Data protection law on the use of cookies: TTDSG as cookie policy

Published on: June 22, 2021 | Categories: Legal, Tech & E-Commerce | Reading time: 6 min.
Christina Schröder writes about legal topics for the Love & Law blog at Recht 24/7.


Are you wondering why you are greeted by name when you visit an online store? Why you are increasingly shown advertisements for an item after researching it? The reason is cookies. On the Internet they are not served with tea, but they are part of almost every website. Nevertheless, they do not enjoy a good reputation and are generally regarded as a data protection risk.

That is why the legislator has acted: Since May 20, 2021, the Act on the Regulation of Data Protection and the Protection of Privacy in Telecommunications and Telemedia (TTDSG for short) has been in force, along with new regulations that are binding for almost all website operators and their services. You can find out exactly what is behind the law in this article. Also worth knowing: What are cookies anyway, and why do website visitors have to consent to their use?

What are cookies?

"Cookies" are small text files that are stored on your computer when you visit a website. Certain information (e.g. your preferred language) is stored in cookies. If you visit this page again later, your browser will transmit the stored cookie information. You will be recognized.

Cookies are divided into four categories:

  • Required cookies
  • Technical cookies
  • Tracking cookies
  • Marketing cookies

Required cookies: Required or essential cookies are particularly helpful and indispensable when surfing. They are used for functions that would not be technically feasible without cookies, for example logging into a customer account or using the shopping cart function.

Performance cookies: These technical cookies increase the usability of a website. They save settings so that users do not have to make them again and again. A typical use is a language switcher that retains the language once set, even when the website is visited again.

Tracking cookies: These cookies store how a user interacts with a website. How long do they stay? Which subpages are visited? Which content is particularly popular? The data collected is used to create movement profiles. They can be retrieved by the operator of a website using an analysis program such as Google Analytics.

Marketing cookies: They are used to display suitable advertisements to visitors. You have probably already searched for a new hand blender in an online store and now only see ads for hand blenders. Marketing cookies save your search query and forward this information to third-party providers.

Why is consent required for cookies?

Cookies collect sensitive data and may transmit it to companies and advertisers. Personal information includes, for example:

  • the IP address and e-mail address
  • the frequency and duration of internet visits
  • websites visited
  • recently viewed products
  • passwords

On May 20, 2021, the German Bundestag passed the TTDSG. This law also regulates the use of cookies. According to Section 25 TTDSG, third parties may only store information on a user's terminal equipment or access this information if the end user has been informed of this and has given their consent.

However, there are exceptions. Consent is not required in accordance with Section 25 (2) No. 1 TTDSG if the storage of or access to information only takes place in order to transmit a message. Consent is also not required if the storage of or access to the information is absolutely necessary in order to provide telemedia requested by the end user.

Cookies and data protection: Which websites need a cookie banner?

Since the EU General Data Protection Regulation (GDPR) came into force in 2018, the use of cookies on a website has required the express consent of the user. Consent - for example with a cookie banner - must be explicit, voluntary and informed. However, this does not apply to all types of cookies. The processing of personal data based on the legal basis of the operator's legitimate interest does not require consent.

Whether a cookie banner is necessary depends on which cookies are actually used. Technically necessary cookies (e.g. shopping cart cookies) do not require a cookie banner. The same applies to functional cookies that merely simplify the use of a website. The situation is different for cookies that store personal data. These always require a cookie banner. These include, for example, advertising, tracking and third-party cookies.

But what exactly should a cookie banner look like? Before the EU ePrivacy Directive (the so-called Cookie Directive) came into force in 2021, website visitors were only informed about the use of cookies via a small pop-up window. This is no longer sufficient today. A cookie banner must be detailed and comprehensive. It must contain a list of the individual cookies and give the user the option of selecting which cookies may or may not be used.

Our tip: Our web check will tell you whether your website needs a cookie banner and how you can make it legally compliant.

What is the difference between the ePrivacy Regulation, the GDPR and the TTDSG?

The terms "GDPR", "ePrivacy Regulation" and "TTDSG" are often used in relation to data protection. But what exactly do they mean?

The General Data Protection Regulation (GDPR for short) standardizes data protection in the EU. In particular, it regulates the protection of personal information, such as name, birth and contact details - but also information on political opinions and health. According to the GDPR, website operators are obliged to inform users about the collection and processing of personal data.

The European ePrivacy Regulation (EPR), on the other hand, specifies how companies may use this data in detail. It is primarily intended to protect personal data in electronic communications from data misuse. It supplements the GDPR and expands and specifies the regulations contained therein.

Both regulations are intended to standardize data protection regulations within the EU member states and protect the privacy of users. However, the EPR only applies to the online sector, while the GDPR also covers offline media. Important to know: Website operators must generally comply with both regulations.

What role does the TTDSG play? The purpose of the TTDSG is to eliminate the legal uncertainties resulting from the coexistence of the GDPR and the EPR. To this end, the data protection regulations of the GDPR and the EPR will be brought together in a new law. As a result, effective data protection and the protection of end users' privacy should be guaranteed. What is changing: Ensuring compliance with the obligation to obtain consent will in future be the responsibility of the Federal Data Protection Commissioner in accordance with Section 27 (2) TTDSG.

Bundestag adopts new TTDSG: The most important points in brief

The TTDSG is due to come into force on 01.12.2021. It combines the data protection regulations of the GDPR and special provisions of the EPR in a new law for the purpose of legal certainty.

According to Section 25 TTDSG, the use of cookies is only permitted with the consent of the end user. This does not apply to cookies that are absolutely necessary for the provision of the website and its functions. Important: No personal data may be transferred to the website operator or third parties without the user's consent.

Websites that use non-essential cookies (marketing or tracking cookies) must inform visitors about this. A simple info window is not enough. A cookie banner must list the cookie technologies used in detail. In addition, the user must have the option of rejecting individual cookies and revoking their settings at any time.
