Organizations tracking German users need to understand TTDSG requirements. This law imposes stricter requirements than GDPR alone and has been the basis for enforcement actions against companies that assumed GDPR compliance was sufficient.
The German Telecommunications and Telemedia Data Protection Act (TTDSG), or Telekommunikation-Telemedien-Datenschutzgesetz, was adopted by the German Federal Cabinet and entered force on December 1, 2021. The TTDSG became the TDDDG on May 13, 2024, when it was renamed the Telecommunications Digital Services Data Protection Act to harmonize German law with the European Digital Services Act (DSA).
The law merges the data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG) into one coherent framework.
Scope of application
The TTDSG applies not only to providers of number-based telecommunications services (traditional telephone services) but also to providers of number-independent services – so-called over-the-top services including webmail, messaging apps, and internet calling services.
The TTDSG also applies to telemedia service providers. Telemedia refers to electronic information and communication services, excluding telecommunications or telecommunications-based services and broadcasting. This includes websites and other online offers of goods and services, video-on-demand platforms, and advertising emails.
The geographical scope of application corresponds to GDPR: if you’re targeting users in Germany, TTDSG applies regardless of where your company is located.
Consent requirements
TTDSG imposes specific requirements for obtaining consent before storing or accessing information on users’ devices. This directly affects how you implement cookies, tracking pixels, and other technologies.
The key difference from GDPR alone: TTDSG provides more explicit guidance on what requires consent, making it harder to argue that certain tracking cookies qualify as “legitimate interest” without user permission. German data protection authorities have used TTDSG as the basis for requiring explicit opt-in consent for analytics cookies, even when those cookies don’t directly identify individuals.
Practical implications:
- Your consent management platform needs to be configured for TTDSG compliance specifically, not just GDPR
- Consent banners targeting German users should not pre-check boxes or use dark patterns that nudge toward acceptance
- You need documentation showing how you handle German users differently if your consent implementation varies by jurisdiction
German authorities have shown they’re willing to enforce these requirements, particularly against high-profile websites with significant German traffic.
You may also like:
