In for­ce as of 1 Decem­ber 2021: the TTDSG and the “new” coo­kie rules

The new Telecom­mu­ni­ca­ti­ons and Tele­me­dia Data Pro­tec­tion Act (TTDSG) (only in Ger­man) com­bi­nes the data pro­tec­tion pro­vi­si­ons of the Telecom­mu­ni­ca­ti­ons Act (TKG) (only in Ger­man) and the Tele­me­dia Act (TMG) and ser­ves to imple­ment Euro­pean law requi­re­ments, par­ti­cu­lar­ly the ePri­va­cy Direc­ti­ve. The Act is to take effect on 1 Decem­ber 2021. Are com­pa­nies facing new legal chal­len­ges as a result? We pre­sent the changes.

New regu­la­ti­on for the use of cookies?

§ 25 of the TTDSG recei­ved the most atten­ti­on in public dis­cus­sion. This sec­tion con­tains regu­la­ti­ons for the sto­rage and use of data on users’ ter­mi­nal equip­ment. The requi­re­ments for the use of the­se coo­kies, for examp­le by ope­ra­tors of Inter­net sites, has a long histo­ry in Germany.

For a long time, it was dis­pu­ted whe­ther Ger­ma­ny was even ade­qua­te­ly imple­men­ting the requi­re­ments of the ePri­va­cy Direc­ti­ve in this regard. Arti­cle 5(3) the­re­of cla­ri­fies that the sto­rage of and access to infor­ma­ti­on on users’ end devices, usual­ly refer­red to as “coo­kies”, is gene­ral­ly only pos­si­ble if they give their pri­or con­sent or if the coo­kie is tech­ni­cal­ly abso­lute­ly necessary.

Howe­ver, Euro­pean direc­ti­ves that impo­se obli­ga­ti­ons on pri­va­te actors are not direct­ly app­li­ca­ble, but requi­re imple­men­ta­ti­on through natio­nal law. The rele­vant pro­vi­si­on in Ger­man law was found in the pre­vious­ly app­li­ca­ble § 15 III 1 of the Ger­man Tele­me­dia Act (only in Ger­man). Howe­ver, this ina­de­qua­te­ly reflec­ted the requi­re­ment of Arti­cle 5(3) of the ePri­va­cy Direc­ti­ve. The Federal Supre­me Court (BGH) the­re­fo­re used an inter­pre­ta­ti­on in con­for­mi­ty with the Direc­ti­ve and inter­pre­ted the pro­vi­si­on of the Tele­me­dia Act con­tra­ry to the wor­d­ing in the favour of the requi­re­ments of Euro­pean law. § 25 TTDSG now pro­vi­des cla­ri­ty here by clear­ly imple­men­ting the requi­re­ments of the ePri­va­cy Direc­ti­ve and also clo­se­ly fol­lowing the wor­d­ing of the Direc­ti­ve. With regard to legal cer­tain­ty, this is to be wel­co­med as oppo­sed to an inter­pre­ta­ti­on bey­ond the limits of the wording.

At the same time, howe­ver, this means that the legal situa­ti­on has remai­ned lar­ge­ly unch­an­ged from the sta­tus quo ante on this issue. Rather, the legal situa­ti­on alrea­dy estab­lis­hed by the so-called “coo­kie rulings” of the Federal Supre­me Court (BGH) was only set out more clear­ly. The TTDSG also does not spe­ci­fy any fur­ther exact­ly the con­sent must be structured.

Con­sent services

Howe­ver, § 26 TTDSG (only in Ger­man) con­tains a sur­pri­sing inno­va­ti­on. Accord­ing to this pro­vi­si­on, con­sent manage­ment ser­vices are per­mis­si­ble under cer­tain con­di­ti­ons. The­se per­so­nal infor­ma­ti­on manage­ment sys­tems (PIMS) allow for pri­or con­sent through an inde­pen­dent ser­vice. Via this, a user can spe­ci­fy in advan­ce which cate­go­ries of coo­kies he or she gene­ral­ly agrees to and under which con­di­ti­ons. The ser­vices tell the web­sites the set­tings they want. In per­spec­ti­ve, this could pro­ve to be an effec­ti­ve tool for stem­ming the tide of con­sent ban­ners that many per­cei­ve as a burden.

Howe­ver, accord­ing to § 26(2) TTDSG (only in Ger­man), the Federal Government would first have to spe­ci­fy more pre­cise requi­re­ments in a ordi­nan­ce with the appro­val of the Federal Coun­cil. In addi­ti­on, pro­vi­ders would have to be found who have the cor­re­spon­ding cer­ti­fi­ca­ti­on requi­red by § 26(1) TTDSG (only in Ger­man) car­ri­ed out for their service.

Exten­ded scope of application

One chan­ge that should be of inte­rest to pro­duct manu­fac­tu­rers con­cerns the scope of app­li­ca­ti­on of the regu­la­ti­ons. In a depar­tu­re from the ePri­va­cy Direc­ti­ve, § 25 TTDSG (only in Ger­man) does not refer to end devices, but to users’ ter­mi­nal equip­ment. Pur­suant to § 2(2)6 TTDSG (only in Ger­man), this term is defi­ned as any device con­nec­ted direct­ly or indi­rect­ly to the inter­face of a public telecom­mu­ni­ca­ti­ons net­work for the pur­po­se of trans­mit­ting, pro­ces­sing or recei­ving messages. The legis­la­ti­ve intent of this Act sta­tes that this wor­d­ing is inten­ded to cover a broad scope of app­li­ca­ti­on. The requi­re­ments of § 25 TTDSG  thus app­ly not only to Inter­net com­mu­ni­ca­ti­ons, but also to the use of net­wor­ked devices (Inter­net of Things) such as smart home devices.


For com­pa­nies, the intro­duc­tion of the TTDSG chan­ges litt­le. The regu­la­ti­ons on coo­kies have alrea­dy been app­li­ca­ble law up to now. It is wel­co­me that legis­la­tors want to enab­le the use of PIMS. Howe­ver, it is ques­tion­ab­le when and whe­ther such ser­vices will be used at all on the basis of § 26 TTDSG, espe­cial­ly sin­ce the TTDSG will be super­se­ded in the com­ing years by the Euro­pean ePri­va­cy Regu­la­ti­on, which has alrea­dy been in the works for some time. Howe­ver, com­pa­nies that have not yet ade­qua­te­ly imple­men­ted the requi­re­ments of the ePri­va­cy Direc­ti­ve should do so in a time­ly fashion.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.