflict with GDPR and CCPA
However, some companies still put non-compliant banners on their website simply because they have little knowledge about legal requirements. Either they display a simple cookie banner or forms that definitely need optimization.
That’s why companies should choose a consent manager that could help them align with privacy regulations.
According to § 26 of TTDSG, the consent manager should provide user-friendly technical applications for obtaining consent. It should also allow visitors to manage consent, making it easy to change or revise their decision. All this should be done without neglecting data security.
To know more about cookie consent regulations across Europe, read our article: Everything you need to know about cookie consent in the EU
Piwik PRO Analytics Suite offers an integrated consent manager which doesn’t trigger tags unless visitors give their consent. It also allows you to share all consents with the entire marketing stack and work in accordance with data protection regulations.
The CNIL’s (France’s Data Protection Authority) consent exemption for Piwik PRO Analytics Suite proves that the platform meets the highest data privacy standards. The French data protection authority has added Piwik PRO to its list of analytics platforms that can be used without consent once the user chooses certain settings. It means that if you configure Piwik PRO correctly and limit the data collection, you don’t have to ask for users’ consent.
To learn more details about CNIL’s decision, read our article: CNIL’s consent exemption for Piwik PRO – What it means for you and the analytics data you collect
Piwik PRO Analytics Suite came up with an option for customers who want a solution that stitches the user session based on the data available within the HTTP request without accessing the end-user terminal.
This solution is not perfect, as many users may share the same traits of the HTTP request. As a result, Piwik PRO bundles their clickstream under a single visit.
Another possibility is to disable collecting end-user data that requires consent under TTDSG by simply pressing a switch. The rest happens by itself.
When deciding on the tracking setup, you should discuss your options with the privacy team. You can also choose other options, such as IP masking, anonymization, and consent, that may be bundled together with this TTDSG toggle.
In the end, we also recommend running your data protection impact assessment (DPIA), according to GDPR par. § 9 section 2.
As Europe is expanding its collection of new privacy regulations, such as TTDSG, Google Analytics and other US-based cloud services will have even more difficulties operating in Europe. At the same time, privacy-friendly analytics platforms are becoming more and more relevant as they allow companies to collect customer data and comply with applicable laws.
We hope that our article has cleared up some of your concerns about TTDS-compliant customer data collection. In case of any more questions, you can contact us anytime.
We also encourage you to try Piwik PRO Core – the free version of Piwik PRO Analytics Suite.