Under the GDPR, informing website users about their personal data collection and obtaining user consent for cookies is a fundamental requirement. Germany, like many other European countries, also has specific requirements for obtaining user consent.
In Germany, besides the GDPR, Cookie Consent is regulated by:
- Telecommunications Telemedia Data Protection Act (TTDSG), published on 30 November 2022.
- Guidelines of the Data Protection Authority, the Datenschutzkonferenz (DSK), addressing Section 25 of the TTDSG; an updated version was published on 24 November 2022.
In this article, we will explore the Cookie Consent requirements in Germany and how to ensure compliance. It covers the use of cookies and similar trackers that can collect user information or track user activity (for example, spyware, web bugs, or hidden identifiers), except for strictly necessary cookies.
Scope of the Guidelines
When personal data is not involved, the TTDSG should be used as the main act. The updated TTDSG incorporates Article 5(3) of the e-Privacy Directive into national law and sets requirements for data controllers, including telecommunications service providers and telemedia service providers.
When personal data is also involved in the company’s activities, both the TTDSG and the GDPR should be used. The TTDSG regulates the collection and storage of the data in more detail, while the GDPR is more concerned with further data processing.
The DSK has clarified the need for the end user’s prior cookie consent and the storage of cookies and other tracking technologies in the user’s browsing devices.
This article combines the requirements mandated by both the above-mentioned regulatory laws and the GDPR.
Cookie Consent Requirements in Germany
Valid Cookie Consent must satisfy the following criteria. It must be:
- Informed. Users must be informed clearly about the types of cookies used, their purposes, the duration of cookie storage, and any third-party involvement.
- Specific. Consent must be specific to the purpose for which cookies are used. If there are multiple purposes, each of them should have separate consent requests. For example, separate consent is needed for analytics cookies, advertising cookies, functional cookies, etc.
- Easy to withdraw. Users must be able to withdraw their consent as easily as they gave it. Websites should provide clear instructions on how to do this.
- Prior Cookie Consent. Websites should ask for and obtain the user’s consent before placing any cookies on a device. It’s not allowed to set cookies without getting the user’s permission first.
Other Requirements for Cookie Consent and Cookies in Germany
With CookieScript, you can automatically scan your website for cookies and add them to your site’s list of cookies.
Pre-checked boxes for automatically accepting all cookie types are not allowed in Germany. Users must make an explicit selection of their cookie preferences, including the option to reject all cookies except for strictly necessary cookies.
Duration of consent
Consent for cookies in Germany has a limited duration. Users should be asked to renew their consent at reasonable intervals, such as every 6 to 12 months.
Special care should be taken when processing children’s personal data. When the child is below the age of 16 years, cookie consent is needed from parents or other authorized individuals.
Documentation of cookie consent
Websites should collect and store cookie consents and be able to produce them as proof of compliance with data protection regulations. The stored information should include when and how users gave their consent and the types of cookies.
Clear accept and reject choices
Use simple and straightforward language for consent options, such as “Agree” or “Accept.” Terms like “Okay” do not constitute valid consent, since they do not indicate an unambiguous action.
Present users with equal choices for giving or rejecting consent; otherwise the consent will be considered invalid. Both options should be easily visible on the Cookie Banner, without pressing any additional buttons.
Layered approach requirements
Consent banners can have multiple layers of information. The first layer must have basic information for accepting or rejecting cookies, while the second layer could provide detailed information. The second layer could be accessed by clicking on a button or link in the first layer of the banner.
If the first layer has a consent button, it must provide specific details about cookies and the reasons for data collection. The consent wouldn’t be considered valid if detailed cookie information and separate consent choices were provided only in the second layer.
The first layer should allow both accepting and rejecting cookies easily.
Cookie consent by scrolling or by continued browsing
Under German law, scrolling is not a valid indication of affirmative cookie consent. As with consent on scroll, continuing to scroll a webpage is also not recognized as valid consent.
Use of Third-Party Cookies
The German guidelines do not set requirements for identifying third parties. However, if third parties have the ability to access users’ personal data, this information must be disclosed. In addition, if users have configured their devices to protect their personal data, for example by using the “Do Not Track” feature, websites should respect that choice; using any technical settings to bypass it is not allowed.
Freedom to withdraw consent
The use of cookie walls is commonly not allowed. Consent obtained in this way is not freely given. However, it’s acceptable if the Cookie Banner provides a “Reject cookies” option that closes the Cookie Banner and allows users to continue navigating the website.
So-called “paywalls”, which grant access to the website without requiring cookie consent but for a fee, are allowed. Nevertheless, users should be provided with clear information about the cookies and the collection of their personal information.
Cross-border data transfers
Special care must be taken when using any cookies or other tracking technologies that provide information for international data transfers. Entities using cross-border data transfers should inform users about them, get consent for them, and use adequate data protection techniques while transferring data.
Consequences of Non-Compliance
Failure to comply with cookie consent requirements in Germany can result in significant fines. The exact amount of money depends on the severity of the violation, but under the GDPR, fines can reach up to €20 million or 4% of the company's global annual revenue, whichever is higher.
How to Get Cookie Consent?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them.
Our Cookie Scanner scans your website for cookies and other tracking technologies and provides a detailed scan report including details about your website’s cookies with their provider, duration, and third parties if any.
It can also help you comply with the EU-US Data Privacy Framework for international data transfers.
Frequently Asked Questions
Is cookie consent by scrolling allowed under German law?
Are pre-checked boxes on a Cookie Banner allowed under German law?
What are the requirements for user consent in Germany?
According to the TTDSG and DSK, valid cookie consent must be informed, freely given, specific, granular, easy to withdraw, and obtained prior to placing any cookies on a device. With CookieScript, you can easily create a cookie banner to obtain valid cookie consent that complies with German privacy laws.
What are cookie banner requirements under German law?
A valid cookie banner should include clear and easily understandable information about the types of cookies used and their purposes. It must offer a granular option for selecting types of cookies and should not obscure the main content of the website. With CookieScript, you can easily create a valid, fully customizable, and configurable cookie banner that complies with German privacy laws.
Are cookie walls allowed under German law?
How to get valid cookie consent in Germany?
The most common approach to obtaining cookie consent is to use a cookie banner: a pop-up notification providing information about cookies and asking the user whether they consent to them. CookieScript Consent Management Platform is an optimal solution for creating a valid cookie banner and being compliant with the GDPR, TTDSG, and DSK guidelines.