The General Data Protection Regulation (GDPR) currently leaves no way out: website operators must ask their visitors for permission before they place tracking or analysis cookies on their computers. This consent must be informed, which is why almost every advertising-supported website uses pop-up banners that contain a lot of text. And many banners use design tricks to nudge users to say “yes.”
Paragraph 26 of the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force in December 2021, provides for a special German approach that is intended to make annoying banners superfluous: users store their cookie preferences centrally in “recognized services for consent management”. Websites then no longer ask the user directly, but obtain consent or rejection from the service. We have summarized the most important information for you.
The Federal Ministry for Digital Affairs and Transport (BMDV), led by Volker Wissing (FDP), has now drawn up a draft regulation that is intended to define the legal framework for consent services required under the TTDSG. According to the draft text, users can “give general consent sorted by category for specific access to terminal equipment and groups of telemedia providers”. The services must explain and inform well, and they should not influence the user with default settings.
The BMDV believes that the draft has struck the “right balance” between the interests of users and commercial providers. There is “no right to free content,” the ministry said. This premise is reflected in the draft: users may generally refuse the setting of cookies in the external consent service. In that case, however, the draft regulation allows providers to use pre-banners to tell users that they need tracking cookies in order to fund the site through advertising. They may also refer to a “paid alternative offer” (the so-called “pure subscriptions” on media websites) or ask the user “to change their default settings in the consent management service”.
The draft leaves open how websites should query user preferences from the consent service. In the justification for the text, which is available to c’t, the BMDV speaks of a “technology-neutral” approach. For example, the browser can send an HTTP request that contains the additional information that the end user is using a consent management service.
The BMDV also wants to leave it to the market how the services themselves work. They must have “no economic self-interest” in users giving as many consents as possible. But they are allowed to act commercially and also charge money for their services. They must present a security concept and then have it checked and certified by the Federal Data Protection Authority.
The BMDV sent the first draft to business associations at the end of August with a request for comments. It has not yet been coordinated with other federal ministries. Many changes will follow before it ends up in the Bundestag, and months will pass. Should the Bundestag wave the ordinance through, the EU must use the so-called notification procedure to check whether the text conforms to European law.
There are already doubts about that. In a first statement, the Federal Association of the Digital Economy (BVDW) criticized “technical errors” in the text and complained that the “current European legal framework was not sufficiently appreciated”. The legislature has “increasingly worked towards it in recent years” to force consent as the legal basis for data processing, and now it wants to “virtually prohibit obtaining it”. “From the point of view of the data economy and especially from the point of view of the informational self-determination of the users, this is not the big hit, but a big step backwards.”
The BMDV presented its draft at a time when the EU is in the process of re-regulating cookie specifications and consent requirements anyway: In Brussels, the Council, EU Parliament and Commission are currently working on a compromise on the e-privacy regulation. Because this EU regulation will take precedence over German law, the German statutory regulation could be obsolete again in two to three years, depending on the outcome of the negotiations.