TTDSG + official letter
Our roadmap had actually planned a different topic for this month, but due to the large number of feedback from customers, we changed our mind at short notice and focused this month on the upcoming changes and clarifications of the German TTDSG. Furthermore, various customers have received questionnaires from data protection authorities, so that we have also implemented more features here that will help our customers to meet the requirements of the authorities more easily (see below for details).
TTDSG: Start on 01.12.2021
The TTDSG is Germany’s answer to the ePrivacy Regulation, which has now finally been implemented into German law. This means that it is now also clearly regulated in Germany that non-essential cookies always require consent and cookie banners are therefore mandatory . Since the TTDSG will come into force on December 1st, 2021, and the authorities are already carrying out initial checks on the basis of the ePrivacy Regulation (see below), it is advisable to question the existing cookie banner again and, if necessary, make design or make logic adjustments.
authority check
As early as May, the data protection authorities of several countries carried out a coordinated review of major websites. The websites concerned had to fill out extensive questionnaires and submit declarations on data protection. Various customers of consentmanager were also among them. The authorities have now mostly evaluated the answers and directed various points of criticism at the affected websites. We took these points as an opportunity and installed various features in the consentmanager to make it easier for our customers to comply with the legal requirements.
The letter from the authorities gives a relatively clear picture of “what works” and “what doesn’t work”. We have summarized the most important points for you here:
- Easy decline
The authorities have once again made it clear that refusing must be as easy as agreeing. There must therefore be an equivalent reject button on the first layer. Hiding the opt out in the text or just a submit button is not compliant.
Recommendation: Make sure your design has two equivalent accept and reject buttons. - Legitimate Interests
It was also underlined that the legal basis “legitimate interest” may only be used for really essential functions. In any case, marketing, analysis and social media are not essential. But this also applies to external fonts, tag managers or chat tools.
Recommendation: Only designate providers as “functional” / “essential” without which your website will not work. All other providers should always be blocked by default and only activated after approval. - descriptions
In many cases, the authorities have criticized the descriptions of the websites. For example, it is required that purposes are explained clearly and unambiguously (just “marketing” is not enough). Furthermore, the number of providers must be specified on the first layer.
Recommendation: Store a descriptive text for all purposes and providers and use the macro[vendorcount] in the text to insert the provider number. - Non-EU data transfer
The authorities also consider the reference to data transfer outside the EU to be important. If a provider is located or processes data in non-EU countries, a corresponding note should be attached.
Recommendation: Check your provider list and expand the text on the first layer if necessary. We also have under menu> CMP’s> To edit> Appearance created the possibility in the second layer (advanced settings) to display the list of providers for which data transfer is ticked. under menu> Offerer> You can edit whether each provider implements a data transfer abroad. - Short list of providers
In many cases there was criticism from the authorities that the lists of providers were too long. The background here is in particular the question of whether consent can be legal if the visitor can no longer have a meaningful overview of the list of providers.
Recommendation: Sort out providers and shorten the list of providers to the essentials. A provider list with more than 50 or even more than 100 providers will most likely be considered non-compliant. - IAB TCF standard
The authorities have found the IAB TCF standard to be critical. Various authorities have assessed parts of the standard as possibly not legally compliant and have expressed various concerns. For example, the purposes were criticized as too coarse-grained or the interaction between purposes, special purposes, features and special features as too incomprehensible.
Recommendation: If you do not use online advertising on your website, you should not use the IAB TCF and instead define your own purposes.
More new features and changes
- Improvements to WCAG / Accessible Display
- Cookie Groups
- Purpose descriptions on the first layer
- Improved crawler reports
- … and much more.