What are the German Cookie Rules?

The German cookie law, which underwent a significant change on May 28, 2020, mandates that businesses cannot use marketing or nonessential cookies without obtaining the user’s consent. The collected consent and the information of the end users must meet the requirements of the General Data Protection Regulation (GDPR).
According to the Telecommunications-Telemedia-Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz or TTDSG), businesses are required to take technical and organizational precautions to ensure data protection and privacy. This includes implementing secure data processing systems and practices, regularly reviewing and updating these systems, and ensuring that employees are trained in data protection practices.

Who Do the German Cookie Rules Apply To?

The German cookie regulations are applicable to any entity operating a website accessible by German users. If you are using cookies not strictly necessary for the functioning of your website, you need to take some precautions. These cookies, often used for marketing or analytics purposes, require explicit user consent prior to activation.
Cookies that are necessary for the website to function correctly, or that enable users to put items in a shopping cart and proceed to the checkout, are exempt from these rules. However, cookies that improve the user experience on your website but are not necessary to complete a service the customer requested are subject to these rules.

Rules for Obtaining Consent and Data Processing

Processing personal data obtained through tracking technologies must comply with the general requirements of the General Data Protection Regulation (GDPR).
Cookies can be categorized technically as first-party cookies or third-party cookies. A first-party cookie is generated by the visited domain itself, while a third-party cookie is created by a different domain’s service. Regardless of their source, cookies may be classified legally as either technically necessary or not. Cookies considered technically necessary – for instance, those preserving language preferences – may be placed without user consent. However, it is imperative to inform users about the utilization of such cookies.

Fines for Non-Compliance

Non-compliance with the German cookie rules can result in severe penalties, including written warnings, fines and other financial penalties, deletion of data collected without consent, restrictions on data sharing with third parties, and even temporary or permanent bans on processing activities.
According to the General Data Protection Regulation (GDPR), fines can reach up to €20 million or 4% of the global annual turnover, whichever is higher. This includes violations related to the use of cookies.
In addition, under the Telecommunications-Telemedia-Data Protection Act (TTDSG), more easily enforceable fines of up to €300,000 can be imposed for not obtaining consent or insufficiently obtaining consent.
Compliance with the TTDSG is supervised by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Network Agency. These agencies have the authority to investigate potential violations of the law, impose penalties, and provide guidance to businesses on how to comply with the law.

How to Comply with the German Cookie Rules?

Under the German cookie rules, businesses must provide a clear notice to users at or before the point of data collection. This is typically facilitated through a Consent Management Platform, such as the one offered by Cookie Information or Personal Information Management Services (PIMS). These services can help businesses manage user consent in a way that complies with the law. They can also help users manage their own privacy settings, giving them more control over their personal data.
Businesses should have a cookie banner or other format to notify users of their use of cookies. This should include a few sentences explaining that they use cookies, why they use them, and how users can modify their cookie settings. The cookie banner or notice should be easy to understand and located on the landing page.
The cookie notice can also be a part of a website’s privacy policy. However, this is not sufficient to obtain consent for the use of cookies that are not strictly necessary for the functioning of the website. Consent must be obtained through a clear affirmative action, such as clicking a button to accept cookies, and users must be able to refuse the cookies that require consent without any adverse consequences like being denied access to certain parts of the website.
Furthermore, businesses must use blank checkboxes or similar tools to obtain consent. Pre-ticked boxes are not considered valid for obtaining consent, as they prevent individuals from deciding freely whether they want to accept cookies or not.
The TTDSG has specific provisions for the processing of personal data of minors. If your business collects data from individuals under the age of 18, you must take additional steps to protect this data and ensure that consent is appropriately obtained. This often involves obtaining consent from a parent or guardian.
Finally, businesses should publish a Cookie Policy. This is a legal document that sets out what cookies they use, why they use them, what happens to the data they collect, and how people can opt in to or opt out of cookies.