17 September 2024

Consent Management Ordinance – What It Means For Cookie Banners

Luther S.A.

Contributor

Leading business law firm Luther was established in Luxembourg in 2010. The firm’s multilingual professionals advise domestic and international clients across numerous practice areas, particularly Corporate/M&A, Banking and Finance, Dispute Resolution, Investment Management, Employment, and Real Estate. Our clients, ranging from multinational corporations, investment funds, financial institutions to private equity firms, have placed their trust in our interdisciplinary legal advice that aims to hit the mark. Luther employs over 420 lawyers and tax advisors and is present in ten German economic centers and has ten international offices in European and Asian financial centers.

The Consent Management Ordinance pursuant to Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG)[1] (the Ordinance) was adopted by the Federal Government on September 4, 2024. The Ordinance aims to provide an alternative for cookie banners and management of consent. OneTrust DataGuidance Research provides an overview of the Ordinance with expert insights by Dr. Christian Rabe, Senior Associate at Luther Rechtsanwaltsgesellschaft mbH, and Dr. Christoph Werkmeister, Partner at Freshfields Bruckhaus Deringer LLP.

Background to the Ordinance

Section 25 of the TDDDG requires organizations to obtain prior consent, meeting the requirements of the General Data Protection Regulation (GDPR), before storing information in the end user's terminal equipment or accessing information already stored there. Such storage and access is usually done using cookies or similar technologies, and consent is generally obtained via cookie banners.

However, Section 26 of the TDDDG states that consent management services, for obtaining consent under Section 25 of the TDDDG, may be recognized by an independent body in accordance with a legal regulation as issued by the Federal Government with the consent of the German Parliament (Bundestag) and the German Legislature (Bundesrat). The Ordinance was adopted by the Federal Government in exercising this authorization under the TDDDG.

Dr Rabe provides further insights into the Ordinance, highlighting that:

''Consent management services (also referred to as personal information management services) can replace manually granted consent to the use of cookies. With these services, users can specify which cookies they consent to and object to. Before a telemedia service provider requests the user's consent to the use of cookies when accessing its website, it can submit a request to the consent management services and check whether the respective user has already made default settings with a consent management service and adopt them.

The Ordinance is intended to regulate the legal framework for consent management services. With these systems, users of telemedia should be able to centrally grant, reject, and manage consent to the storage of and access to information on their end devices. Consent management systems were already being discussed during the political debate on the TDDDG in 2021. However, at the end of the 19th legislative period, only some framework conditions were regulated in Section 26(1) of the TDDDG. An authorization to issue an ordinance was included in Section 26(2) of the TDDDG for more detailed formulation.''

Scope of application

Specifically, the Ordinance regulates:

  • the obligations of a recognized consent management service provider;
  • the process of recognition of a consent management service; and
  • the technical obligations of digital services and retrieval and display software providers.

In terms of obligations under the GDPR, Dr Rabe advises that ''it is important to remember that the provider of digital services (e.g., the owner of a website making use of cookies or similar technologies within the scope of Section 25 of the TDDDG) remains responsible for fulfilling the information obligations and for complying with the requirements for the effectiveness of consent in accordance with the GDPR.''

Definitions

The Ordinance defines a 'consent management service' as an information technology application or a digital service that enables end users to manage their preferences. The Ordinance clarifies that 'management' includes storing, transmitting, and revoking end users' preferences. A 'recognized consent management service', on the other hand, is one that is recognized by the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the competent authority under the Ordinance.

Further, the Ordinance explains that 'retrieval and display software' means software used for retrieving and displaying information from the internet, including all programs and applications through which content from the internet is retrieved and displayed and which are not 'digital services' as defined under the Digital Services Act (DSA).

'End user settings' means the end user's decision to grant or not grant consent under Section 25(1) of the TDDDG to providers of digital services or third parties who wish to store information in their terminal equipment or access information already stored there.

What are the key requirements that companies should be aware of?

Dr Werkmeister notes that ''the Ordinance opens the door for an alternative to obtain consent in the online world. Under the Ordinance, companies can switch from conventional cookie banners to consent management services, but if they do so, they must implement certain technical and organizational measures, co-operate with consent management service providers, and provide specific information to end users.''

Dr Rabe clarifies that ''there are no mandatory implementation requirements since the integration of recognized consent management systems is voluntary. The Ordinance provides a framework for effective, user-friendly, and competition-compliant consent management through the integration of recognized consent management services. Insofar as providers of digital services (formerly known as telemedia providers) voluntarily decide to integrate the consent management services recognized by the BfDI, this can replace the costs for the existing consent management when consent is obtained.''

How can a consent management service provider be recognized?

To be recognized by the BfDI, a consent management service must meet the requirements of Part 2 of the Ordinance (detailed in the subsequent section) and submit a security concept.

Additionally, the consent management service provider must submit an application to the BfDI containing:

  • a declaration that it will not process the personal data of end users and the end users' settings for any purposes other than consent management; and
  • information on completed or ongoing investigations, statements, and orders of the competent data protection supervisory authorities, if any have been issued.

The BfDI will maintain a public record of all recognized consent management services.

Contents of the application

The consent management service provider's application must be submitted electronically and must include a documented description of the service that enables the BfDI to verify that it meets the requirements of Part 2 of the Ordinance, including:

  • the name, legal status, and the principal place of establishment in the EU;
  • telephone, email, or other online contact details, provided that the means of communication allows the end user to store the details of their correspondence, including the date and time, on a durable medium;
  • information on the electronic retrievability of information; and
  • information on the economic and organizational structure, including information showing that:
    • it has no economic self-interest in the consent of end users or in the managed data; and
    • it is legally and organizationally independent of companies that may have such an interest.

Where the consent management service provider uses a processor as defined under the GDPR, the application must also include the above information for that processor.

The BfDI may publish a template for the application.

Security concept

The TDDDG also requires consent management service providers to present a security concept that allows an assessment of the quality and reliability of the service and its technical applications, and that shows that the service meets, both technically and organizationally, the legal requirements for data protection and data security under the GDPR. Under the Ordinance, the security concept must cover:

  • the security of the personal data and end users' settings managed by the consent management service;
  • the storage location of personal data and end users' settings; and
  • the technical and organizational measures that ensure:
    • that the personal data and end users' settings are processed solely for the purposes of the consent management service;
    • that the personal data are protected from unauthorized access;
    • the availability and accessibility of the personal data; and
    • that risks to the integrity, confidentiality, and availability of the service are identified and minimized as far as possible.

Continuity of recognition

The BfDI may revoke the recognition of a consent management service provider if it becomes aware that the conditions for recognition are no longer met. Consent management service providers are required to annually check whether the requirements under Part 2 of the Ordinance are still met and whether the facts on which the information was based when the application was submitted have changed. Changes relating to the requirements and updates to facts under the application must be reported electronically to the BfDI without delay.

Obligations of recognized consent management services

General requirements

The primary responsibility of a recognized consent management service is to store the end user's settings when the end user uses a digital service for the first time, or when the digital service provider requests a consent under the TDDDG that the recognized consent management service does not yet manage. Each time the end user accesses the digital service, the recognized consent management service sends the end user's settings to the digital service provider.

The recognized consent management service may only manage end user settings where the digital service provider has informed the end user and obtained their consent.

How can organizations ensure user-friendly consent management?

According to the Ordinance, a user-friendly consent management procedure entails:

  • a transparent and easily understandable user interface, allowing free and informed decision-making; and
  • the ability of the end-user to access, revoke, or amend their settings at any time.

A request that the end user review their settings may not be made until one year has passed, unless the end user has changed the setting in the meantime.

The explanatory notes to the Ordinance clarify that 'user-friendly' means that end users' consent must not be steered by design elements that influence user behavior. This excludes manipulative designs or processes intended to push end users towards a particular action. Designs must guarantee the principles of digital accessibility, i.e., perceptibility, operability, and comprehensibility, which includes sufficient color contrast and keyboard usability. Existing legal obligations under federal and state disability equality laws and the Accessibility Improvement Act also apply to recognized consent management services.

Dr Werkmeister adds that ''the Government understands the transition from traditional cookie banners to consent management services already as a step towards greater user-friendliness. A choice between the two options for obtaining consent would likely be more user-friendly than what we currently have.''

Technologies and configurations

The Ordinance specifies that the technology configurations of the recognized consent management service must ensure interaction with the providers of digital services. This includes:

  • ensuring that the digital services and the retrieval and display software can identify that the end user is using the consent management service and that such service is recognized by the BfDI; and
  • sending consent requests in accordance with the TDDDG and checking whether end user consents are being managed.

End user rights

The Ordinance details that end users have the following rights:

  • portability: the right to export their end user settings, together with the information provided at the time they were made, in a common machine-readable format. The recognized consent management service must carry out the transfer free of charge if it is made to another recognized consent management service; and
  • the right to switch to another recognized consent management service.

Technical obligations of digital services and retrieval and display software providers

The Ordinance imposes different technical requirements on digital services and on retrieval and display software providers. However, both, where they integrate a recognized consent management service, must remain neutral: they may not, without objective reason, encourage end users to use or to exclude particular recognized consent management services.

Digital services

Informing end users

For recognized consent management services to save user settings, the following information must be provided to the end users by the digital services:

  • the provider(s) of digital services or third parties who store information in the end user's terminal equipment or who can access information already stored there;
  • the specific information to be stored and/or accessed in the end user's terminal equipment;
  • the purposes for which the information is stored and/or accessed in the end user's terminal equipment;
  • the retention period for storing and accessing information in the end user's terminal equipment; and
  • the right to revoke the consent at any time and that the legality of the access and storage carried out on the basis of the consent is not affected by the revocation.

Measures to be taken for integration with recognized consent management services

While the integration of a recognized consent management service is voluntary, a digital service that opts for it must implement state-of-the-art technical and organizational measures that ensure the following, as Dr Werkmeister explains:

  • ''the integration of a recognized service for consent management by the end user is taken into account when their digital service is called up; and
  • it is checked whether the end user's settings for the requested consents of the provider of digital services are managed by the recognized service for consent management.

Additionally, the providers of digital services that integrate a recognized consent management service must:

  • make it possible that the consent they request in accordance with the TDDDG and the end users' settings made for this purpose can be stored by the integrated recognized consent management service;
  • inform end users in a visible and appropriate place that the digital service offered integrates recognized consent management services and takes into account the end users' settings managed there;
  • cooperate with the recognized consent management service to implement the requirements of Section 7 of the Ordinance; and
  • provide the recognized consent management service with the information required under Articles 7, and 12 to 14 of the GDPR in a machine-readable format.

Companies must note that the German data protection supervisory authorities are critical of dark patterns and excessive nudging, both of which can lead to the invalidity of consent.''

How is the ordinance expected to impact companies' cookie policies? Will companies need to update their consent management program?

Dr Werkmeister provides that ''companies can keep their cookie policies. Even if a company voluntarily uses consent management services, cookie policies do not inherently need an update.''

Dr Rabe added that ''the Ordinance has no direct impact on the business activities of a company that falls within the scope of Section 25 of the TDDDG. If a company has previously obtained effective consent that meets the requirements of the TDDDG and the GDPR, then the Ordinance has no significance for these companies.''

Dr Rabe clarified that ''as the integration of recognized consent management services is voluntary, companies are not obliged to change their cookie management tools as long as these tools comply with the requirements of Section 25 of the TDDDG and the GDPR. It is at the discretion of the companies whether they use their own tools to ensure effective consent or use a recognized consent management service in the future.''

Providers of retrieval and display software

Dr Rabe points to the provisions of the Ordinance stating that ''as regards manufacturers and providers of retrieval and display software (e.g., internet browsers), these companies shall, within the scope of technical possibilities, take technical and organizational measures to ensure that:

  • the retrieval and display software takes into account the integration of recognized services for consent management by end users; and
  • a signal stored via the recognized service for consent management or via the provider of digital services and the settings of the end users are neither suppressed, delayed, decrypted, nor changed in any other way.''

What is the impact of the Ordinance?

How should the transition from consent banners look for organizations?

Dr Werkmeister reflected that ''according to the German Government, end users may be given the choice between 'classic' cookie banners and 'new' consent management services. Nevertheless, such right to choose is only stated in the explanatory memorandum and is not reflected in the Ordinance itself.

[...] [T]here is currently little incentive for companies to switch from traditional cookie banners to consent management services. This is not least because legal challenges are not reduced (e.g., requirements for effective consent remain the same, and even when using a consent management service, a company must still be able to demonstrate that consent has been validly given).''

In terms of the overall impact of the Ordinance, Dr Rabe provided that:

''The German Retail Association (hde) welcomed the fact that a telemedia provider can decide for itself whether to integrate a consent management service. In a statement, the hde stated it doubts that the Ordinance can achieve the goal of reducing cookie banners at all. Since consent under Section 25 of the TDDDG only relates to access to the end device and the further processing of the data must be measured against the GDPR, consent would also have to cover further processing. However, this is not covered by the power to issue regulations under Section 26 of the TDDDG.

The German Federation of Consumer Organizations (vzbv) finds it particularly problematic that providers of digital services do not have to accept users' decisions made via consent management services. If users do not give their consent, providers can ask for consent again as often as they like. This is unacceptable, contradicts the requirements of the GDPR and removes the incentive for consumers to use consent management services. In this respect, the vzbv believes that the Ordinance will not have a positive effect.

[...] Consent management services are hardly widespread to date, it is still a relatively new technology, which is not yet established on the market. The Ordinance will not change this. It remains to be seen to what extent such consent management services will undergo the envisaged recognition procedure in the future.

The introduction of consent management service is seen as a major challenge. The GDPR is not designed for the use of general consent. Consent management services prove to be unsuitable for the practically relevant case where consent is to apply to a large number of third parties who are not yet known at the time of presetting and are not otherwise specified. Therefore, the literature on data protection law emphasizes that the effectiveness of consent given via consent management service can be doubtful in individual cases. Furthermore, the responsibility under data protection law for ineffective consent does not lie with the consent management service provider, but with the controller, who in turn neither knows nor needs to know the circumstances under which the consent management service operator obtains consent.

As a result, I do not expect consent management services to become established in Germany.''

Enforcement and next steps

Dr Rabe noted that ''The Ordinance will enter into force on the first day of the quarter following its promulgation.''

According to Dr Werkmeister, ''the approval of Bundestag and Bundesrat for the Ordinance is still pending. Enforcement of the Ordinance is subject to the TDDDG (e.g., imposition of fines if consent is not valid). Additionally, as only recognized consent management services may operate under the Ordinance, it remains to be seen whether players on the market will submit their applications to the BfDI.''

Madhura Sakharam Bhandarkar, Privacy Analyst
madhura.bhandarkar@onetrust.com

With comments provided by:

Dr. Christoph Werkmeister, Partner
christoph.werkmeister@freshfields.com
Freshfields Bruckhaus Deringer LLP, Düsseldorf

Dr. Christian Rabe, Senior Associate
christian.rabe@luther-lawfirm.com
Luther Rechtsanwaltsgesellschaft mbH, Hamburg

Footnote

[1] The Ordinance (only available in German): https://bmdv.bund.de/SharedDocs/DE/Anlage/K/veordnung-nach-26-absatz-2-tdddg-und-zur-aenderung-der-besonderen-gebuehrenverordnung-telekommunikation.pdf?__blob=publicationFile

Originally Published by DataGuidance.com
