German TTDSG law & Letters from DPAs
Our roadmap had actually planned a different topic for this month, but due to the amount of feedback we received from customers, we changed our plans and focused on the upcoming changes and clarifications of the German TTDSG law. Furthermore, various customers have received questionnaires from data protection authorities, so we also added many new features that will help our customers meet the requirements of the authorities more easily (see details below).
TTDSG: Start on December 1st, 2021
The TTDSG is Germany’s answer to the ePrivacy Regulation, which has now finally been implemented into German law. It is now clearly regulated in Germany that non-essential cookies always require consent and that cookie banners are therefore mandatory. Since the TTDSG will come into force on December 1st, 2021 and the authorities are already carrying out initial checks on the basis of the ePrivacy Regulation (see below), it is advisable to re-examine existing cookie banner designs and, if necessary, to adapt the design or logic accordingly.
Letters from DPAs
Already in May, the data protection authorities of several German states carried out a coordinated check of large websites. The websites concerned had to fill out extensive questionnaires and submit declarations on data protection. Many of consentmanager’s clients were also questioned. The majority of the authorities have now evaluated the answers and directed various points of criticism to the websites concerned. We took these points as an opportunity and incorporated various features into consentmanager to make it easier for our customers to comply with the legal requirements.
Since the official letters give a relatively clear picture of “what works” and “what does not work”, we have summarized the most important points for you here:
- Easy reject
The authorities have once again made it clear that rejecting has to be as easy as consenting. There must therefore be an equivalent Reject button on the first layer. Hiding the reject function in the text or only showing a settings button is not compliant.
Recommendation: Make sure your design has two equivalent accept and reject buttons.
- Legitimate interests
It was also emphasized that the legal basis “legitimate interest” may only be used for essential functions. In any case, marketing, analysis and social media are not essential.
Recommendation: Only set vendors as “functional” / “essential” if they are required for your website to function. All other vendors should always be blocked by default and only activated once consent has been given.
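The following is an added example, not consentmanager’s code, showing the “blocked by default, activated only on consent” logic described above as a small gating function, together with a configuration check that flags non-essential vendors set to run on legitimate interest. The vendor registry, vendor ids, categories and purpose names are constructed for the example and are not from any real product.

```javascript
// Added example (not consentmanager's code): default-deny vendor gating.
// Assumption: each vendor declares a category, a legal basis and the purposes
// it needs; only "essential" vendors may rely on legitimate interest.

// Categories the authorities' letters name as never essential.
const NON_ESSENTIAL_CATEGORIES = new Set(["marketing", "analytics", "social-media"]);

// Constructed sample registry (hypothetical vendor ids and purposes).
const VENDORS = [
  { id: "session-store", category: "essential",    legalBasis: "legitimate-interest", purposes: [] },
  { id: "ad-network",    category: "marketing",    legalBasis: "consent",             purposes: ["ads"] },
  { id: "web-analytics", category: "analytics",    legalBasis: "consent",             purposes: ["measurement"] },
  { id: "share-widget",  category: "social-media", legalBasis: "legitimate-interest", purposes: ["social"] },
];

// Configuration check: a non-essential vendor configured to run on
// legitimate interest contradicts the DPA position and is reported here.
function findMisconfiguredVendors(vendors) {
  return vendors
    .filter(v => v.legalBasis === "legitimate-interest" && NON_ESSENTIAL_CATEGORIES.has(v.category))
    .map(v => v.id);
}

// Decide which vendors may run for a given consent record.
// consent: { purposes: Set<string> } or null (no choice yet, or "reject all").
// Default deny: a vendor runs only if it is essential, or if it is consent-based
// and every purpose it needs has been granted. A misconfigured non-essential
// legitimate-interest vendor is blocked rather than silently allowed.
function gateVendors(vendors, consent) {
  const granted = consent ? consent.purposes : new Set();
  const run = [];
  const blocked = [];
  for (const v of vendors) {
    const essential = v.category === "essential";
    const consentBased = v.legalBasis === "consent" && v.purposes.length > 0;
    const allGranted = v.purposes.every(p => granted.has(p));
    if (essential || (consentBased && allGranted)) {
      run.push(v.id);
    } else {
      blocked.push(v.id);
    }
  }
  return { run, blocked };
}

// Stand-alone demonstration: the "reject all" outcome and a partial consent.
console.log("misconfigured:", findMisconfiguredVendors(VENDORS));
console.log("reject all:", gateVendors(VENDORS, null));
console.log("measurement only:", gateVendors(VENDORS, { purposes: new Set(["measurement"]) }));
```

In a browser, the ids in `run` would be mapped to the vendor tags that were shipped inert (for example `<script type="text/plain">`) and only those would be switched to executable scripts; everything in `blocked` stays untouched, which is the behaviour the recommendation asks for.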
- Purpose and vendor descriptions
In many cases, the authorities have criticized the descriptions in the consent layers. For example, it is required that purposes are clearly explained (just “marketing” is not enough). The number of vendors must also be stated on the first layer.
Recommendation: Set up descriptive text for all purposes and vendors and use the macro [vendorcount] in the text to insert the number of vendors.
- Non-EU data transfer
The authorities also consider the reference to data transfer outside the EU to be important. If a vendor is based or processes data in a non-EU country, a corresponding notice should be shown.
Recommendation: Check your vendor list and adjust the text on the first layer if necessary. Under Menu > CMPs > Edit > Appearance, we added the option to display the list of vendors that may transfer data outside of the EU. Under Menu > Vendors > Edit, you can also set whether a vendor transfers/processes data outside of the EU.
- Short vendor list
In many cases there was criticism from the authorities about long lists of vendors. The background here is particularly the question whether consent can be compliant if the visitor can no longer understand the long list of vendors.
Recommendation: Sort out vendors and shorten the list of vendors to the bare essentials. A vendor list with more than 50 or even more than 100 vendors will most likely not be considered compliant.
- IAB TCF standard
The IAB TCF standard has also been criticized by the authorities. Various authorities have questioned many parts of the standard as possibly non-compliant and expressed various concerns. For example, the purposes were criticized as being too broad, and the logic between purposes, special purposes, features and special features may be seen as incomprehensible.
Recommendation: If you do not use online advertising on your website, you should refrain from using the IAB TCF and instead define your own purposes.
More features and changes
- Improvements to WCAG / Accessibility Display
- Cookie groups
- Purpose descriptions on the first layer
- Improved crawler reports
- … and many more.
With the coming release we will apply the following changes:
- CSDK-23 Adjust WebView URL Logic
- CSDK-29 [IOS] hasVendor method: unexpected return value
- CSDK-5 Support for gradle
- CMP-786 Benchmark new data to compare
- CMP-799 Issue with two button logic
- CMP-844 Merge purpose name and purpose translation into one field
- CMP-849 Issue copying cmp with purposes
- CMP-637 Issue disabling consent with contentpass
- CMP-801 Add option for Cookiegroups
- CMP-802 Add Domainlists for CMP
- CMP-816 Issue 1plusx/Integral legal basis
- CMP-820 CSS: rename CSS functions with CMP… label
- CMP-798 All vendors button should disable instead of enable first
- CMP-805 Make adding a vendor clearer
- CMP-807 Add macros to custom purpose translation
- CMP-808 Allow expanding purpose descriptions on first layer
- CMP-809 Add option to display IAB special purposes in navigation
- CMP-810 Issue reporting rights
- CMP-814 Add option to show non-EU datatransfer vendors in list
- CMP-815 Issue special purposes disabled
- CMP-817 Add possibility to show leg.int vendors in menu
- CMP-819 Add possibility to set own cookie view time
- CMP-826 WCAG: Tab logic
- CMP-828 Block Onload events on iframes
- CMP-832 Issue inserting macros in custom HTML
- CMP-847 WCAG alert logic