On May 20, 2021, the new Telecommunications and Telemedia Data Protection Act (TTDSG) was passed. It will come into force as of December 1, 2021. An important part of this law concerns the new regulation on the use of cookies, which has been set out in section 25.

What is new and must be observed in the future?

In order to protect the privacy of users of terminal equipment, cookies can in principle only be used in future with prior consent. The respective user must be clearly and comprehensively informed of this in advance.

Exceptions to this rule apply mainly to technically necessary cookies. These exceptions include:

Cookies that are necessary to ensure the performance of data transmission in a public telecommunications network.
Cookies that are necessary to transmit data for a telemedia service to which the user has already consented.

This is to ensure that tracking or advertising cookies may only be used after the end user has been informed and consented in advance.

High fines threaten in case of irregular behavior

Storing information in the form of cookies without information and consent is an administrative offense. It is irrelevant whether the action is intentional or negligent. Depending on the scope and severity of the offense, there are fines in different amounts in the scales:

  • Up to Euro 10,000
  • Up to Euro 50.000
  • Up to Euro 100.000
  • Up to Euro 300.000

The new law additionally stipulates that the end user’s browser must comply with the settings he or she has made regarding the use of cookies.

What are the requirements for cookie consent management services?

The legislator places high demands on cookie consent administrators:

  • User-friendly and competition-compliant procedures
  • Technical requirements for obtaining and managing consent
  • No commercial self-interest in data collection
  • Independence from commercial companies
  • No further use of stored data
  • Security concept with regard to all data protection requirements
  • High quality standards with regard to reliability

Exact specifications for consent management services will still be defined in a legal ordinance until the law comes into force on December 1, 2021.

Subscribe to our newsletter

and stay always updated on data protection.